Re: Windows Server 2008 TS Error.



You can set NTFS permissions on the file system, and thus keep
users out of sensitive areas of the file system.
Right-click any folder - properties - security.

You might want to read up about NTFS permissions, since you can
easily lock the system down too much.
Here's a nice article by Jeff Pitsch:

Understanding and Using NTFS Permissions on Citrix and Terminal
Servers
http://www.brianmadden.com/content/content.asp?id=481

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

switch <switch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on
30 dec 2008 in microsoft.public.windows.terminal_services:

Vera, could you please elaborate on how to disable access by
using NTFS permissions?

BTW, I was able to successfully Allow log on through Terminal
Server right to Domain Users. Would it be useful to the audience
to publish all steps to achieve? Let me know.

Cheers, switch

"Vera Noest [MVP]" wrote:

And keep in mind that *hiding* drives is merely a cosmetic
thing, it will still be fairly easy for users to get to those
drives. The only mechanism which truly disables access is NTFS
permissions. But as Jeff says, running TS on a DC is a disaster
waiting to happen...
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

Jeff Pitsch <jeff.pitsch.fake@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
on 04 nov 2008 in microsoft.public.windows.terminal_services:

It is a colossal security flaw to allow your users on the
domain controller. It's not MS's fault you've gone against
best practices and decided to use your DC as a terminal
server. There is a way to prevent users access to the local
drives and that is through group policy. It is two settings
you need to set and you are good to go. Is it perfect?
Nope but it's the best we have right now. If you are
truly, TRULY concerned about security you'll buy another
server and NOT let your users on the domain controller to
begin with. If your users are truly that savvy then why
would you allow them on in the first place?

I'm sorry if this comes across the wrong way but I don't see
how this is MS's fault in this case. There are legitimate
reasons to allow users access to the server drives.

And yes you can always directly edit the registry to hide the
drives but then you lose the capability to filter who gets
hidden drives and who doesn't.

Jeff Pitsch
Microsoft MVP - Terminal Services

S H A R I Q U E wrote:
I do know about Group Policies to block access to certain
Folder/Drives. Can't I use any other method to achieve the
same? It is security breach and any technical user can play
havoc with DC. I don't know it is default feature of Terminal
Service to expose drive into open or not. If it yes, then it
is colossal security flaw. What I mean there should be a
prevention to local drive of TS server.

regards


"Jeff Pitsch" wrote:

You can use group policy to hide the server drives. Are
you familiar with group policy?

Jeff Pitsch
Microsoft MVP - Terminal Services

S H A R I Q U E wrote:
Now, I am able to logon using domain users thanks to
modification of local security policy.
I have installed word viewer on WIN2K8 and provided
access to WINXP client through TS RemoteApp Manager. I can
run application at WINXP client successfully.
One thing which is quite alarming is that after opening
WordViewer at client side, when I go to File/Open, it gives
domain user access to root of C drive and shows my local
drive as network drive. How can I prevent users from
accessing drives of WIN2K8 server?


"Jeff Pitsch" wrote:

Is the terminal server also a domain controller? If not,
you need to add the users to the Remote Desktop User
group that is local to the terminal server.

Jeff Pitsch
Microsoft MVP - Terminal Services

S H A R I Q U E wrote:
I have created a Remote App program in Windows Server
2008 TS. From Windows XP client having latest RDC 6.x
installed, I can run the application successfully using
Administrator account. When I try to run same application
using domain user account, I get error that "To log on to
this remote computer, you must be granted the Allow
log on through Terminal Services right. By default,
members of the Remote Desktop Users group have this
right...etc..."

I have added the domain user/computer account in
Remote Desktop Users group in AD, even after that I am
getting error. What piece of configuration I am
missing? Bear in mind that I am running this setup in VM
with default number of TS licenses, that is, two.
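
The thread's point that NTFS permissions, not hidden drives, decide what a Terminal Server user can reach can be checked with a read-only ACL audit. The script below is an added example, not part of the original posts; the folder list is a hypothetical placeholder and the group names assume an English-language Windows installation.

```powershell
# Added example: read-only audit of NTFS ACLs for broad user groups.
# The default paths are hypothetical; pass your own with -Path.
param(
    [string[]]$Path = @('C:\', 'D:\Data')
)

# Principals that ordinary Terminal Server users normally belong to.
# "<anything>\Domain Users" matches the Domain Users group of any domain.
$broad = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users|.+\\Domain Users)$'

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Skipping $p (not found)"
        continue
    }

    # Each access control entry shows who is allowed or denied which rights,
    # and whether the entry is inherited from a parent folder.
    (Get-Acl -LiteralPath $p).Access |
        Where-Object { $_.IdentityReference.Value -match $broad } |
        Select-Object @{ n = 'Path';      e = { $p } },
                      @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      AccessControlType,
                      FileSystemRights,
                      IsInherited
}

# Remediation on a data folder only (left commented out on purpose).
# Removing broad groups from C:\ or the Windows folder can break logons
# and applications, which is the over-lockdown risk mentioned in the thread.
#   icacls 'D:\Data' /inheritance:d
#   icacls 'D:\Data' /remove:g 'BUILTIN\Users'
```

Any row with AccessControlType Allow for one of these groups means the folder is reachable from a File/Open dialog in a RemoteApp, whether or not the drive is hidden by policy.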