Re: prevent users from accessing c drive



Brad, it's a bit confusing that we now have 2 very similar threads
active on the same subject. Can we choose one and stick to that?

Anyway, a couple of points:
configuring a starting application is in *no* way to be seen as a
security enhancement! It is trivial to get to a full desktop from
within nearly any application (as you have noticed yourself). It's
only a matter of time before users start doing that by mistake.

And I would never rely on trust, and this is *not* the way it has
to be! See my other post about your NTFS permissions, which seem to
be non-default and very relaxed. If the same is true for your
registry permissions and maybe even user rights, then it's not
secure.

For remote users who run a limited amount of applications, I would
definitively configure a Software Restriction Policy (it can be
cumbersome to define it for users who run a lot of different
applications).

324036 - HOW TO: Use Software Restriction Policies in Windows
Server 2003
http://support.microsoft.com/?kbid=324036
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Brad Pears" <bradp@xxxxxxxxxxxxxxxxxxxxx> wrote on 03 mar 2009 in
microsoft.public.windows.terminal_services:

Yes, that is a good point...

My main concern was with our remote dealers. For security
reasons, when they log on to our server, we automatically run an
app so they don't even get a desktop - unlike our inside sales
folks (cuz we can kind of keep an eye on them!) However, when a
remote user runs Outlook, they can then attach a file and it
shows the c: drive there... I guess it all boils down mostly
to trust - but some of these folks are not really computer savvy
and they may inadvertently do something or a family member
manages to get in there etc... etc... you know the
possibilities... It's likely quite remote that this type of
thing would even happen - but you just never know. I guess my
thing is that I just wanted to make sure that I was doing all I
could... If this is the way it has to be - then so be it... At
least I can say I tried!!! lol

Thanks Vera...

"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message
news:Xns9BC2F36C686F9veranoesthemutforsse@xxxxxxxxxxxxxxxx
Yes, it may seem so, but that's where the user rights come into
the picture.
If your TS was installed in Full Security mode, users will have
the right to create files, but not install rogue applications
or anything else that needs administrator rights.
And you can restrict their access to the C:-drive further than
the default NTFS permissions, but you have to be careful not to
break authorized applications.
And if you instead of the C:-drive give them access to a drive
on a fileserver, containing their home folder, they would still
be able to create a virus-infected file there, right? And since
they are running under the OS of the server, it really makes no
difference at all where they save such a file.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"BradinMuskoka"
<BradinMuskoka@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 02 mar 2009
in microsoft.public.windows.terminal_services:

Allowing TS users to create folders and files on C is a little
scary in that a user could easily copy a virus laden file or
whatever directly to the C: drive of a server from a USB drive
installed on their personal PC or their PC's hard drive. Of
course if the server has up to date virus defs it should be
caught but there is always the possibility that it won't. It
just seems scary that TS users can create files there. I could
maybe see changing existing files - as the session itself
likely would need to do that but to be able to create brand
new files - that is the scary part...

Brad

"Vera Noest [MVP]" wrote:

Which OS is your TS running?
Did you install Terminal Services with "Full Security"
compatibility mode (on 2003) or "Permissions compatible with
Windows 2000 Users" (on W2K)? If not, you're running in
relaxed security mode, which gives your users way too much
user rights.

Can you define what you mean with "access"?
Yes, users can see the C drive on the server, and read most
of it, but they can't change or delete much.

There is a GPO setting to *hide* drives on the server, but it
doesn't do more than that, just hiding from view, and not
even that from all applications or the command prompt. It's
meant as a convenience for the users, not as a safety
measure.

If you want to keep users out of the C drive, you have to use
NTFS and registry permissions. But be careful, modifying
their permissions might well cause applications to break or
logon to fail.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

"b.binnenweg" <b.binnenweg@xxxxxxxxxx> wrote on 20 feb 2009:

We found out that our terminal server users are able to
access these servers' c drive. We also know about the policy
to prevent users from accessing drives, but could we set
this policy and have users run programs on this terminal
server at the same time?
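
An added example, not part of the original thread: a read-only PowerShell check of the NTFS permissions discussed above, listing the allow entries on a folder that let broad user groups create or change content. The function name Get-UserWritableAce and the default group list are assumptions made for this illustration.

```powershell
# Added example (not from the thread): report allow ACEs on a folder that give
# broad, non-administrative groups the right to create or modify content.
function Get-UserWritableAce {
    param(
        [string]$Path = 'C:\',
        # Assumption: well-known groups that ordinary Terminal Server users belong to.
        [string[]]$Principal = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'NT AUTHORITY\TERMINAL SERVER USER'
        )
    )

    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Specific rights that allow creating, changing or deleting files and folders,
    # or rewriting the ACL itself.
    $writeBits = [int]($fsr::CreateFiles -bor $fsr::AppendData -bor $fsr::Delete -bor
        $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
        $fsr::TakeOwnership)
    # Generic rights can be stored unmapped on inherit-only ACEs:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $genericBits = 0x40000000 -bor 0x10000000

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Principal -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band ($writeBits -bor $genericBits))
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited,
                      InheritanceFlags, PropagationFlags
}

# Review the root of the system drive; an empty result means none of the listed
# groups has create or modify rights directly on that folder.
Get-UserWritableAce -Path 'C:\' | Format-Table -AutoSize
```

Group names are localized on non-English Windows installations, so pass the local names through -Principal there.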