Re: ask your advice!
Assuming that your TS is setup using "Full Security" compatibility
mode, and that you use high encryption, you have come a long way in
locking it down when you apply KB 278295.
It depends on your needs, requirements and possible threats to the
server if you need more security.
You can consider using Software Restriction Policies to lock it
down further.
324036 - HOW TO: Use Software Restriction Policies in Windows
Server 2003
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstr
plcy.mspx
Regarding the security filtering of the GPO: make sure that you
deny "Apply this GPO" for Administrators, but allow all other
rights (except "Full" which should be unselected).
816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?Sm9obg==?= <John@discussions.microsoft.com> wrote on 02
nov 2007 in microsoft.public.windows.terminal_services:
> Hi all,
> Do you think KB278295 will be enough to lock down the windows
> 2003 R2 SP2 terminal server? If not, any other
> recommendation?If I set policy to deny applying to the domain
> admin group, I even can not edit the policy which shows
> inaccessible GPO-access denied. How do you deal with your admin
> account in this case?
>
> Thank you.