How to secure local resources on a Windows 2008 terminal server

Thread starter: shax (Guest)

I am running a Windows 2008 Terminal Services server. I have Outlook 2007
published as a RemoteApp. When users of the RemoteApp Outlook 2007 attach a
document to their e-mail they have access to the redirected drives from their
local machine and also they have access to the local drives of the terminal
server.

For security reasons I don’t want them to have access to the local drives on
the terminal server. How do I do this? I know there is a local security
policy that I can set that will hide drives. It is located under User
Configuration | Administrative Templates | Windows Components | Windows
Explorer, in the setting "Hide these specified drives in My Computer". This
will work, but it will also hide the drives when I remote into the server or
if I’m on the server locally. So that is not a good solution. How are other
administrators dealing with this?
 
Re: How to secure local resources on a windows 2008 terminal server

The way to achieve what you want is this:

Do not use the local policy on the Terminal Server, but instead
create a domain-wide policy with this setting and link the Group
Policy Object to the OU which contains the Terminal Server computer
account.
And since the setting you need is a User Configuration, you will
also need to configure the GPO to use "loopback processing". That
setting can be found here:

Computer Configuration - Administrative Templates - System - Group
Policy
"User Group Policy loopback processing mode" - "Replace"

The above setup makes sure that all settings in the new domain-wide
GPO are applied to users *only* when they log on to the TS, and not
when they log on to their workstations. That can be important for a
lot of security settings, assuming that you want to lock down the
TS more strictly than users' workstations.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

And to make sure that the restrictions in the GPO are not applied
when you as Administrator log on to the Terminal Server, use
security filtering of the GPO. That's described here:

816100 - How To Prevent Domain Group Policies from Applying to
Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

shax <shax@discussions.microsoft.com> wrote on 05
May 2008 in microsoft.public.windows.terminal_services:

> I am running a Windows 2008 Terminal Services server. I have
> Outlook 2007 published as a RemoteApp. When users of the
> RemoteApp Outlook 2007 attach a document to their e-mail they
> have access to the redirected drives from their local machine
> and also they have access to the local drives of the terminal
> server.
>
> For security reasons I don’t want them to have access to the
> local drives on the terminal server. How do I do this? I know
> there is a local security policy that I can set that will hide
> drives. It is located under User Configuration |
> Administrative Templates | Windows Components | Windows Explorer,
> in the setting "Hide these specified drives in My Computer".
> This will work, but it will also hide the drives when I remote
> into the server or if I’m on the server locally. So that is
> not a good solution. How are other administrators dealing with
> this?
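
The setup described in the reply above, scripted as an added example (not part of the original thread). It assumes a management host with the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2012 or later); the GPO name, OU, computer account, group name and drive letters are hypothetical. Security filtering is done here by granting Apply only to a restricted-users group, so administrators outside that group are not affected.

```powershell
# Added example: domain GPO with "hide drives" + loopback (Replace) + security filtering.
# All names below are hypothetical placeholders; adjust to your domain.
Import-Module GroupPolicy

$gpoName = 'TS-Lockdown'                            # hypothetical GPO name
$tsOu    = 'OU=TerminalServers,DC=example,DC=com'   # hypothetical OU holding the TS computer account
$tsHost  = 'TS01'                                   # hypothetical TS computer account
$tsUsers = 'TS-RemoteApp-Users'                     # hypothetical group of restricted users

# NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:
function Get-NoDrivesMask([char[]]$Letters) {
    $mask = 0
    foreach ($l in $Letters) {
        $bit = [int][char]::ToUpper($l) - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor [int][math]::Pow(2, $bit)
    }
    return $mask
}

# Create the GPO and link it to the OU that contains the Terminal Server
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $tsOu | Out-Null

# User Configuration: "Hide these specified drives in My Computer" (C: and D: here)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDrives' -Type DWord -Value (Get-NoDrivesMask 'C','D') | Out-Null

# Computer Configuration: "User Group Policy loopback processing mode"
# UserPolicyMode: 1 = Merge, 2 = Replace
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Security filtering: everyone can still read the GPO, but only the TS computer
# (which must pick up the loopback setting) and the restricted group apply it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsHost `
    -TargetType Computer -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $tsUsers `
    -TargetType Group -PermissionLevel GpoApply | Out-Null
```

After `gpupdate /force` on the Terminal Server, `gpresult /r` run as a restricted user and as an administrator shows whether the GPO is applied or filtered out for each. The hide-drives setting only removes the drive letters from Explorer and the common file dialogs; typed paths still resolve unless the companion policy "Prevent access to drives from My Computer" and NTFS permissions also restrict them.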
 
Re: How to secure local resources on a windows 2008 terminal serve

Thanks for the help! That fixed the problem.
 
Re: How to secure local resources on a windows 2008 terminal serve

Great! I'm glad that your problem is solved, and thanks for the
feedback!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

shax <shax@discussions.microsoft.com> wrote on 08
May 2008 in microsoft.public.windows.terminal_services:

> Thanks for the help! That fixed the problem.
 