ask your advice!

[Guest John]

Hi all,

Do you think KB278295 will be enough to lock down the windows 2003

R2 SP2 terminal server? If not, any other recommendation?If I set

policy to deny applying to the domain admin group, I even can not

edit the policy which shows inaccessible GPO-access denied. How do

you deal with your admin account in this case?

 

Thank you.

[Guest Vera Noest [MVP]]

Re: ask your advice!

 

Assuming that your TS is setup using "Full Security" compatibility

mode, and that you use high encryption, you have come a long way in

locking it down when you apply KB 278295.

 

It depends on your needs, requirements and possible threats to the

server if you need more security.

 

You can consider using Software Restriction Policies to lock it

down further.

 

324036 - HOW TO: Use Software Restriction Policies in Windows

Server 2003

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstr

plcy.mspx

 

Regarding the security filtering of the GPO: make sure that you

deny "Apply this GPO" for Administrators, but allow all other

rights (except "Full" which should be unselected).

 

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

 

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

=?Utf-8?B?Sm9obg==?= <John@discussions.microsoft.com> wrote on 02

nov 2007 in microsoft.public.windows.terminal_services:

> Hi all,

> Do you think KB278295 will be enough to lock down the windows

> 2003 R2 SP2 terminal server? If not, any other

> recommendation?If I set policy to deny applying to the domain

> admin group, I even can not edit the policy which shows

> inaccessible GPO-access denied. How do you deal with your admin

> account in this case?

>

> Thank you.