
How to secure local resources on a windows 2008 terminal server



Guest shax
Posted

I am running a Windows 2008 Terminal Services server. I have Outlook 2007 published as a RemoteApp. When users of the RemoteApp Outlook 2007 attach a document to their e-mail, they have access to the redirected drives from their local machine and also they have access to the local drives of the terminal server.

For security reasons I don’t want them to have access to the local drives on the terminal server. How do I do this? I know there is a local security policy that I can set that will hide drives. It is located under User Configuration | Administrative Templates | Windows Components | Windows Explorer, as the setting "Hide these specified drives in My Computer". This will work, but it will also hide the drives when I remote into the server or if I’m on the server locally. So that is not a good solution. How are other administrators dealing with this?


Guest Vera Noest [MVP]
Posted

Re: How to secure local resources on a windows 2008 terminal server

 

The way to achieve what you want is this:

Do not use the local policy on the Terminal Server, but instead create a domain-wide policy with this setting and link the Group Policy Object to the OU which contains the Terminal Server computer account.

And since the setting you need is a User Configuration, you will also need to configure the GPO to use "loopback processing". That setting can be found here:

Computer Configuration - Administrative Templates - System - Group Policy
"User Group Policy loopback processing mode" - "Replace"

The above setup makes sure that all settings in the new domain-wide GPO are applied to users *only* when they log on to the TS, and not when they log on to their workstations. That can be important for a lot of security settings, assuming that you want to lock down the TS more strictly than users' workstations.

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287

And to make sure that the restrictions in the GPO are not applied when you as Administrator log on to the Terminal Server, use security filtering of the GPO. That's described here:

816100 - How To Prevent Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows Server 2003
http://support.microsoft.com/?kbid=816100

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 

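One way to script the setup described in the answer above, as an added example that is not part of the original posts. It assumes the GroupPolicy PowerShell module (available with GPMC on Windows Server 2008 R2 and later, or RSAT) and uses placeholder GPO, OU and group names; it filters by granting Apply only to a non-admin group rather than adding a Deny entry for administrators.

```powershell
# Added example. Values marked "assumed" are placeholders, not from the thread.
Import-Module GroupPolicy

$GpoName   = 'TS User Lockdown'                       # assumed GPO name
$TsOu      = 'OU=Terminal Servers,DC=example,DC=com'  # assumed OU of the TS computer account
$TsUsers   = 'TS-RemoteApp-Users'                     # assumed group of non-admin TS users
$TsServers = 'TS-Servers'                             # assumed group holding the TS computer account

# NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
function Get-DriveMask([string[]]$Letters) {
    $mask = 0
    foreach ($letter in $Letters) {
        $index = ([int]$letter.ToUpper()[0]) - ([int][char]'A')
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor [int][math]::Pow(2, $index)
    }
    $mask
}
$mask = Get-DriveMask 'C', 'D'   # assumed: the server's local drives are C: and D: (mask = 12)

New-GPO    -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $TsOu | Out-Null

# Computer side: "User Group Policy loopback processing mode" (1 = Merge, 2 = Replace)
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# User side: "Hide these specified drives in My Computer" (the setting named in the thread)
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoDrives' -Type DWord -Value $mask | Out-Null
# Not in the thread: NoDrives only hides the icons. The companion policy
# "Prevent access to drives from My Computer" also blocks opening them through Explorer.
Set-GPRegistryValue -Name $GpoName -Key $explorer -ValueName 'NoViewOnDrive' -Type DWord -Value $mask | Out-Null

# Security filtering: Authenticated Users keep Read only. Apply goes to the TS users
# (user settings) and to the TS computer group (so the server processes the loopback setting).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TsUsers   -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TsServers -TargetType Group -PermissionLevel GpoApply | Out-Null
```

After `gpupdate /force` on the server, running `gpresult /r` as a test user and as an administrator shows whether the GPO was applied or filtered out for each account.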

Guest shax
Posted

Re: How to secure local resources on a windows 2008 terminal serve

 


 

Thanks for the help! That fixed the problem.

Guest Vera Noest [MVP]
Posted

Re: How to secure local resources on a windows 2008 terminal serve

 


 

Great! I'm glad that your problem is solved, and thanks for the feedback!

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

 


