blocking access to explorer on a terminal server session

Thread view:

Enable EMail Alerts

Start New Thread

Thread rating:

neo68 - 28 Feb 2006 17:16 GMT

I have configured group policy to lock down the terminal server on our
windows 2003 server; however, if the user clicks start > then double clicks
"programs" they are still able to access the explorer and "snoop" around.
Does anyone know of a way to deny access to the explorer? We are running an
old dos application which prevents us from using the run a single application
feature (which I know would prevent a user from accessing anything on the
desktop - even a start menu).

Reply to this Message

Vera Noest [MVP] - 28 Feb 2006 20:14 GMT

Use NTFS permissions on the file system to keep users out sensitive
areas of the server disks. The default permissions on a 2003 server
should already do this, provided that you didn't give your users
elevated user rights, and that you installed Terminal Services in
"Full Security" compatibility mode.
Note that you would have to do this even if you defined a starting
application. It is relatively simple to access the file system from
within most applications.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"=?Utf-8?B?bmVvNjg=?=" <neo68@discussions.microsoft.com> wrote on
28 feb 2006 in microsoft.public.win2000.termserv.clients:

> I have configured group policy to lock down the terminal server
> on our windows 2003 server; however, if the user clicks start >
[quoted text clipped - 4 lines]
> feature (which I know would prevent a user from accessing
> anything on the desktop - even a start menu).

Reply to this Message