Securing an RD RemoteApp Server
I am running Remote Desktop Services on Windows Server 2008 R2.
How can I secure the RemoteApp server so that only the RD RemoteApp application (and no others) can be run from a remote computer on an untrusted network?
For example, configure Notepad as a RemoteApp program, invoke the RemoteApp program from a computer on an untrusted network, and open the File Open dialog via the File -> Open menu. The File Open dialog allows the client user to browse to any folder on the RemoteApp server, and run any executable on the RemoteApp server. So for example, the RD client user could browse to C:\Windows\System32, right-click cmd.exe and select Open to run cmd.exe on the RemoteApp server.
How do you recommend I secure the RemoteApp server (through group policy or other means) so that *only* the desired RemoteApp program (and no others) can be invoked from a remote client computer?
Thanks.
Answers
Hello Matthew,
Thanks for posting in our forum.
As additions to J2’s good suggestions, I’d like to include the following points:
· The GPO mentioned by J2 is the Software Restriction Policies in the Group Policy Management Editor, based on my understanding. The location of the policies that restrict users is: Group Policy Management Editor \ User Configuration \ Software Restriction Policies. Please refer to the following article to know more about this policy:
(KB324036) How To use Software Restriction Policies in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;EN-US;324036
Please note that some details change slightly when using a Windows Server 2008-based DC.
· Please give the remote users Remote Desktop Users permissions rather than Local Administrators ones. In that way, the User Access Control built into Windows Server 2008 R2 will help to protect the system files from modification by remote normal users. This is a Windows-level protection.
Hope the information above helps. Please feel free to let me know if you have any further questions on the topic. Thanks.
Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Marked As Answer by Matthew Theobald Thursday, November 05, 2009 6:11 AM
All Replies
- You can use a GPO to specify which apps a user can run on the local computer. With this you can lock 'em down to pretty much only the apps you want, but depending on the app you will have to do some testing to ensure that the app you publish does not itself call any blocked app. If it does, it will either crash out or you will get weird behavior.
Since I am running Remote Desktop Services on Windows Server 2008 R2, would you recommend using AppLocker instead of Software Restriction Policies?
Hello Matthew,
Thanks for your feedback.
Yes, if Windows Server 2008 R2 serves as the Remote Desktop Services session host and RemoteApp roles, AppLocker is a good choice to restrict users/groups from running specific software.
For more information about AppLocker design and deployment, please refer to:
AppLocker Policies Design Guide
http://technet.microsoft.com/en-us/library/ee449480(WS.10).aspx
Please let us know the result. I’m always glad to help you. Thanks.
Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
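Added example, not part of the thread or of Microsoft's documentation: a PowerShell session on the Windows Server 2008 R2 RD Session Host that builds AppLocker executable rules for the one published RemoteApp and dry-runs them before anything is enforced. It assumes the published program is Notepad (as in the question), the remote users are members of the local Remote Desktop Users group, and the policy file path C:\Policies\RemoteAppLocker.xml; all three are assumptions.

```powershell
# Run in an elevated PowerShell on the RD Session Host (Windows Server 2008 R2).
Import-Module AppLocker

$published = 'C:\Windows\System32\notepad.exe'   # assumed: the one RemoteApp program to allow
$rdUsers   = 'Remote Desktop Users'              # assumed: group the remote users belong to
$policyXml = 'C:\Policies\RemoteAppLocker.xml'   # assumed output path
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. AppLocker rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Build allow rules for the published program only, scoped to the remote users'
#    group. A publisher rule keeps working after the binary is patched (the
#    signature is re-evaluated); the hash rule is a fallback for unsigned files.
$fileInfo = Get-AppLockerFileInformation -Path $published
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User $rdUsers -Optimize -Xml | Out-File -FilePath $policyXml -Encoding Unicode

# 3. Dry-run: what could a member of the group launch from the File > Open dialog?
#    Under this narrow allow list, notepad.exe is Allowed and cmd.exe is
#    DeniedByDefault (no rule matches it, and AppLocker denies by default once
#    the Executable collection is enforced).
$candidates = @($published, 'C:\Windows\System32\cmd.exe')
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $candidates -User $rdUsers |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 4. Caveat from J2's reply: the RemoteApp session and the published app start
#    other Windows binaries of their own. Before enforcing, extend $candidates with
#    every executable the session and the app actually launch (watch the
#    AppLocker audit log first) and merge allow rules until nothing needed is
#    denied. Do NOT simply add the default "%WINDIR%\*" allow rule, because that
#    would let cmd.exe through again. Deploy the finished XML through the GPO
#    (Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap <GPO path>) and set the
#    Executable rule collection to Enforce there; a local-only apply is:
# Set-AppLockerPolicy -XmlPolicy $policyXml
```

Run step 3 first with the rule collection left in audit-only mode and compare the AppLocker event log against the dry-run output before switching to Enforce.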