Deny access to remote desktop users / TS users to access/browse networks as well as copy/paste data on remote desktop session host server


  • Thursday, January 17, 2013 10:03 AM
     
     

    We have a Windows Server 2003 domain controller in the network. Recently we added a Windows Server 2012 server and installed Remote Desktop Services with a license on it. We have created a user group which has remote desktop access to this Windows Server 2012 server.

    But when the Remote desktop users access this Windows server 2012 server via Terminal Services, they are able to browse all networks and UNC path and can copy/paste data anywhere within these network shares.

    Now we want to restrict these users from accessing the entire network as well as UNC paths, and from copy/pasting data, using group policy.

    I would appreciate it if anyone could help me do this.

    Thanks and Best Regards,



All Replies

  • Friday, January 18, 2013 2:46 AM
    Moderator
     
     

    Hi,

    Use group policy to set permissions on the network shares to which you want to deny remote desktop users access. It is located in:

    Computer Configuration/Windows Settings/Security Settings/File System, then click Add File.

    Reference: http://technet.microsoft.com/en-us/library/cc756952(v=WS.10).aspx

    In addition, refer to the link below, which may also be helpful (read the "Restricting Access to Drives on a Terminal Server" section):
    Configuring User Group Policy Settings
    http://technet.microsoft.com/en-us/library/cc782067(WS.10).aspx

    Regards,
    Cicely

  • Friday, January 18, 2013 5:39 AM
     
     

    Dear Cicely,

    Thanks for your reply.

    But I want remote desktop users not to be able to open or browse any network resources to copy/paste any data. For this, I have disabled the network discovery option on the local server. Now they are not able to browse the network, but they can use a UNC path to browse the network.

    Can you help me to disable this UNC path for remote desktop users?

    Best Regards,

     

  • Friday, January 18, 2013 11:00 AM
     
     

    We have installed Windows Server 2012 Std Edition with valid Terminal Service licenses. We have removed the RUN option from the start menu using group policy to restrict UNC path browsing for Terminal Services users, and it is working fine. When remote desktop users type RUN in the 'Apps' search box, it does not open RUN.EXE, and the same goes for UNC paths.

    But when remote desktop users type a UNC path (\\<servername>) in the 'Apps' search box, it browses to the network share, and we want to restrict this.

    We would appreciate it if anyone could help us resolve this ASAP.

    Thanks in advance.

       
  • Monday, January 21, 2013 5:33 AM
    Moderator
     
     

    Hi,

    If you set Read or Write permissions as Deny for remote desktop users on the network share, then they couldn't access these shares, even when they use UNC path. Just use the above group policy to configure it.

    Regards,
    Cicely

  • Monday, January 21, 2013 5:51 AM
     
     

    Hi Cicely,

    Thank you very much for your reply.

    But within group policy, where and how to set Read/Write permissions for remote desktop users on the network share?

    Kindly revert ASAP so that we can resolve this issue, because there is a lot of pressure from the customer for this setting.

    Thanks and Regards,

  • Monday, January 21, 2013 8:46 AM
    Moderator
     
     

    Hi,

    Please try this policy:

    Computer Configuration/Windows Settings/Security Settings/File System, then click Add File to locate the network share which you want to configure.

    Regards,
    Cicely

  • Tuesday, January 22, 2013 8:14 AM
    Moderator
     
     

    Hi,

    I have to merge it to another thread as they are duplicated. Thanks for your understanding.

    Regards,
    Cicely

  • Wednesday, January 23, 2013 6:05 AM
     
     

    Dear Cicely,

    Thanks for your reply. But I do not want to block a particular share for remote desktop users. I want to block all network access for remote desktop users (i.e. when remote desktop users start a session on the remote host, they should not be able to browse the network using a UNC path, the My Computer --> Network folder, or the Apps search menu).

    Also, how do we block a UNC path (\\<servername>) in the 'Apps' search box? If we put a UNC path in the Apps search, it browses to the network share, and we want to restrict this.

    We would appreciate it if anyone could help us resolve this ASAP.

    Thanks in advance.

  • Thursday, January 24, 2013 6:26 AM
    Moderator
     
     
  • Thursday, January 24, 2013 7:47 AM
     
     
     
    > Check if this could help?
    >
    >
    >
     
    No, it doesn't. This only disables entering a path in explorer's address
    bar - not Internet Explorer. And it does not prevent the Win 8 Search
    box to open UNC paths... (verified - it doesn't.) And there's no policy
    setting related to "search" that can do so.
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Thursday, January 24, 2013 8:45 AM
     
     

    Dear Cicely,

    Thanks for your reply. But I have already done this setting, and remote desktop users are not able to open run.exe or a UNC path in IE or in My Computer. But they are able to open a UNC path in the 'Apps' search box of Windows Server 2012, and we have to disable/block this.

    Kindly help.

    Thanks and Regards,

  • Thursday, January 24, 2013 8:59 PM
     
     Answered
     
    > Thanks for your reply. But I have already done this setting, and remote
    > desktop users are not able to open run.exe or a UNC path in IE or
    > in My Computer. But they are able to open a UNC path in the 'Apps'
    > search box of Windows Server 2012, and we have to disable/block this.
    As of now, I believe there's no help available to you. If a user has
    access to network resources, she will always be able to access that
    resource - through whatever method. So, in my humble opinion, your
    request does not make sense. Deny the user access, so she cannot do
    anything, or allow access, and it doesn't matter.
     
    regards, Martin
     

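The accepted answer's point, that access has to be denied on the resource rather than hidden in the shell, can be applied per share. The script below is an added example and not part of the thread: it reports, and with `-Apply` denies, SMB share access for the remote desktop user group. The group name, the server names, and the requirement that the file servers run Windows Server 2012 or later (for the SmbShare cmdlets) are assumptions.

```powershell
# Added example (not from the thread): audit, then optionally deny, SMB share
# access for the RDS user group on a set of file servers.
# Assumptions: the group and server names below are hypothetical placeholders,
# and each file server runs Windows Server 2012+ with the SmbShare module.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $Group       = 'CONTOSO\RDS-Users',   # hypothetical group
    [string[]] $FileServers = @('FS01', 'FS02'),     # hypothetical servers
    [switch]   $Apply                                # without it: report only
)

foreach ($server in $FileServers) {
    $session = New-CimSession -ComputerName $server -ErrorAction Stop
    try {
        # Skip administrative shares (C$, ADMIN$, IPC$).
        $shares = Get-SmbShare -CimSession $session -Special $false

        foreach ($share in $shares) {
            $acl = Get-SmbShareAccess -CimSession $session -Name $share.Name

            # Is there already an explicit Deny entry for the group?
            $denied = [bool]($acl | Where-Object {
                $_.AccountName -eq $Group -and $_.AccessControlType -eq 'Deny'
            })

            # One report row per share, so the change can be reviewed first.
            [pscustomobject]@{
                Server        = $server
                Share         = $share.Name
                Path          = $share.Path
                AlreadyDenied = $denied
            }

            $target = "\\$server\$($share.Name)"
            if ($Apply -and -not $denied -and
                $PSCmdlet.ShouldProcess($target, "Deny share access for $Group")) {
                # Adds a Deny entry to the share ACL; Deny wins over any Allow.
                Block-SmbShareAccess -CimSession $session -Name $share.Name `
                    -AccountName $Group -Force | Out-Null
            }
        }
    }
    finally {
        Remove-CimSession -CimSession $session
    }
}
```

Run it without `-Apply` first to review the report, then with `-Apply -WhatIf` to see which shares would change. A share-level Deny follows the group members wherever they log on, not only on the RD Session Host, so it fits only when those accounts should have no access to the shares at all.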