How to disable Remote Desktop Access but allow RemoteApps to run?

  • Question

  • Hi everyone,

     

    We have RemoteApps working fine. Unfortunately, it also enables Remote Desktop Connections, so a user who is supposed to ONLY use the RemoteApp directly from the .rdp file can now access the full Remote Desktop. Is there a way to disable remote desktop but allow remote apps (.rdp files)?

     

    Thanks

    Wednesday, August 17, 2011 3:31 PM

Answers

  • Hi,

    I'm waiting for a native solution to this behavior in WS2008.

    For the moment, run the following procedure:

    - Go to the RDP properties in the Terminal Services Configuration Console.

    - In the Environment tab, select the option "Start the following program when the user....":

    Path: c:\windows\system32\logoff.exe

    Start in: c:\windows\system32

    Thanks.

     


    Paul Haro - Microsoft Certified Professional
    Wednesday, August 17, 2011 5:59 PM

All replies

  • Thank you very much. This is very helpful and also a clean solution.

     

    To further enhance this, is there any way to keep Remote Desktop enabled for the Administrator user but apply your option to all other users?

     

    How can that be achieved?

     

    Thanks

    Wednesday, August 31, 2011 5:17 AM
  • You can use an RD Gateway to achieve this as well, then use RDWeb to publish the apps you want to use, and use the firewall to block 3389 to all servers from the host machines, but allow admin IPs to access 3389.  Users will connect through 443 to the RD Gateway, and the RD Gateway will make the connections to the session hosts over 3389.
    Wednesday, August 31, 2011 1:32 PM
  • Windows 2008 Enterprise R2 apparently doesn't have "Go to the RDP properties on Terminal Services Configuration Console."

    What is the equivalent of the Terminal Services Configuration Console on Win 2008 Server R2 Enterprise?

    thanks,

    • Proposed as answer by mani pachnanda Friday, December 12, 2014 1:55 PM
    Wednesday, September 7, 2011 9:35 PM
  • All right everyone, here is the proper solution. There is a GPO policy for this:

    Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > "Start a program on connection"

    It has path and working environment fields, which can be enabled. So you can display a message, run a .bat file, or simply add logoff.exe like Paul Haro mentioned.

    The beauty of this is that you won't disable your Administrator RDC, while still disabling it for all other non-administrative users.

     

     

    • Proposed as answer by Yassine Souabni Thursday, September 10, 2015 4:39 PM
    Thursday, September 15, 2011 3:33 PM
  • Now, here is a challenge. Is there any way to allow Administrator to use Remote Desktop but not the other users? Please see my post above this to see how I achieved blocking all users from Remote Desktop while only allowing RemoteApps. However, for ease of administration I want Remote Desktop for Administrator. Can anyone think of a way?
    Friday, January 13, 2012 2:26 AM
  • I am encountering the same issue here.

    We have Windows 2008 R2 as the Terminal Server (now called RemoteDesktop Services).  We chose this over Citrix because of our volume licensing with Microsoft.

    But to my BIG disappointment in Microsoft...

    We would like to allow RemoteApp but disallow actual RDP connections from client PCs/laptops not on the domain (i.e. home/personal computers or other work computers outside of the company domain).  I've looked at this high and low for 3 months and NOTHING.  RemoteApp requires Remote Desktop Group access.  RDP Direct Connection requires Remote Desktop Group access.  This or that.

    Direct RDP connection or use of MSTSC is a security risk when users are able to get in that way....  It is better to have the option to force granted users to RDWeb only, strip away their access to RDP directly, but still allow SysAdmins to RDP in directly.  I've looked into this and there is NOTHING.  This or that.

    I am appalled that Microsoft did not think of this.

    Since this is a problem, there's no choice but to drop Microsoft's Terminal Service technology and go back to Citrix instead.  At least I know that direct RDP can be blocked there, forcing users to use RemoteApp AND still allowing SysAdmins to RDP in directly.



    SysAdmin

    Friday, May 11, 2012 4:03 PM
  • Well, I would suggest to use the same properties in each user's account instead of using this in the server's properties.

    The screenshot of this setting in Windows Server 2008 R2 Russian Edition is listed below.

     

    Moreover, I may use the standard user profile's logon scripts and the RDP logon scripts simultaneously. On the left side you see the script dba.cmd, which attaches the necessary databases to the user's accounting program, which runs in RemoteApp mode, and on the right side you see logoff.exe, which prevents the user from connecting via standard RDP mode. Admins shouldn't have logoff.exe set in the properties of their accounts in AD, of course.

    If you would like to log off the user from every RDS server except a selected one, you may use the utility logoff.exe in the body of the script "logoff_user.cmd", listed below:

    @echo off
    rem logoff_user.cmd: compares this host's name with SRV and runs logoff.exe when they match
    set SRV=YOUR_RDS_SERVER_HOSTNAME
    rem set SRV=%1  <-- use this instead to pass the RDS server's host name as the script's first parameter
    hostname > "%temp%\my_host.txt"
    set /p HST=< "%temp%\my_host.txt"
    del "%temp%\my_host.txt"
    rem /i makes the comparison case-insensitive; the quotes keep the line valid if a variable is empty
    if /i "%HST%"=="%SRV%" start "" "%systemroot%\system32\logoff.exe"
    exit

    • Edited by Eurisco Friday, July 6, 2012 6:28 PM
    Friday, July 6, 2012 5:46 PM
  • Well, Windows Server 2008 R2 Enterprise actually has the specified RDP properties in its RDS configuration console. Here is the screenshot from the Russian edition:


    • Edited by Eurisco Friday, July 6, 2012 5:56 PM
    Friday, July 6, 2012 5:55 PM
  • # User-Check.ps1
    # Create the local group "AdminRPDAccess" on the server and add to it the users who are allowed the full desktop.
    # In Environment, RDP-Tcp Properties, set "Start the following program when the user logs on:", "Program path ..." to:
    #   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -NonInteractive -File C:\CheckUserAccess\User-Check.ps1
    # !!! This script only checks the direct members of "AdminRPDAccess"; domain or local groups nested inside "AdminRPDAccess" are not expanded.
    $members = ([ADSI]"WinNT://localhost/AdminRPDAccess").Members() |
        ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    if ($members -contains [Environment]::UserName) {
        & "$env:SystemRoot\explorer.exe"            # allowed: start the normal desktop
    } else {
        & "$env:SystemRoot\System32\logoff.exe"     # not allowed: end the session at once
    }

    Tuesday, July 17, 2012 2:36 AM
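An added example (not the poster's script above) that removes the nested-group limitation the post mentions: instead of walking the local group's member list, it checks the group SIDs in the connecting user's own logon token, which already include groups nested inside the local group. It assumes the same local group name, AdminRPDAccess, and the same RDP-Tcp "Start the following program" setup.

```powershell
# User-Check.ps1 variant (added example; not the original poster's script).
# Run as the RDP-Tcp initial program: decides whether the connecting user gets the full
# desktop or is logged off. As the posts above report, a RemoteApp launch does not run the
# initial program, so only full-desktop logons reach this script.
$GroupName = 'AdminRPDAccess'   # local group of accounts allowed a full desktop (assumed name)

function Test-DesktopAllowed {
    param([string]$LocalGroup = $GroupName)
    # Resolve the local group to its SID. If the group does not exist, fail closed:
    # nobody gets a desktop rather than everybody.
    try {
        $account  = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$LocalGroup")
        $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        return $false
    }
    # The access token lists every group SID the user holds, including membership obtained
    # through domain or local groups nested inside $LocalGroup, so nesting needs no extra code.
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($token.Groups | Where-Object { $_.Value -eq $groupSid.Value })
}

if (Test-DesktopAllowed) {
    # -Wait keeps this initial program alive while the desktop runs, since the session is tied to it.
    Start-Process -FilePath "$env:SystemRoot\explorer.exe" -Wait
} else {
    & "$env:SystemRoot\System32\logoff.exe"
}
```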
  • I am dealing with the same problem.

    We have RD Gateway, and users are able to access RDP by specifying an application to run on connection, or the full desktop without specifying any app to run on connection. I need a way to prevent them from connecting to the full desktop yet be able to connect if they have an app specified to launch on connection.

    Any ideas?


    Mohsen Almassud

    Wednesday, September 26, 2012 4:56 PM
  • Hi, you can try this (Local Users and Groups > Users)

    Sunday, October 21, 2012 2:13 PM
  • There is no straightforward way to do this; various people have discovered workarounds that more or less accomplish the same thing, but it isn't built into the Remote Desktop client. RemoteApp isn't intended to be used as a security feature, as there are ways that a sufficiently determined user can use it to run almost anything they could in Remote Desktop Connection.

    If you do want to prevent standard Remote Desktop sessions from working, though, one way is the workaround mentioned in this thread (running logoff.exe automatically on log-in); another is using AppLocker to prevent explorer.exe from running.

    Wednesday, October 24, 2012 12:13 AM
  • I've been through this and even got to the point of thinking that there's no way around it, but it's really simple.

    You can create a user policy that will not apply to domain admins or local admins. Make the settings here:

    user configuration\administrative templates\system

    On the right, double-click Custom User Interface and select Enable, and then in the Interface file name you can either use c:\windows\system32\logoff.exe or any other exe file of your choice, such as cscript "Path to a VB Script" that displays a message, and then after they click OK, it would log them off.

    I personally like c:\windows\system32\logoff.exe, because it does not tell whoever is attempting to connect to a full desktop anything and keeps them guessing.


    Mohsen Almassud

    • Proposed as answer by Mehran Safari Wednesday, October 2, 2019 11:51 AM
    Wednesday, October 24, 2012 2:17 AM
  • The solution proposed by zezva_net will not work because it will also prevent the launch of RemoteApps as well as block straight RDP.

    Simply setting logoff.exe to run at login is less than ideal, as users don't know they were blocked/denied nor why, and many will continue trying to initiate RDP connections, placing an unnecessary burden on your server(s) and infrastructure.

    Our preferred workaround (workaround being the key term, here) is to check the option in a user's Environment settings to start a program at login, but we put a string similar to "This account is not authorized for RDP access. Please use the web portal" in the program field, which of course generates an error when trying to RDP, but it displays this string in the error message so at least users know the reason their RDP doesn't work. This setting can be pushed via GPO for larger user bases, and thoughtful GPO linking and placement of OUs/accounts will alleviate any issue with admin RDP access.

    Also, as far as I have been able to gather in testing, this still has not been addressed in Windows 2012 RTM, despite the other radical changes to deploying and managing the RDS suite.

    /2cents


    • Edited by CP-ITP Friday, December 21, 2012 10:06 PM
    Friday, December 21, 2012 10:02 PM
  • Here is how I solved the problem:

    1) Set up an AD group to control access to the "Log on Locally" security policy (the "Users" group is normally removed from this permission on our standard server build), the "Remote Desktop Users" local group, and RemoteApp authorized users.  Then I will use this same group to lock out "explorer" via AppLocker.

    2) Set the "Application Identity" service to automatic and started it

    3) Run GPEDIT.msc to set up AppLocker (Computer Configuration\Windows Settings\Security Settings\Application Control Policies)

    4) Click the AppLocker icon, and then on the right, click the "Configure rule enforcement" link and check the box next to "Configured" for "Executable Rules"

    5) Create a new rule to DENY access to "%WINDIR%\explorer.exe" for the group I created in step 1

    6) Allowed it to create the DEFAULT rules

    7) Rebooted!  I found I was locked out of EVERYTHING, even as an admin, until I rebooted.  Pretty scary.

    8) Test user added to AD group.  Set up RemoteApp (AD group has permissions to this).  Works!

    9) Test user tries to log in to the desktop session - Fails (works!).  User is not allowed to log in and the RDP session closes.  The message they get is this:

    "You are connected to the remote computer.  However, an error occurred while an initial user program was starting, so you are being logged off...."

    This is nice because it gives the user some sort of feedback.

    NK


    • Edited by NJK-Work Wednesday, March 6, 2013 9:34 PM
    • Proposed as answer by WildHare Friday, July 26, 2013 5:31 PM
    Wednesday, March 6, 2013 9:33 PM
  • I’ve gotten a conclusion and a solution from all the answers here.

    In order to disable remote desktop for a user while RemoteApp is allowed, you will have to go to the user's properties from "Local Users and Groups", open the Environment tab and set these:

    Path: c:\windows\system32\logoff.exe

    Start in: c:\windows\system32
    Monday, April 22, 2013 9:05 AM
  • Here is how I solved the problem:

    1) Set up an AD group to control access to the "Log on Locally" security policy (the "Users" group is normally removed from this permission on our standard server build), the "Remote Desktop Users" local group, and RemoteApp authorized users.  Then I will use this same group to lock out "explorer" via AppLocker.

    2) Set the "Application Identity" service to automatic and started it

    3) Run GPEDIT.msc to set up AppLocker (Computer Configuration\Windows Settings\Security Settings\Application Control Policies)

    4) Click the AppLocker icon, and then on the right, click the "Configure rule enforcement" link and check the box next to "Configured" for "Executable Rules"

    5) Create a new rule to DENY access to "%WINDIR%\explorer.exe" for the group I created in step 1

    6) Allowed it to create the DEFAULT rules

    7) Rebooted!  I found I was locked out of EVERYTHING, even as an admin, until I rebooted.  Pretty scary.

    8) Test user added to AD group.  Set up RemoteApp (AD group has permissions to this).  Works!

    9) Test user tries to log in to the desktop session - Fails (works!).  User is not allowed to log in and the RDP session closes.  The message they get is this:

    "You are connected to the remote computer.  However, an error occurred while an initial user program was starting, so you are being logged off...."

    This is nice because it gives the user some sort of feedback.

    NK


    Works, Thanks!
    Friday, August 30, 2013 3:58 PM
  • Nice! Glad it helped.  We ended up renewing our Citrix licenses so it turns out I did not need to use this after all.  I was looking to see if RDS could be an effective replacement for Citrix...but in the end we went with Citrix anyways.

    NK

    Friday, August 30, 2013 4:08 PM
  • All right everyone, here is the proper solution. There is a GPO policy for this:

    Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > "Start a program on connection"

    It has path and working environment fields, which can be enabled. So you can display a message, run a .bat file, or simply add logoff.exe like Paul Haro mentioned.

    The beauty of this is that you won't disable your Administrator RDC, while still disabling it for all other non-administrative users.

    Thank you, this works perfectly.  Just to be clear, the GPO should be:

    User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Start a program on connection

    You only need c:\windows\system32\logoff.exe in the Program path.  Put this in your user GPOs but not sysadmin GPOs.

    Friday, April 4, 2014 2:50 PM
  • Thank you, this works perfectly.  Just to be clear, the GPO should be:

    User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Start a program on connection

    You only need c:\windows\system32\logoff.exe in the Program path.  Put this in your user GPOs but not sysadmin GPOs.

    This is the approach I have adopted.  Our "RDS Admins" are not in a separate OU, so I applied this GPO to the "RemoteApp Servers" OU with User Group Policy loopback processing mode: Enabled, and set the permissions on the GPO for "RDS Admins" to Apply group policy: Deny.

    For a Server 2012 R2 session host, publishing RemoteApp programs will unpublish the Remote Desktop.  You would have thought that would stop users directly connecting to the Remote Desktop, but it does not, so this workaround is still required for Server 2012 R2.

    Tuesday, May 27, 2014 12:18 AM
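An added check (not from any post in this thread) that reports which of the workarounds discussed above are in effect on a session host, so the admin exemption and the "still required on 2012 R2" point can be verified rather than assumed. It assumes the registry locations named in the comments and the AppLocker PowerShell module; run it in an elevated PowerShell on the session host.

```powershell
# Added example (not from any post in this thread). Reports which of the workarounds discussed
# above are in effect on the session host it runs on. Assumptions: the "Start a program on
# connection" policy stores InitialProgram/WorkDirectory under the Terminal Services policy key
# (HKLM for the Computer variant, HKCU for the User variant, so HKCU reflects the account running
# this); the Environment tab of RDP-Tcp stores the same values, plus PortNumber, under the
# RDP-Tcp WinStation key; AppLocker is read with the AppLocker module's Get-AppLockerPolicy.
function Get-RdpRestrictionState {
    $policy = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $state  = [ordered]@{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $v = Get-ItemProperty -Path "${hive}:\$policy" -Name InitialProgram -ErrorAction SilentlyContinue
        $state["PolicyInitialProgram_$hive"] = if ($v) { $v.InitialProgram } else { $null }
    }

    $conn = Get-ItemProperty -Path $rdpTcp -ErrorAction SilentlyContinue
    $state['RdpTcpInitialProgram'] = $conn.InitialProgram
    $state['RdpTcpPort']           = $conn.PortNumber

    # AppLocker: an executable path rule with Action="Deny" whose path ends in explorer.exe
    $state['AppLockerDeniesExplorer'] = $false
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        [xml]$xml  = Get-AppLockerPolicy -Effective -Xml
        $pathRules = $xml.AppLockerPolicy.RuleCollection |
                     Where-Object { $_.Type -eq 'Exe' } |
                     ForEach-Object { $_.FilePathRule }
        $state['AppLockerDeniesExplorer'] = [bool]($pathRules | Where-Object {
            $_.Action -eq 'Deny' -and $_.Conditions.FilePathCondition.Path -match 'explorer\.exe$' })
    }
    [pscustomobject]$state
}

# How to read the result, one line per workaround in the thread:
#  - an InitialProgram ending in logoff.exe (policy or RDP-Tcp) is the logoff.exe workaround,
#    effective only for the scope that value applies to (confirm admins are excluded with gpresult /r);
#  - RdpTcpPort other than 3389 is the port-change suggestion, which hides the listener but does
#    not restrict anyone who knows the port;
#  - AppLockerDeniesExplorer is the AppLocker approach.
Get-RdpRestrictionState | Format-List
```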
  • I ran into the same 'problem' and resorted to creating a shortcut under the all users startup folder in the startmenu. The shortcut calls the logoff executable, and does not get run when starting a RemoteApp.

    To ensure only 'regular users' get the logoff when connecting to the desktop, I denied the filesystem privileges 'read & execute' for the (local) Administrators group in the ACL of the shortcut.

    Testing has proven this solution to provide the desired result. (for us anyway)

    • Proposed as answer by Myron15 Thursday, March 5, 2015 1:32 PM
    Thursday, July 31, 2014 6:23 PM
  • Worked for me.. 

    Users get an error before desktop composition. When you use logoff.exe, the desktop will be visible and usable before logging off. Users had access for about 5 seconds, but I wanted access to be denied.

    This workaround comes closest in my humble opinion

    Tuesday, August 5, 2014 11:51 AM
  • I am a Microsoft Tech with Platforms Core. I came across this thread rather recently. So as a Christmas surprise, it can be achieved rather simply. Please follow the following steps...


    1. Please navigate to HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP
    2. Change the value of the port to anything other than 3389.
    3. Also change it in RemoteApp Manager on the RD Session Host server (RDP Port) to the port you have changed to in the registry.
    4. Please note it has to be done on all session hosts, redirectors and Connection Brokers.
    5. Now your RemoteApp continues to work; however, RDP done without the exact port number will not work.
    Please feel free to contact me on this.

    Simple, sweet and logical resolution. Cheers.. Happy holidays :-)
    Friday, December 12, 2014 3:22 PM
  • Hi there. With Windows 2012R2 RDS this problem is solved.

    To remove this setting from Remote Desktop Web Access you have to change the settings of the ASP.NET application for the RDWeb site.

    A full description can be found at: http://windowsitpro.com/windows-server-2012/remove-rd-web-access-option-connect-remote-pc

    Cheers.

    Thursday, June 18, 2015 7:47 AM
  • Are we really officially recommending security via obscurity here? Simply editing the port number is not a very good solution, and merely a nice insecure workaround.

    • Edited by TyroneS2S Wednesday, July 15, 2015 10:15 PM gremmar
    Wednesday, July 15, 2015 10:13 PM
  • This does not solve the issue (at all), this just removes the option from the RDWeb page; it does not prevent someone from pulling up mstsc and typing in the machine name/IP and connecting.
    Wednesday, July 15, 2015 10:14 PM
  • In the meantime, run the following procedure:

    - Go to the RDP properties in the Terminal Services Configuration Console.

    - In the Environment tab, select the option "Start the following program when the user....":

    Path: c:\windows\system32\logoff.exe


    Paul Haro - Microsoft Certified Professional

    This is a clever idea that can also be accomplished via group policy in case you only want to restrict certain users. 

    User Configuration/Policies/Administrative Templates/Windows Components/Terminal Services/Terminal Server/Remote Session Environment/Start a program on connection

    Wednesday, December 16, 2015 10:32 PM
  • But how does this not affect the administrator RDC? Does this setting not affect all users using remote desktop including administrators?
    Monday, May 9, 2016 6:08 PM
  • The solution from Paul works fine.  Set this in group policy then under the security of the policy set Domain Admins (or your admin group) to Deny 'Apply Policy'.  Your admins can then log in fine but users are blocked.

    Friday, August 19, 2016 3:13 AM
  • This is my preferred method as well.  It gives standard users all the RemoteApp they need and disallows RDP and console login, while retaining admin RDP access.  Perfect.  The c:\windows\system32\logoff.exe method is no good.
    Thursday, September 1, 2016 10:33 PM
  • An even easier method would be to use Group Policy.  This can be done via domain policy or via local policy, but in either case, navigate to "Local Computer Policy" --> "Computer" --> "Administrative Templates" --> "Windows Components" --> "Remote Desktop Services" --> "Remote Desktop Session Host" --> "Remote Session Environment" --> "Start a program on connection” = Enabled, and then set the value to “:” (without the double quotes...just put in a colon).
    • Proposed as answer by Kostenko Anton Friday, February 7, 2020 9:30 AM
    Tuesday, May 2, 2017 6:38 PM
  • Has anyone tested ItMustBeVictor's solution?
    Monday, May 15, 2017 8:56 PM
  • Hi All,

    Can someone explain to me how you apply the GPO? Where do you link this GPO, and how do you restrict it to just a few users?

    Tuesday, December 5, 2017 8:32 AM
  • Hi, thanks for the solution, it worked well.

    The good thing is you can apply it to everyone or all domain users, and if you want to exclude a user or group you can go to the GPO's delegation settings and, in advanced mode, add a user or group and deny the GPO apply to it.

    Nice idea ;)

    Wednesday, October 2, 2019 11:55 AM
  • It's cool :)

    Friday, February 7, 2020 9:30 AM