RemoteApp 2012 R2 Restrict Access to Session Host Desktop

  • Question

  • Here is our current situation: I have set up Remote Desktop Services on Server 2012 R2 and published RemoteApp programs. Everything works great with load balancing, collections, etc., and I have been very impressed. However, as it always has been an issue, I have always had the question of how to allow users to access RemoteApp applications on the session host without allowing them to RDP directly onto the server to access the server desktop. Obviously, you have to add them to the Remote Desktop Users group and they need to be allowed to access over RDP, so I figure that the next best thing is to restrict access to the desktop should they manually type the name into an RDP client connection. I know you couldn't restrict them from using mstsc.exe because they need that to open the RemoteApp since it just uses RDP, and I am aware of using GPOs to restrict access to drives and many other things, but I would like to remove the desktop altogether. Would it be plausible to remove the GUI feature and restrict access to CMD and SCONFIG through Server Manager and still allow the session host to present RemoteApp applications, or is there a better way to approach this? I figured if I just remove the GUI and access to cmd and sconfig then if they logged on, they would get a blank screen. Thank you in advance for your time!
    Friday, December 13, 2013 7:57 PM

Answers

  • Hi,

    One technique for this is to set the Custom User Interface group policy setting to logoff.exe.  You would have the GPO apply to normal users, but not applied to Domain Admins (or other users that you need to have full desktop).

    User Configuration\Administrative Templates\System

    Custom User Interface     Enabled

    Interface file name: %systemroot%\system32\logoff.exe

    You should also use NTFS permissions, group policy settings, AppLocker, etc., to further restrict what users are able to do.

    -TP

    Friday, December 13, 2013 9:11 PM
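An added PowerShell example (not TP's code and not from the thread) that creates and scopes the GPO described above with the GroupPolicy module, and a check to run on the session host. The GPO name, OU distinguished name and the user group are assumed placeholders; the registry value is where the Custom User Interface policy is stored.

```powershell
# Added example, not from the thread. Run on a domain-joined admin host with RSAT.
# The "Custom User Interface" policy is stored as the REG_SZ value "Shell" under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
Import-Module GroupPolicy

$GpoName     = 'RDS-SessionHost-NoDesktop'          # assumed GPO name
$TargetOU    = 'OU=RDS Users,DC=example,DC=com'     # placeholder OU
$ApplyTo     = 'RDS-RemoteApp-Users'                # assumed group of normal RDS users
$CustomShell = '%systemroot%\system32\logoff.exe'   # the interface file name from the answer

function New-NoDesktopGpo {
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # User Configuration\Administrative Templates\System\Custom User Interface -> Enabled
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
        -ValueName 'Shell' -Type String -Value $CustomShell | Out-Null

    # Security filtering: only members of $ApplyTo apply the policy, so Domain Admins
    # (who are not in that group) keep the full desktop.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $ApplyTo `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Computers must still be able to read the GPO for user policy to process.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null

    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes `
        -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

function Test-NoDesktopApplied {
    # Run in a session of the user being checked (e.g. a RemoteApp-published PowerShell):
    # reports whether the custom shell that lands in HKCU is logoff.exe.
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    $expected = "$env:SystemRoot\system32\logoff.exe"
    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        PolicyShell    = $shell
        DesktopBlocked = [bool]$shell -and
            ([Environment]::ExpandEnvironmentVariables($shell) -ieq $expected)
    }
}
```

Run `New-NoDesktopGpo` once from an admin workstation, then `Test-NoDesktopApplied` as a normal user after `gpupdate` to confirm the shell value arrived before relying on it.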

All replies

  • Sorry for the delay! Finally had a chance to test this out and it works like a charm! The RemoteApp connection bypasses the custom user interface so the RemoteApp applications can run. Logging directly onto the server logs them off immediately as hoped (with the exception of Domain Admins as suggested)! Thank you so much again for this tip!
    Friday, December 20, 2013 10:11 PM