
Restrict access to the server for Terminal Services users

Discussion in 'Windows Home Server' started by Richard, Oct 7, 2009.

  1. Richard

    Richard Guest

    Hi

    We have a Windows SBS 2003 Server hosting all our company's applications and
    files. Access is managed on the local domain via the Active Directory. For
    some time, I have been remotely accessing the server via Terminal Services
    without any problems, but I have been wary of unleashing this facility to
    users because of the apparently unlimited access they have to the contents of
    the server.

    Specifically, all our users from Directors down, have their own shared
    folder on the server where they can store all their sensitive documents etc.
    These folders are restricted access shares on the domain, so that only the
    correct users can access them & map drives to them etc. The trouble is that
    when someone logs on via Terminal Services and navigates to the local drives
    on the server, they can access all files and folders, right down to the
    restricted shared folders.

    I've tried hiding the local drives in Windows Explorer via GPEdit.msc, but
    despite the drives being hidden, if the Terminal Services user types in "C:"
    in the Address bar in Windows Explorer, they can still see and browse through
    the contents of that drive.

    What I really want to do is only grant access to the local drives on the
    server to specific individuals who log on remotely. Anybody who doesn't have
    access granted should be prevented from viewing local drives completely. The
    situation is slightly more complicated because I DO want remote users to be
    able to double click on icons on their desktop to run applications that are
    installed on the server.

    Can anyone offer me any insight as to how I might achieve this?

    Many thanks in advance,
    Richard Hotchkin.
     
  2. Honestly, this setup is a no-no, and it is for that reason that Terminal
    Services is not supported under SBS. All explained here:


    The correct approach would be to set up another machine, part of the same SBS
    2003 domain, and make that one your Terminal Server and then lock it down
    properly with group policies and folder redirection.
    As a reference read the guide I wrote, "Terminal Services from A to Z"
    available at no cost on my website.

    Cheers.

    Claudio Rodrigues
    CEO, WTSLabs Inc.



    Citrix CTP
    Provision Networks VIP


    "Richard" wrote:
    > Hi
    >
    > We have a Windows SBS 2003 Server hosting all our company's applications and
    > files. Access is managed on the local domain via the Active Directory. For
    > some time, I have been remotely accessing the server via Terminal Services
    > without any problems, but I have been wary of unleashing this facility to
    > users because of the apparently unlimited access they have to the contents of
    > the server.
    >
    > Specifically, all our users from Directors down, have their own shared
    > folder on the server where they can store all their sensitive documents etc.
    > These folders are restricted access shares on the domain, so that only the
    > correct users can access them & map drives to them etc. The trouble is that
    > when someone logs on via Terminal Services and navigates to the local drives
    > on the server, they can access all files and folders, right down to the
    > restricted shared folders.
    >
    > I've tried hiding the local drives in Windows Explorer via GPEdit.msc, but
    > despite the drives being hidden, if the Terminal Services user types in "C:"
    > in the Address bar in Windows Explorer, they can still see and browse through
    > the contents of that drive.
    >
    > What I really want to do is only grant access to the local drives on the
    > server to specific individuals who log on remotely. Anybody who doesn't have
    > access granted should be prevented from viewing local drives completely. The
    > situation is slightly more complicated because I DO want remote users to be
    > able to double click on icons on their desktop to run applications that are
    > installed on the server.
    >
    > Can anyone offer me any insight as to how I might achieve this?
    >
    > Many thanks in advance,
    > Richard Hotchkin.
     
