How to disable Remote Desktop Access but allow RemoteAPPs to run?

Hi everyone,

 

We have RemoteApps working fine. Unfortunately, it also enables Remote Desktop Connections as well so the user who is supposed to ONLY use the RemoteApp directly from the .rdp file now can have access to full Remote Desktop. Is there a way to disable remote desktop but allow remote apps (.rdp files)?

 

Thanks

August 17th, 2011 3:31pm

Hi,

I'm waiting for a native solution to this behavior in WS2008.

For the moment, use the following procedure:

- Go to the RDP properties on Terminal Services Configuration Console.

- In environment tab, select the option "Start the following program when the user....":

Path: c:\windows\system32\logoff.exe

Start in: c:\windows\system32

Thanks.

 

August 17th, 2011 5:59pm

Thank you very much. This is very helpful and also a clean solution.

 

To further enhance this, is there any way to keep Remote Desktop enabled for the Administrator user but use your option for all other users?

 

How can that be achieved?

 

Thanks

August 31st, 2011 5:17am

You can use an RD Gateway to achieve this as well, then use RDWeb to publish the apps you want to use, and use the firewall to block 3389 to all servers from the host machines, but allow admin IPs to access 3389.  Users will connect through 443 to the RD Gateway, and the RD Gateway will make the connections to the session hosts over 3389.
August 31st, 2011 1:32pm

Windows 2008 Enterprise R2 apparently doesn't have "Go to the RDP properties on Terminal Services Configuration Console."

What is the equivalent of the Terminal Services Configuration Console on Win 2008 Server R2 Enterprise?

thanks,

  • Proposed as answer by mani pachnanda Friday, December 12, 2014 1:55 PM
September 7th, 2011 9:35pm

All right everyone, here is the proper solution. There is a GPO policy for this:

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > "Start a program on connection"

It has path and working environment fields which can be enabled. So, you can display a message, run a .bat file, or simply add the logoff.exe like Paul Haro mentioned.

The beauty of this is that you won't disable your Administrator RDC but will disable all other non-administrative users.

 

 

September 15th, 2011 3:33pm

Now, here is a challenge. Is there any way to allow Administrator to do Remote Desktop but not the other users? Please see my post above this to know how I achieved blocking all users from Remote Desktop but only allowing RemoteApps. However, for ease of administration I want Remote Desktop for Administrator. Can anyone think of a way?
January 13th, 2012 2:26am

I am encountering the same issue here.

We have Windows 2008 R2 as the Terminal Server (now called Remote Desktop Services).  We chose this over Citrix because of our volume licensing with Microsoft.

But to my BIG disappointment in Microsoft...

We would like to allow RemoteApp but disallow actual RDP connection from client PCs/laptops not on the domain (i.e. home/personal computers or other work computers outside of the company domain).  I've looked at this high and low for 3 months and NOTHING.  RemoteApp requires Remote Desktop Group access.  RDP Direct Connection requires Remote Desktop Group access.  This or that.

Direct RDP connection or use of MSTSC is a security risk when users are able to get in that way....  It is better to have the option to force granted users to the RDWeb only, strip away their access to RDP directly, but still allow SysAdmins to RDP in directly.  I've looked into this and there is NOTHING.  This or that.

I am appalled that Microsoft did not think of this.

Since this is a problem, there's no choice but to drop Microsoft's Terminal Service technology and go back to Citrix instead.  At least I know that RDP direction can be blocked, and force users to use remoteapp there AND still allow SysAdmins to RDP in directly.


May 11th, 2012 4:03pm

Well, I would suggest using the same properties in each user's account instead of using this in the server's properties.

The screenshot of this setting in Windows Server 2008 R2 Russian Edition is listed below.

 

Moreover, I may use the standard user profile's logon scripts and the RDP logon scripts simultaneously. On the left side you see the script dba.cmd, which attaches necessary databases to the user's accounting program, which runs in RemoteApp mode, and on the right side you see the logoff.exe, which prevents the user from connecting via standard RDP mode. Admins shouldn't have the logoff.exe set in the properties of their accounts in AD, of course.

If you would like to log off the user from every RDS server except selected ones, you may use the utility logoff.exe in the body of the script "logoff_user.cmd", listed below:

@echo off
rem Log the user off only when this session host is the selected server.
set SRV=YOUR_RDS_SERVER_HOSTNAME
rem set SRV=%1 <-- uncomment to pass the RDS server's host name as the script's first parameter instead.
rem Read the local host name into HST (the built-in %COMPUTERNAME% variable could be used instead of the temp file).
hostname > "%temp%\my_host.txt"
set /p HST= < "%temp%\my_host.txt"
del "%temp%\my_host.txt"
rem /i makes the comparison case-insensitive; the quotes keep the comparison valid if a value is empty.
if /i "%HST%"=="%SRV%" start "" %systemroot%\system32\logoff.exe
exit

  • Edited by Eurisco Friday, July 06, 2012 6:28 PM
July 6th, 2012 5:46pm
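Eurisco's suggestion above (set the program in each user's account rather than on the listener) can be done in bulk from a domain-joined admin workstation. The following PowerShell is an added example, not code from the thread: it sets the Environment-tab values for every user in a RemoteApp-only group and leaves members of an admin group alone. The group names, the sample account and the presence of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example, not from the thread. Bulk-set the per-user "Start the following program
# at logon" values (the Environment tab in Active Directory Users and Computers) so that
# RemoteApp-only users are logged off when they open a full desktop, while admins keep RDP.
Import-Module ActiveDirectory

$RemoteAppGroup = 'RemoteApp Users'                 # assumed group: RemoteApp-only users
$AdminGroup     = 'RDS Admins'                      # assumed group: keeps full desktop RDP
$LogoffProgram  = 'C:\Windows\System32\logoff.exe'
$LogoffWorkDir  = 'C:\Windows\System32'

# Expand both groups recursively so nested groups count (the thread's User-Check.ps1
# only looked at direct members of its local group).
$admins = Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName }
$users = Get-ADGroupMember -Identity $RemoteAppGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($u in $users) {
    if ($admins -contains $u.SamAccountName) {
        # Admins must not get logoff.exe, otherwise they lose their own desktop too.
        Write-Host "Skipping $($u.SamAccountName): member of $AdminGroup"
        continue
    }
    # The Environment-tab values are stored in the userParameters blob and exposed
    # through the IADsTSUserEx interface, so use ADSI rather than Set-ADUser.
    $adsUser = [ADSI]"LDAP://$($u.DistinguishedName)"
    $adsUser.InvokeSet('TerminalServicesInitialProgram', $LogoffProgram)
    $adsUser.InvokeSet('TerminalServicesWorkDirectory',  $LogoffWorkDir)
    $adsUser.SetInfo()
    Write-Host "Set logoff.exe as the initial program for $($u.SamAccountName)"
}

# Read one account back to confirm the value landed (assumed sample account name).
$check = [ADSI]"LDAP://$((Get-ADUser -Identity 'jsmith').DistinguishedName)"
$check.InvokeGet('TerminalServicesInitialProgram')
```

A RemoteApp launch is unaffected because the .rdp file supplies its own program; only a connection with no program, i.e. a full desktop, runs logoff.exe.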

Well, Windows Server 2008 R2 Enterprise actually has the specified RDP properties in its RDS configuration console. Here is the screenshot in the Russian edition:


  • Edited by Eurisco Friday, July 06, 2012 5:56 PM
July 6th, 2012 5:55pm

# User-Check.ps1: run as the RDP-Tcp initial program. Members of the local group
# "AdminRPDAccess" get the normal shell; everyone else is logged off straight away.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/AdminRPDAccess,group"
$members = @($group.psbase.Invoke("Members") |
    ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) })
if ($members -contains [Environment]::UserName) {
    & "$env:SystemRoot\explorer.exe"
} else {
    & "$env:SystemRoot\System32\logoff.exe"   # %systemroot% is cmd syntax; PowerShell uses $env:SystemRoot
}
# Create the local group "AdminRPDAccess" on the server and add to it the users who are allowed the full desktop.
# In Environment, RDP-Tcp Properties, set "Start the following program when the user logs on:", "Program path ..." to "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NoLogo -NonInteractive -File C:\CheckUserAccess\User-Check.ps1" (the switches must precede the script path, and the switch is -NoLogo, not -nolog).
# !!! This script only examines the direct user members of "AdminRPDAccess"; domain or local groups nested in "AdminRPDAccess" are not expanded.

July 17th, 2012 2:36am

I am dealing with the same problem.

We have RD Gateway, and users are able to access RDP by specifying an application to run on connection or a full desktop without specifying any app to run on connection. I need a way to prevent them from connecting to the full desktop yet be able to connect if they have an app specified to launch on connection.

any ideas?

September 26th, 2012 4:56pm

Hi, you can try this (Local Users and Groups > Users)

October 21st, 2012 2:13pm

There is no straightforward way to do this; various people have discovered workarounds that more or less accomplish the same thing, but it isn't built into the Remote Desktop client. RemoteApp isn't intended to be used as a security feature, as there are ways that a sufficiently determined user can use it to run almost anything they could in Remote Desktop Connection.

If you do want to prevent standard Remote Desktop sessions from working, though, one way is the workaround mentioned in this thread (running logoff.exe automatically on log-in); another is using AppLocker to prevent explorer.exe from running.

October 24th, 2012 12:13am

I've been through this and even got to the point of thinking that there's no way around it, but it's really simple.

You can create a user policy that will not apply to domain admins or local admins. Make the settings here:

user configuration\administrative templates\system

On the right, double click Custom User Interface and select Enable, and then in the Interface file name you can either use c:\windows\system32\logoff.exe or any other exe file of your choice, such as cscript "path to a VB script" that displays a message, and then after they click OK, it would log them off.

I personally like c:\windows\system32\logoff.exe, because it does not tell whoever is attempting to connect to a full desktop anything and keeps them guessing.

October 24th, 2012 2:17am

The solution proposed by zezva_net will not work because it will also prevent the launch of RemoteApps as well as block straight RDP.

Simply setting logoff.exe to run at login is less than ideal, as users don't know they were blocked/denied nor why, and many will continue trying to initiate RDP connections, placing an unnecessary burden on your server(s) and infrastructure.

Our preferred workaround (workaround being the key term, here) is to check the option in a user's Environment settings to start a program at login, but we put a string similar to "This account is not authorized for RDP access. Please use the web portal" in the program field, which of course generates an error when trying to RDP, but it displays this string in the error message so at least users know the reason their RDP doesn't work. This setting can be pushed via GPO for larger user bases, and thoughtful GPO linking and placement of OUs/accounts will alleviate any issue with admin RDP access.

Also, as far as I have been able to gather in testing, this still has not been addressed in Windows 2012 RTM, despite the other radical changes to deploying and managing the RDS suite.

/2cents


  • Edited by CP-ITP Friday, December 21, 2012 10:06 PM
December 21st, 2012 10:02pm

Here is how I solved the problem:

1) Setup AD group to control access to "Log on Locally" security policy ("Users" group is normally removed from this permission on our standard server build), "Remote Desktop Users" local group, and RemoteApp authorized users.  Then I will use this same group to lock out "explorer" via AppLocker.

2) Set the "Application Identity" service to automatic and started it

3) Run GPEDIT.msc to setup AppLocker (Computer Configuration\Windows Settings\Security Settings\Application Control Policies)

4) Click the Applocker icon, and then in the right, click the "Configure rule enforcement" link and check the box next to "Configured" for "Executable Rules"

5) Create a new rule to DENY access to %WINDIR%\explorer.exe for the group I created in step 1

6) Allowed it to create the DEFAULT rules

7) Rebooted!  I found I was locked out of EVERYTHING, even as an admin until I rebooted.  Pretty scary.

8) Test user added to AD group.  Setup RemoteApp (AD group has permissions to this).  Works!

9) Test user tries to log in to the desktop session - Fails (works!).  User is not allowed to log in and the RDP session closes.  Message they get is this:

"You are connected to the remote computer.  However, an error occurred while an initial user program was starting, so you are being logged off...."

This is nice because it gives the user some sort of feedback.

NK


  • Edited by NJK-Work Wednesday, March 06, 2013 9:34 PM
  • Proposed as answer by WildHare Friday, July 26, 2013 5:31 PM
March 6th, 2013 9:33pm
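NJK-Work's AppLocker steps above, as an added PowerShell example that is not from the thread: it writes the deny rule from step 5 plus the default rules from step 6 as an AppLocker policy, dry-runs it against a standard user and an admin before enforcing anything (step 7 shows what skipping that costs), then starts the Application Identity service from step 2 and applies the policy. The domain, group and account names are assumptions.

```powershell
# Added example, not from the thread: NJK-Work's AppLocker steps 2 and 4-6 as a script
# that dry-runs the policy before enforcing it. Group and account names are assumptions.
$RemoteAppGroup = 'CONTOSO\RemoteApp Users'   # assumed: the AD group from step 1
$StandardUser   = 'CONTOSO\jsmith'            # assumed member of that group
$AdminUser      = 'CONTOSO\rdsadmin'          # assumed member of local Administrators

# AppLocker stores principals as SIDs, so resolve the group name first.
$groupSid = (New-Object System.Security.Principal.NTAccount($RemoteAppGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Step 5: deny the shell to RemoteApp-only users. A Deny rule beats any Allow rule,
         so an admin who is also a member of this group is locked out as well. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny explorer.exe to RemoteApp users" Description="" UserOrGroupSid="$groupSid" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\explorer.exe" /></Conditions>
    </FilePathRule>
    <!-- Step 6: the default rules; without them nothing else may run once enforcement is on. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) All files in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default) Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'remoteapp-only.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before enforcing: explorer.exe must come back Denied for the standard user
# and Allowed for the admin, otherwise step 7's lockout is what you get.
$shell       = "$env:WINDIR\explorer.exe"
$userResult  = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $shell -User $StandardUser
$adminResult = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $shell -User $AdminUser
$userResult, $adminResult | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
if ($userResult.PolicyDecision -ne 'Denied' -or $adminResult.PolicyDecision -ne 'Allowed') {
    throw 'Policy does not produce the intended decisions; not applying it.'
}

# Step 2: AppLocker enforces nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to this session host. (Use the -Ldap parameter to write it into a domain GPO instead.)
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Because the rule denies the shell rather than logging the user off after it starts, the user never sees a desktop; the message quoted in step 9 is what they get instead.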

I've gotten a conclusion and a solution from all the answers here.

In order to disable Remote Desktop for a user while RemoteApp is allowed, you will have to go to the user's properties from "Local Users and Groups" and the Environment tab and set these:

Path: c:\windows\system32\logoff.exe

Start in: c:\windows\system32
April 22nd, 2013 9:05am

Here is how I solved the problem:

1) Setup AD group to control access to "Log on Locally" security policy ("Users" group is normally removed from this permission on our standard server build), "Remote Desktop Users" local group, and RemoteApp authorized users.  Then I will use this same group to lock out "explorer" via AppLocker.

2) Set the "Application Identity" service to automatic and started it

3) Run GPEDIT.msc to setup AppLocker (Computer Configuration\Windows Settings\Security Settings\Application Control Policies)

4) Click the Applocker icon, and then in the right, click the "Configure rule enforcement" link and check the box next to "Configured" for "Executable Rules"

5) Create a new rule to DENY access to %WINDIR%\explorer.exe for the group I created in step 1

6) Allowed it to create the DEFAULT rules

7) Rebooted!  I found I was locked out of EVERYTHING, even as an admin until I rebooted.  Pretty scary.

8) Test user added to AD group.  Setup RemoteApp (AD group has permissions to this).  Works!

9) Test user tries to log in to the desktop session - Fails (works!).  User is not allowed to log in and the RDP session closes.  Message they get is this:

"You are connected to the remote computer.  However, an error occurred while an initial user program was starting, so you are being logged off...."

This is nice because it gives the user some sort of feedback.

NK


Works, Thanks!
August 30th, 2013 3:58pm

Nice! Glad it helped.  We ended up renewing our Citrix licenses so it turns out I did not need to use this after all.  I was looking to see if RDS could be an effective replacement for Citrix...but in the end we went with Citrix anyways.

NK

August 30th, 2013 4:08pm

All right everyone, here is the proper solution. There is a GPO policy for this:

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > "Start a program on connection"

It has path and working environment fields which can be enabled. So, you can display a message, run a .bat file, or simply add the logoff.exe like Paul Haro mentioned.

The beauty of this is that you won't disable your Administrator RDC but will disable all other non-administrative users.

Thank you, this works perfectly.  Just to be clear, the GPO should be:

User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Start a program on connection

You only need c:\windows\system32\logoff.exe in the Program path.  Put this in your user GPOs but not sysadmin GPOs.

April 4th, 2014 2:50pm

Thank you, this works perfectly.  Just to be clear, the GPO should be:

User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment > Start a program on connection

You only need c:\windows\system32\logoff.exe in the Program path.  Put this in your user GPOs but not sysadmin GPOs.

This is the approach I have adopted.  Our "RDS Admins" are not in a separate OU, so I applied this GPO to the "RemoteApp Servers" OU with User Group Policy loopback processing mode: Enabled, and set the permissions on the GPO for "RDS Admins" to Apply group policy: Deny.

For a Server 2012 R2 session host, publishing RemoteApp programs will unpublish the Remote Desktop.  You would have thought that would stop users directly connecting to the Remote Desktop, but it does not, so this workaround is still required for Server 2012 R2.

May 27th, 2014 12:18am

I ran into the same 'problem' and resorted to creating a shortcut under the All Users Startup folder in the Start Menu. The shortcut calls the logoff executable, and does not get run when starting a RemoteApp.

To ensure only 'regular users' get the logoff when connecting to the desktop, I denied the filesystem privileges 'read & execute' for the (local) Administrators group in the ACL of the shortcut.

Testing has proven this solution to provide the desired result. (for us anyway)

  • Proposed as answer by Myron15 Thursday, March 05, 2015 1:32 PM
July 31st, 2014 6:23pm

Worked for me.

Users get an error before desktop composition. When you use logoff.exe, the desktop will be visible and usable before logging off. Users had access for about 5 seconds, but I wanted access to be denied.

This workaround comes closest in my humble opinion

August 5th, 2014 11:51am

I am a Microsoft Tech with Platforms Core; I came across this thread rather recently. So, as a Christmas surprise, it can be achieved rather simply. Please follow the following steps...

1. Please navigate to HKLM\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-TCP
2. Change the value of the port to anything other than 3389.
3. Also change it in RemoteApp Manager on the RD Session Host server (RDP Port) to the port you have changed to in the registry.
4. Please note it has to be done on all session hosts, redirectors and Connection Brokers.
5. Now your RemoteApp continues to work; however, RDP done sans the exact port number will not work.
Please feel free to contact me on this.

Simple sweet and logical resolution. Cheers..Happy holidays :-)
  • Proposed as answer by mani pachnanda Friday, December 12, 2014 3:22 PM
December 12th, 2014 3:22pm

Hi there. With Windows 2012R2 RDS this problem is solved.

To remove this setting from the Remote Desktop Webaccess you have to change the settings of the ASP.NET application for the RDWeb site.

A full description can be found at: http://windowsitpro.com/windows-server-2012/remove-rd-web-access-option-connect-remote-pc

Cheers.

June 18th, 2015 3:48am

This topic is archived. No further replies will be accepted.