RemoteApp security issue

Win 2012 R2 Remote Desktop Services; we would like to deploy RemoteApp with security in mind.

I published a couple of RemoteApps, including Excel. I set permissions and so on to restrict users, following a "least privilege" vision.

Opened Excel from a Win7 client. It turns out that when saving a file from Excel, if I type "cmd" into the file name textbox, a command line opens. The same happens if I type "Control Panel" or notepad or... whatever I want.

I wonder what's the purpose of publishing RemoteApps and fine-tuning permissions when you can use every application installed on the session host.

Also, there isn't a way to hide local disks, network discovery pc, deny logon to remote desktop on session host... and so on.

How can I manage all of the above with a bit of security in mind? I understand that I will have to "fix" these issues with a combined set of tricks (logoff.exe as custom shell, hiding disks with registry, probably AppLocker integration...), but what if I (and I will, of course) forget something?

Thanks for all your suggestions.



May 28th, 2015 8:06am
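
Added example, not part of the original thread: one way to check for the "what if I forget something" case once AppLocker rules are in place is to ask the session host which executables its effective policy would still allow for a RemoteApp user. The account name and the list of published executables are assumptions for illustration.

```powershell
# Added example: run on the RD Session Host in an elevated PowerShell session.
# Assumptions (not from the thread): the account name and the allow-list below.
Import-Module AppLocker

$TestUser  = 'CONTOSO\remoteapp.user'   # hypothetical account that launches the RemoteApp
$Published = @('EXCEL.EXE')             # hypothetical: executables users are meant to run

# The three programs the poster reached from Excel's Save dialog, plus every
# other executable in System32, so a forgotten binary still shows up.
$Candidates = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\control.exe",
    "$env:SystemRoot\System32\notepad.exe"
) + (Get-ChildItem "$env:SystemRoot\System32" -Filter *.exe -File).FullName |
    Sort-Object -Unique

# Evaluate each path against the policy that is effective on this host
# (local policy merged with any GPO-delivered policy).
$Policy  = Get-AppLockerPolicy -Effective
$Results = Test-AppLockerPolicy -PolicyObject $Policy -Path $Candidates -User $TestUser

# Report everything the user may still run that is not a published application.
$Unexpected = $Results | Where-Object {
    $_.PolicyDecision -eq 'Allowed' -and
    $Published -notcontains (Split-Path ([string]$_.FilePath) -Leaf)
}

$Unexpected |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

"{0} of {1} tested executables are allowed for {2} beyond the published set." -f `
    @($Unexpected).Count, @($Results).Count, $TestUser
```

Test-AppLockerPolicy evaluates the rules only; whether they are enforced depends on each rule collection's enforcement mode and on the Application Identity service (AppIDSvc) running on the session host.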

Hi,

I wonder what's the purpose of publishing remoteapp and fine tuning permissions when you can use every application installed on session host.

RemoteApp has its own benefits, such as that it can be launched from the Start menu just like any other application and can also be launched with Windows Search.

For more details, here is a related article below for you:

Introducing RemoteApp and Desktop Connections

http://blogs.msdn.com/b/rds/archive/2009/06/08/introducing-remoteapp-and-desktop-connections.aspx

Also, there isn't a way to hide local disks, network discovery pc, deny logon to remote desktop on session host.... and so on.

To restrict users from accessing local drives on RD Session Host, here is an article below for you:

How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs

http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx

Best Regards,

Amy

May 29th, 2015 8:21am

Hi Amy, thanks for the reply.

I already found (and read) those articles.

What about running other applications without the rights to do that?

Thanks.

May 29th, 2015 12:52pm

Hi,

What about running other applications without the rights to do that?

With RemoteApp, those applications on which users don't have access permissions are invisible to users after they log on to the RD Web page.

Within full remote desktop connections, users cannot see/start/run those applications on which they don't have rights, depending on the permission assignment.

Best Regards,

May 31st, 2015 9:52pm

This topic is archived. No further replies will be accepted.
