Terminal services without admin rights

By sannhto
Hi!

How do I set up an AD account on a Windows 2000 Server (domain controller), so that the user can access another server on the network (also Win2000), and not giving him full rights to the domain and server?

Thank you!

All Answers
Terminal services lock down...

Introduction

There is no magic wand that can lock down your Windows Terminal Servers, but there are many built-in tools provided by Microsoft that do a pretty good job. When the built-in tools are not appropriate or sufficient there are many freeware and commercial 3rd party utilities to do the job.
Built-in tools, settings and lockdown tactics

The number one thing one can do to protect a terminal server from being intentionally or unintentionally tampered with is to limit the number of user accounts that are members of the local Administrators security group. If a user is a member of this group, there is absolutely nothing that can be done to prevent this person from altering the system configuration. If there are administrative users that use the terminal servers outside of doing system maintenance, it's best practice that they do their normal work with a non-administrative account and log on as an administrator or use the runas command to perform tasks that require administrative rights or permissions.

Appropriate assignment of NTFS Permissions is a critical configuration step; luckily the default settings in Windows Server 2003 are fairly solid. If you're using Windows 2000 Server or want to audit the NTFS Permissions on a Windows Server 2003 Terminal Server, the following are the settings that I would start with on a "new system build":

%SystemDrive% - Authenticated Users = "Read and Execute"
%SystemDrive% - Administrators = "Full Control"
%SystemDrive% - System = "Full Control"
%SystemDrive% - Creator Owner = "Full Control"
%ProgramFiles% - Authenticated Users = "Read and Execute"
%ProgramFiles% - Administrators = "Full Control"
%ProgramFiles% - System = "Full Control"
%ProgramFiles% - Creator Owner = "Full Control"

I can NOT stress enough that making system-wide changes to the NTFS Permissions on a production system is very likely to have unintended side effects like system instability and inoperable programs. Start with a clean install of a system, lock down the file system and relax the permissions on a per-file or per-directory basis when needed to allow a specific application to operate when executed by a limited user account.

Restricting access to applications with NTFS Permissions is very effective, but only if you know which applications you want to deny access to. It just so happens restricting access to applications or files via NTFS ACLs is very easy: simply alter the ACL so the user's account, or a group the account is a member of, is not listed in the ACL. If the security group cannot be removed, one can create a new group, add specific users to the group and DENY Read Permission to the group on the ACL of the file or directory.

The system registry has Access Control Lists similar to the NTFS File System. One can restrict users or groups from being able to read or alter specific keys or entries in the Windows Registry. Do NOT go perusing the Windows Registry, blindly making changes that you think will lock down your system. Doing so will likely cause the system to function improperly. Make a backup of the registry before making any changes.

The Terminal Server Service has its own security settings that impact the stability of the system. These settings can be found in the Terminal Server Configuration Administrative Tool (tscc.msc) and some are also in Group Policy at Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services. The most important of all settings in tscc.msc is the Permission Compatibility which should always be set to "Full Security" (Windows Server 2003), or to "Windows 2000 Users" (Windows 2000 Server). If you use the "Permissions compatible with Terminal Server 4.0 Users" (Windows 2000 Server) or "Relaxed Security" (Windows Server 2003), each user logging on is added to the TSUser Security Group, which has permissions and rights of the Power Users Group.

Group Policy is a very effective method of restricting access to files, the Windows Registry and features of applications and the Operating System. One fundamental problem with relying on Group Policy as the only method of system lockdown is that there is usually more than one way to perform any task in the OS or a Windows application. Using a Loopback Policy to lock down a Windows Terminal Server is a standard configuration step any time you have access to create GPOs and manage Active Directory. The following settings are particularly useful when locking down a Terminal Server:

1. Enable "Delete Cached Copies of Roaming Profiles". Since the Roaming Profile does not propagate the user's Temp Directory, enabling this policy will usually delete anything the user downloaded unintentionally. This policy deletes the user's local profile at logoff once it's been successfully unloaded and copied to the roaming location.
2. Enable "Empty Temporary Internet File Cache when browser is closed". This will reduce the storage required for local profiles and deletes many spyware installers that were unintentionally downloaded by the end user.
3. Hide these specific drives in My Computer
4. Prevent access to these drives from My Computer

Install the User Profile Hive Cleanup Service, which helps to ensure user sessions are completely terminated when a user logs off. Without this service, user profiles are often not unloaded successfully, which causes the copy to the roaming profile location and the DeleteRoamingCache setting to fail.

Define and enforce a strong password policy. This is kind of a no-brainer, but without a strong password policy, your system can easily be compromised.

How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session

SUMMARY
You can use Group Policies to lock down a Terminal Server session on a Microsoft Windows Server 2003-based or Microsoft Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new organizational unit instead of modifying the policies on an existing one.

Note The use of these policies does not guarantee a secure computer, and you should use them only as a guideline.
MORE INFORMATION
Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:
• [Computer Configuration\Admin Templates\System\Group Policy]

Enable the following setting:
User Group Policy loopback processing mode
• [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Enable the following settings:
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only
• [Computer Configuration\Administrative Templates\Windows Components\Windows Installer]

Enable the following setting, and set it to Always:
Disable Windows Installer

Note The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.
• [User Configuration\Windows Settings\Folder Redirection]

Enable the following settings:
Application Data
Desktop
My Documents
Start Menu
• [User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Enable the following settings:
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
Hide Hardware Tab
• [User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Enable the following settings:
Prevent Task Run or End
Disable New Task Creation
• [User Configuration\Administrative Templates\Start Menu & Taskbar]

Enable the following settings:
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable changes to Taskbar and Start Menu Settings
Disable and remove the Shut Down command or Remove and prevent access to the Shut Down command

Note In Windows 2000, this setting is named Disable and remove the Shut Down command. In Windows Server 2003, this setting is named Remove and prevent access to the Shut Down command.
• [User Configuration\Administrative Templates\Desktop]

Enable the following settings:
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path
• [User Configuration\Administrative Templates\Control Panel]

Enable the following setting:
Disable Control Panel
Important When you enable this setting, you prevent administrators from installing any MSI package on to the Terminal Server, even if the explicit Deny is set for the Administrator account.
• [User Configuration\Administrative Templates\System]

Enable the following settings:
Disable the command prompt (Set Disable scripts to No)
Disable registry editing tools
• [User Configuration\Administrative Templates\System\Logon/Logoff]

Enable the following settings:
Disable Task Manager
Disable Lock Computer
For more information about how to lock down Windows Server 2003 Terminal Server Sessions, visit the following Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
The Dsacls.exe tool
Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services. You can use Dsacls.exe to lock out Terminal Services end-users from files and folders on a Windows Server 2003-based computer or a Microsoft Windows 2000-based computer.
http://www.msterminalservices.org/articles/Locking-Down-Windows-Terminal-Services.html
http://support.microsoft.com/kb/278295/en-us
Hope these help you out. :)

Please post back if you have any more problems or questions.
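The answer above boils down to three checks an administrator can repeat on every Terminal Server: nobody beyond the necessary accounts sits in the local Administrators group, low-privilege identities hold no more than "Read and Execute" on %SystemDrive% and %ProgramFiles%, and Permission Compatibility in tscc.msc is on the strict setting. The following PowerShell script is an added example, not code from the thread or from Microsoft; it audits those three points and changes nothing. The function names are mine, and the TSUserEnabled registry value it reads is my recollection of where tscc.msc stores Permission Compatibility, so confirm it against the tool on your own build.

```powershell
# Added audit example (not from the original thread). Read-only: it reports deviations
# from the baseline given in the answer above and changes nothing. Run from an elevated
# PowerShell prompt on the Terminal Server. Function names are mine.

# Identities a limited Terminal Server user resolves to. The answer's baseline grants these
# no more than "Read and Execute" on the system drive and Program Files.
$LowPrivIdentities = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these bits on an Allow entry exceeds "Read and Execute".
$FsRights  = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FsRights::Write -bor $FsRights::Modify -bor $FsRights::FullControl -bor
                   $FsRights::ChangePermissions -bor $FsRights::TakeOwnership)

function Test-LockdownAcl {
    # Returns one object per Allow entry that gives a low-privilege identity write-level rights.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $id = $rule.IdentityReference.Value
        if ($LowPrivIdentities -notcontains $id) { continue }
        # FileSystemRights is a flags enum; compare on the underlying integer so generic
        # right bits (which have no enum name) are still caught.
        if (([int]$rule.FileSystemRights -band $WriteMask) -ne 0) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $id
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

function Get-LocalAdminMembers {
    # Enumerates the local Administrators group through the WinNT ADSI provider, present on
    # Windows 2000/2003 as well as current releases. Each entry is an ADsPath such as
    # WinNT://DOMAIN/name, so domain groups nested in the local group show up too.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Get-TsPermissionCompatibility {
    # tscc.msc "Permission Compatibility" is backed (to my recollection; verify on your build)
    # by the TSUserEnabled DWORD under the Terminal Server control key: 0 = Full Security /
    # Windows 2000 Users, 1 = the relaxed TS 4.0-compatible mode that adds every logon to TSUser.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $item = Get-ItemProperty -Path $key -Name TSUserEnabled -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'TSUserEnabled not present; check Permission Compatibility in tscc.msc' }
    if ($item.TSUserEnabled -eq 0) { 'Permission Compatibility: Full Security (expected)' }
    else { 'Permission Compatibility: RELAXED - every TS logon joins the TSUser group' }
}

# Run the three checks and print the results.
$paths    = @("$env:SystemDrive\", $env:ProgramFiles)
$findings = @(foreach ($p in $paths) { Test-LockdownAcl -Path $p })
if ($findings.Count -gt 0) {
    'Write-level grants to low-privilege identities (deviations from the baseline):'
    $findings | Format-Table Path, Identity, Rights, Inherited -AutoSize
} else {
    "No write-level grants to low-privilege identities on $($paths -join ', ')."
}
''
'Members of the local Administrators group (each can alter the system configuration):'
Get-LocalAdminMembers
''
Get-TsPermissionCompatibility
```

The ACL check reads only the two root directories the answer names; to audit the per-file and per-directory relaxations the answer says you will add later, pass the specific paths to Test-LockdownAcl (or wrap it in Get-ChildItem -Recurse on a test build, which is slow on a full system drive). A default Windows Server 2003 build will typically show BUILTIN\Users with create-file rights on the system drive root; whether that counts as a deviation is exactly the judgement the answer leaves to you.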
