I have set up Remote Desktop Services on my Windows 2008 Server and am having some issues with the permissions. I made a GPO that removes the Administrative Tools from the Start menu, but normal users can still gain access to those tools via the normal Control Panel. Users can, however, only read stuff and not change anything.

One thing to note is that this server is also running a Domain Controller, which is not really recommended; I want to remove the ability to read stuff from the DC.

What would be the best practice for removing even the ability to read stuff?

Vxed

2 Answers

While your situation is not recommended, if you must allow users to access the server via RDS then you should make sure that the users don't have access to the Control Panel, which you can do via GPO at:

User Configuration|Policies|Administrative Templates|Control Panel|Prohibit access to the Control Panel

joeqwerty
  • Is there a way to make a GPO that would only affect remote logins? This would also affect normal logins if I'm not mistaken. – Vxed Mar 21 '11 at 14:24
  • You will have to filter the GPO to the specific set of users that are "remote" users so that they only get the GPO applied. You can't apply a GPO to users based on them logging in via remote desktop as opposed to console. – BoxerBucks Mar 21 '11 at 15:35
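
The security filtering described in the comment above, scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original answer or comments; the GPO name, group name and domain DN are hypothetical placeholders, and it assumes the module is available (it ships with GPMC on Windows Server 2008 R2 and later).

```powershell
# Added example, not from the original thread.
# Creates a GPO carrying "Prohibit access to the Control Panel" and filters it
# so that only members of one security group receive it.
Import-Module GroupPolicy

$gpoName = 'RDS - Prohibit Control Panel'   # hypothetical GPO name
$group   = 'RDS-Restricted-Users'           # hypothetical group of "remote" users
$linkDn  = 'DC=example,DC=com'              # placeholder: container holding the user accounts

# 1. Create the GPO once; reuse it on later runs.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# 2. Registry value behind "Prohibit access to the Control Panel" (user side).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 3. Security filtering. A new GPO applies to Authenticated Users by default.
#    Downgrade that entry to read-only (-Replace is required to lower an
#    existing permission), then grant Apply to the restricted group only.
#    On 2008 R2 the cmdlets are named Set-GPPermissions / Get-GPPermissions.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link the GPO where the user accounts live (skip if already linked).
$linked = (Get-GPInheritance -Target $linkDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $linkDn | Out-Null
}

# 5. Show the resulting filter: the group should be the only GpoApply entry.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because the filter is on user accounts, members of the group get the setting wherever they log on, as the comment above says. Running `gpresult /r` in a test user's session shows whether the GPO was applied.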

If your users are not Domain or Local administrators, do not fret. They cannot use those tools to cause damage. Nothing visible from Active Directory Sites and Services will expose anything.

To test this out, create a new user and don't do anything with it you wouldn't if HR walked into your office and told you to set up a new employee in the domain.

If your users have local admin, then no matter what, they will be capable of Things You Don't Want.

Aaron Friel
  • I'm not worried that they will change anything, just wanted to remove the ability to even launch MMC snap-ins and read information like that. – Vxed Mar 22 '11 at 13:41
  • Like what? Any information they see in the consoles would be accessible from them downloading and running the Remote Server Administration Tools anyway. If you're attempting to practice security through obscurity, don't bother. If you think your users are malicious, treat them as malicious. If you trust them, and I don't trust mine, then make sure they don't have permission to see or do damaging things. – Aaron Friel Mar 24 '11 at 20:03