
I am fairly new to administrating servers, but I have been charged with the task of working out remote access to the company's network.

The general plan is to connect through a VPN to a terminal server connected to the network.

The users will then connect to the network in an RDP session which we will configure to prevent files from being taken off the network and moved onto remote machines.

There are 2 things I need to figure out for this to work though:

  1. The remote users need to be able to log into the terminal server using their domain logons (set up with roaming profiles), but they cannot have access to the documents they normally use when logging in locally. They should be able to save a different set of documents under their terminal server logon.

  2. There are shared folders which are also located on the domain controller server. When a user logs on remotely they cannot have access to these files.

Basically, we want to limit the users to a few business applications installed on the terminal server; we also want them to be able to create and save documents in the RDP session (like MS Word and Excel) while they are out on the road. And we do not want them accessing their local work files from the road.

The terminal server is running MS Server 2008.

The domain controller (which is also the file server) is running Server 2000.

There is a Cisco 3550 switch which will sit between the Terminal Server and the Domain Controller/File Server. So one thought was to use the switch to prevent access to the shared files; that would solve #2 above. But I do not think I can use the same technique to prevent access to user profile documents.

Is there some kind of a group policy setting that can be done to set this up?

I don't have anything set up on the terminal server end yet, so I cannot test much. I needed to give some kind of sensible proposal for the two points above to roll forward and complete the set-up.

egerardus
  • Ryan covered it pretty well, but you might save yourself some work if you can convince the people making this requirement that it's fundamentally unworkable. You can do all the magic you want with GPOs and TS/RDS, but at the end of the day, anyone with half a clue will be able to get the information by firing up FRAPS (video capture) or hitting printscreen. Basically, if you give someone access to a piece of information, they have access to that piece of information, and there's nothing you can do to change that. – HopelessN00b Jul 17 '12 at 20:54

1 Answer


This seems like a pretty silly business requirement. But you're not here looking for opinions. So on to suggestions.

The main problem is that you're essentially trying to give conditional access to the same set of Windows domain users. There's really no good way to do what you want. A user either has permissions to a file share or they don't. Like you said, creative use of firewall rules will prevent traffic from the Terminal Server to the File Server. And since you don't want users using files stored in their roaming profile, why not just turn off roaming profiles for this server as well?

The other option that seems like more of a compromise is to use group policy to disable all of the RDP features on the Terminal Server that would normally allow easy data extraction (drive redirection, clipboard redirection, printer redirection, etc.). This still gives people useful access to their network documents, but basically limits the data export capabilities to screen captures on the client side. As long as the data you're trying to protect isn't easily parse-able from a screenshot, you're golden.

Oh, and don't forget to deny Internet access from the Terminal Server as well. There are plenty of places in the cloud to copy data to that users can access without admin rights.

Ryan Bolger
  • Thank you for the suggestions, "And since you don't want users using files stored in their roaming profile, why not just turn off roaming profiles for this server as well." I was looking for a group policy option to accomplish that, but just for the terminal server, local users will still need to access their roaming profiles. I found [something for Server 2003](http://help.lockergnome.com/windows2/Disabling-roaming-profiles-terminal-server--ftopict180599.html) so I think I can translate that into Server 2008. Your second and third suggestions will be done. Thanks – egerardus Jul 17 '12 at 15:58
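The measures the answer above describes (disable the RDP redirection channels, local-only profiles on the terminal server, firewall off the file server and the Internet) collected into one script, added here as an example; it is not code from the question, the answer, or any product documentation. It is written for a Windows Server 2008 terminal server and assumes PowerShell is installed on it (an optional feature on 2008; the same registry values can be written with reg.exe). The file server address is a placeholder from the RFC 5737 documentation range, and the rule names are made up for this example. The registry values are the ones the corresponding Group Policy settings write, so writing them directly is the scriptable equivalent of setting them in the server's local policy.

```powershell
# Added example (not from the original question or answer): lock down a
# Windows Server 2008 terminal server so that RDP sessions cannot pull data
# off the network. Run in an elevated PowerShell on the terminal server.
# ASSUMPTIONS: PowerShell is installed on the 2008 box; $FileServer is a
# placeholder (RFC 5737 documentation address); rule names are invented here.

$FileServer = "192.0.2.10"   # ASSUMPTION: replace with the real file server

# --- 1. Terminal Services device and resource redirection -------------------
# These DWORDs are what the Group Policy settings under
#   Computer Configuration > Administrative Templates > Windows Components >
#   Terminal Services
# write. Setting them here acts as local policy on this server only; in a
# domain, put the same settings in a GPO linked solely to the TS's OU.
$tsPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
if (-not (Test-Path $tsPolicy)) { New-Item -Path $tsPolicy -Force | Out-Null }

$redirection = @{
    fDisableCdm      = 1   # Do not allow drive redirection
    fDisableClip     = 1   # Do not allow clipboard redirection
    fDisableCpm      = 1   # Do not allow client printer redirection
    fDisableLPT      = 1   # Do not allow LPT port redirection
    fDisableCcm      = 1   # Do not allow COM port redirection
    fDisablePNPRedir = 1   # Do not allow supported Plug and Play device redirection
}
foreach ($name in $redirection.Keys) {
    Set-ItemProperty -Path $tsPolicy -Name $name -Value $redirection[$name] -Type DWord
}

# --- 2. Local profiles only on this server ----------------------------------
# "Only allow local user profiles" (Computer Configuration > Administrative
# Templates > System > User Profiles). Users keep their roaming profile on
# every other machine; on this server each user gets a separate local
# profile, so the roaming profile's documents are simply not present here.
$sysPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"
if (-not (Test-Path $sysPolicy)) { New-Item -Path $sysPolicy -Force | Out-Null }
Set-ItemProperty -Path $sysPolicy -Name LocalProfile -Value 1 -Type DWord

# --- 3. Host firewall: no SMB to the file server, no Internet ---------------
# Default-deny in both directions, then allow the local subnet out and RDP in.
# Windows Firewall with Advanced Security applies block rules ahead of allow
# rules, so the SMB block below wins over the subnet allow regardless of order.
# If the DC sits on another subnet (the 3550 may be routing), add its address
# to the allow rule or Kerberos/LDAP/DNS will be blocked too.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule name=TS-AllowLocalSubnet dir=out action=allow remoteip=localsubnet
netsh advfirewall firewall add rule name=TS-BlockSmbToFileServer dir=out action=block protocol=TCP remoteip=$FileServer remoteport=139,445
netsh advfirewall firewall add rule name=TS-AllowRdpIn dir=in action=allow protocol=TCP localport=3389

# --- 4. Show what was set, for the change record ----------------------------
Get-ItemProperty -Path $tsPolicy |
    Select-Object fDisableCdm, fDisableClip, fDisableCpm, fDisableLPT, fDisableCcm, fDisablePNPRedir
Get-ItemProperty -Path $sysPolicy | Select-Object LocalProfile
netsh advfirewall firewall show rule name=all | Select-String "Rule Name:.*TS-"
```

Two caveats that follow from the topology in the question rather than from the script. First, the DC is also the file server: blocking TCP 139/445 from the terminal server to it (with a host firewall rule as above, or with an ACL on the 3550) also blocks SYSVOL and NETLOGON, so domain Group Policy stops applying to the terminal server. That is why the script writes the policy values locally instead of relying on a domain GPO; the cleaner fix is to move the shares off the DC before blocking SMB to it. Second, the redirection settings take effect for new sessions only, and as the comment on the question points out, none of this stops a user from photographing or screen-recording what they can see.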