2

I am setting up a new server with RDS. I want to control access to the applications I install on the RDS host using groups or users. Is this possible? How?

Let's say I have a set of 5 applications that will be used by a group of users. Some users have access to App A, others to App B, others to App C. All of this may overlap.

I thought I would create 5 groups:

  • App A Group
  • App B Group
  • Etc.

Then assign each user to the group of the application he has access to. Is this doable? Is this the proper way to do it, or is there some other best practice for this type of configuration?

Thanks.

sebwinadmin

2 Answers

2

Use AppLocker. It lets you define who can run which executable (by name, folder, hash, or digital signature), and all others will be denied. Make sure that you allow the default executables, which the wizard will walk you through.

longneck
  • It's a shame I couldn't find this through the Start menu search. Looks great. However, will the users see the apps they don't have access to? – sebwinadmin Oct 01 '12 at 19:07
  • "Out of the box", yes. However, you could change the permissions on the shortcuts so only entitled users can see those shortcuts. – longneck Oct 01 '12 at 19:09
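
An added example (not part of the answer above) of the AppLocker approach applied to the per-application groups from the question: it generates allow rules scoped to each group and dry-runs them before anything is enforced. The `CONTOSO` domain, the group names and the install folders are assumptions; it also assumes the default rules mentioned in the answer already exist and that the Application Identity service is running, since AppLocker does not enforce without it.

```powershell
# Added example: folder paths, domain and group names are assumptions.
Import-Module AppLocker

# Hypothetical mapping: install folder -> group entitled to run what is in it.
$appGroups = @{
    'C:\Program Files\AppA' = 'CONTOSO\App A Group'
    'C:\Program Files\AppB' = 'CONTOSO\App B Group'
}

foreach ($folder in $appGroups.Keys) {
    $group = $appGroups[$folder]
    $xml   = Join-Path $env:TEMP ('applocker-{0}.xml' -f (Split-Path $folder -Leaf))
    $exes  = Get-ChildItem -Path $folder -Recurse -Filter *.exe |
                 ForEach-Object { $_.FullName }

    # Allow rules scoped to the group: publisher rules for signed files,
    # hash rules for unsigned ones. Nothing is applied at this point.
    Get-AppLockerFileInformation -Path $exes |
        New-AppLockerPolicy -RuleType Publisher, Hash -User $group -Optimize -Xml |
        Set-Content -Path $xml -Encoding UTF8

    # Dry run against the generated file: the owning group should come back
    # Allowed, every other group DeniedByDefault.
    foreach ($who in $appGroups.Values) {
        Test-AppLockerPolicy -XmlPolicy $xml -Path $exes -User $who |
            Select-Object @{n='User'; e={$who}}, FilePath, PolicyDecision
    }

    # Once the results look right, merge the rules into the local policy
    # (add -Ldap with the GPO's LDAP path to write to a GPO instead):
    # Set-AppLockerPolicy -XmlPolicy $xml -Merge
}
```

Because users can belong to several groups, overlapping access needs no extra rules: each allow rule is evaluated against the user's group memberships.
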
1

There are a few ways you can do this:

  1. If your RDS host is W2K8R2 and you want to use RD Web Access, then you can restrict which applications each group can see, access, and run through RD Web Access by configuring and securing the applications in RemoteApp Manager.

  2. If your RDS host is W2K8R2, you can deploy RDP files for each application via RemoteApp Manager and restrict which applications each group can run by configuring and securing the applications in RemoteApp Manager.

  3. If your RDS host is W2K8 or W2K8R2, you can use Software Restriction Policies in Group Policy by creating a GPO for each group, configuring the appropriate Software Restriction Policies for each group, and using Security Filtering to apply the GPO to the appropriate group.

Note that in W2K8 you can use RD Web Access and RemoteApp Manager to make applications available to your users but you can't restrict the applications. The ability to assign (secure) the applications in RemoteApp Manager is available only in W2K8R2.

joeqwerty