
I have to publish a single application via RDP to anonymous users. The server(s) are Windows 2008 R2 and the user connection is handled using Ericom's WebConnect Solution. Which does not change much - for the Terminal Server it is still a normal RDP connection.

Question

Can a Windows 2008 R2 Terminal Server isolate parallel sessions of the same user at all? Or do I have to put the application in a sort of sandbox?

Setup

To enable an unknown visitor to connect to the application, a generic Domain Guest user account named visitor is used. To allow more than one parallel session per server I disabled the setting Restrict each user to a single session.

I now want each visitor to get a fresh session. To be specific: The user connects, the configured application starts, the user works with it, makes changes (saved to the registry), closes the application and the session gets discarded. I set up a group policy so that the user will only get a temporary profile that will not be synced back into the roaming profile via Delete cached copies of roaming profiles and Prevent Roaming Profile changes from propagating to the server.

Issue

The above works fine as long as there is only one visitor connected to a server at a time. The main problem arises if there are more simultaneous users, say visitor #1 and visitor #2. These share the same environment - the user's registry among other things. So the two instances affect each other, which is bad.

A secondary issue is that a recently closed connection can be resumed by another user. This must not be possible. (I'm still looking for a way to prevent this, but it's not the main question here. We will probably forbid reconnection at all.)

Security is no big concern in this scenario. But we want to make sure every user sees the same.

Thanks

Roman
  • I wonder if you could use something like sandboxie and create a sandbox in a per-user temporary folder... – Zoredache Nov 20 '12 at 18:02
  • If I'm understanding you, you want to use a single user account to allow multiple users to log on to your RDS server(s) and isolate each session as if they were individual user accounts. If I've got that right you can achieve this in theory by using the RD Connection Broker and configuring each server to join a different RD Connection Broker farm. The problem is that you'd need a server for every user, not to mention how to direct each user to a different server. – joeqwerty Nov 21 '12 at 05:02
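The policy settings the question describes, written as an added example (this is not the asker's script and is not part of the original thread): it applies the three Group Policy settings named in the Setup section, plus the disconnected-session limit, as local policy registry values on a Windows Server 2008 R2 Terminal Server and reads back what the server will see. The registry paths and value names are the ones I know the corresponding GPO settings write; treat them as an assumption and confirm them against the GPO editor or `gpresult /h` on your own server before relying on them. Run elevated.

```powershell
# Added example, not from the original question. Writes the policy values the
# question's GPO settings correspond to (value names are my assumption; verify
# on your server) and reads back the effective Terminal Server settings.

$tsPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$profilePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$tsMachine     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Set-PolicyDword {
    # Creates the policy key if needed and writes/overwrites a DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# "Restrict each user to a single session" = Disabled, so several visitors can
# hold sessions under the one shared account on the same server at once.
Set-PolicyDword $tsPolicy 'fSingleSessionPerUser' 0

# "Delete cached copies of roaming profiles" = Enabled: the local copy of the
# visitor profile is removed at logoff.
Set-PolicyDword $profilePolicy 'DeleteRoamingCache' 1

# "Prevent Roaming Profile changes from propagating to the server" = Enabled:
# nothing a visitor changed is written back to the roaming profile.
Set-PolicyDword $profilePolicy 'ReadOnlyProfile' 1

# "Set time limit for disconnected sessions", in milliseconds. 60000 is the
# 1-minute minimum the GPO editor offers; that minute is the window in which a
# disconnected session can still be picked up by the next visitor.
Set-PolicyDword $tsPolicy 'MaxDisconnectionTime' 60000

function Get-EffectiveSessionSettings {
    # The Policies value overrides the one the RD Session Host Configuration
    # GUI writes under the Terminal Server key, so show both side by side.
    $policy  = Get-ItemProperty -Path $tsPolicy  -ErrorAction SilentlyContinue
    $machine = Get-ItemProperty -Path $tsMachine -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        SingleSessionPerUser_Policy  = $policy.fSingleSessionPerUser
        SingleSessionPerUser_Machine = $machine.fSingleSessionPerUser
        DisconnectLimitSeconds       = [int]($policy.MaxDisconnectionTime / 1000)
    }
}

Get-EffectiveSessionSettings | Format-List
```

In production you would set these through a GPO linked to the Terminal Server OU rather than writing the Policies keys by hand; the script is useful mainly for checking on a single box that the values the GPO should have delivered are really there.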

1 Answer


There is no security isolation between logons for the same user account. You're going to have to create multiple user accounts to achieve OS-level isolation between the user logons.

The best method to achieve your goal of ending disconnected sessions is to set the "Set time limit for disconnected sessions" policy setting. There is no option that I'm aware of that will immediately end disconnected Terminal Services sessions, but this setting will end them within 1 minute of their disconnection.

Evan Anderson
  • It would be nice and clean if each session could have a separate account. Unfortunately we would need some kind of broker to branch "the users" into single temporary or previously created accounts. Regarding the disconnect settings, I already do that. But there is still this short timeframe where a session can be resumed. There is probably a better solution. – Roman Nov 20 '12 at 17:32
  • @Thomas - That's the option. It sounds like you're stuck between a rock and a hard place. Short of using third-party scripts there's no "better solution" for immediately ending disconnected sessions. That's the best Microsoft offers us, unfortunately. – Evan Anderson Nov 20 '12 at 18:39
  • @Thomas: I wish I could've given you better news. Your use case is, unfortunately, different than Microsoft's designed use case. – Evan Anderson Dec 14 '12 at 01:23
  • I know. But in fact the setup works much better than expected. We set the disconnect wait time to 5 seconds inside Ericom, which is short enough that we never got into the same session in our tests. – Roman Dec 14 '12 at 14:22
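The "third-party script" route the answer alludes to, as an added example that is not part of the original answer or of the asker's setup: a watchdog that logs off disconnected sessions of the shared account as soon as they appear, so the gap between a visitor disconnecting and the 1-minute policy limit ending the session is reduced to the polling interval. Assumptions (mine): the shared account is named `visitor`, the script runs elevated on the Terminal Server itself, and `query.exe` and `logoff.exe` are present (they ship with Windows Server 2008 R2, which has no RDS PowerShell module). The parser works on the fixed-width text of `query session`; the sample output embedded below is constructed, not captured from a real server.

```powershell
# Added example, not from the original thread. Logs off disconnected sessions
# of a shared account immediately instead of waiting for the policy minimum.
# Assumptions: account 'visitor', run elevated on the Terminal Server, and
# query.exe / logoff.exe available (standard on Windows Server 2008 R2).
param(
    [string]$SharedUser  = 'visitor',
    [int]   $PollSeconds = 2,
    [switch]$Once,            # one pass instead of looping forever
    [switch]$DryRun,          # report, but do not call logoff
    [switch]$ParseSampleOnly  # exercise the parser on the constructed sample
)

function ConvertFrom-QuerySession {
    # Parses 'query session' output. Column offsets come from the header line
    # rather than splitting on whitespace, because a disconnected session has
    # an empty SESSIONNAME column and the right-aligned ID can spill into the
    # USERNAME column (e.g. the 65536 listener).
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match '^\s*SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { return }
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Trim() -eq '') { continue }
        $l      = $line.PadRight($stateCol + 8)
        $middle = $l.Substring($userCol, $stateCol - $userCol)
        # USERNAME and ID share this region: optional user name, then the ID.
        if ($middle -match '^\s*(?:(?<user>\S+)\s+)?(?<id>\d+)\s*$') {
            New-Object PSObject -Property @{
                Session = $l.Substring(0, $userCol).TrimStart('>').Trim()
                User    = $(if ($Matches['user']) { $Matches['user'] } else { '' })
                Id      = [int]$Matches['id']
                State   = ($l.Substring($stateCol).Trim() -split '\s+')[0]
            }
        }
    }
}

function Select-StaleSharedSessions {
    # The 'services' session (id 0) also reports Disc but has no user name,
    # so matching on the user keeps it out.
    param($Sessions, [string]$User)
    $Sessions | Where-Object { $_.State -eq 'Disc' -and $_.User -eq $User }
}

# Constructed sample of 'query session' output (not captured from a server),
# padded to the header's column positions with explicit space counts.
$sampleQueryOutput = @(
    ' SESSIONNAME' + (' ' * 7) + 'USERNAME' + (' ' * 17) + 'ID  STATE   TYPE        DEVICE',
    ' services'    + (' ' * 36) + '0  Disc',
    '>console'     + (' ' * 11) + 'administrator' + (' ' * 13) + '1  Active  wdcon',
    ' rdp-tcp#0'   + (' ' * 9)  + 'visitor'       + (' ' * 19) + '2  Active  rdpwd',
    (' ' * 19)     + 'visitor'  + (' ' * 19) + '3  Disc    rdpwd',
    ' rdp-tcp'     + (' ' * 33) + '65536  Listen'
)

if ($ParseSampleOnly) {
    $parsed = ConvertFrom-QuerySession -Lines $sampleQueryOutput
    $parsed | Format-Table Session, User, Id, State -AutoSize
    Select-StaleSharedSessions -Sessions $parsed -User $SharedUser |
        ForEach-Object { "would log off session id $($_.Id)" }   # only id 3 qualifies
    return
}

do {
    $sessions = ConvertFrom-QuerySession -Lines (& query.exe session 2>$null)
    foreach ($s in @(Select-StaleSharedSessions -Sessions $sessions -User $SharedUser)) {
        $msg = '{0:s} logging off disconnected session id {1} ({2})' -f (Get-Date), $s.Id, $s.User
        if ($DryRun) { Write-Host "DRY-RUN: $msg" }
        else {
            Write-Host $msg
            & logoff.exe $s.Id   # ends the session; nothing is left to reconnect to
        }
    }
    if (-not $Once) { Start-Sleep -Seconds $PollSeconds }
} until ($Once)
```

Run it once with `-ParseSampleOnly` to see the parser's view of the constructed sample, then with `-Once -DryRun` against the live server to check that it only selects the sessions you expect before letting it loop as a scheduled task or service. Note that this does not remove the race entirely: a reconnect that lands inside the polling interval still succeeds, which is the same limitation the 5-second Ericom setting in the last comment has, just with a smaller window.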