Terminal Server/ Security

Status
Not open for further replies.

Bhavin78

IS-IT--Management
Oct 26, 2004
320
How to block Internet access on terminal server for all users?
 
All terminal server users are members of the Remote Desktop Users group. You can try denying permissions to the IE executable for this group on the server running the service.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 
Yes, there is a group policy that you can apply (can't remember the name of it off the top of my head), in which you can specify executables to not run (such as iexplore.exe in your case). When you apply the policy, make sure you only apply it to the group(s) you want to be affected.

Matt

Please always take the time to backup important data and verify that backup, before making any changes suggested.
 
How can I use it so that it only affects the user when on the terminal server?
 
Create a grp, name it, then put those TS users into that grp. Then create and set a policy for that newly created grp.


dan
 
If you do that then the users won't have internet access when on their own machines, assuming they use the same accounts.

How is your network configured? Do you use a proxy? You can set IE properties to be computer based rather than user, therefore do that for TS and remove the proxy, and don't allow users to change the setting.

Windows and NT Admin.
 
What does your network look like? If everyone is local to the TS, then you can remove the default gateway from the NIC.
 
1. You could create a GLOBAL Group in Active Directory (i.e. NoHTTPAccess).
Add users who you don't want to have Internet access.

2. Create an Organizational Unit in your AD
i.e.
AD: yourcompany.com
OU: yourcompany.com\Servers\TerminalServers

3. MOVE the server's computer object into that OU.

4. Create a Group Policy that is linked to the "TerminalServers" OU. (use Group Policy Management Console on XP to do this!)

5. Add a filter to this in this manner:
Read:YOURDOMAIN\NoHTTPAccess
SERVERNAME:Read

YOU should explicitly specify both the users (via the GROUP) that you want to apply this to AND the server that this is to be read by. That way no other computers are going to be affected by this.

6. IMPORTANT:
MUST Enable Loopback Processing for that GPO! This will reapply the USER section of the GPO settings to the users that are logged on to the Terminal Servers!

7. As far as the actual GPO settings to change:
I would recommend that if you TRULY want to remove web access then set the IE Proxy settings to this:
(a.k.a. Blackhole Proxy)

localhost:0

This way IE will just time out in a few seconds and there is no network traffic on the LAN interfac...

8. DISABLE the user's ability to change the IE proxy settings too.

Hope that helps.
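
A way to check, from inside a Terminal Server session, that steps 6 to 8 of the last post took effect. This is an added example, not part of any post in the thread; the registry locations are the standard Windows policy and IE preference values, which the thread does not name, and it assumes the proxy is delivered as a per-user setting.

```powershell
# Added example: audit the loopback, blackhole-proxy and proxy-lock settings.
# Registry paths below are assumptions of this example, not quoted from the thread.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-BlackholeProxy {
    param([hashtable]$State, [string]$ExpectedProxy = 'localhost:0')
    $findings = @()
    # Step 6: loopback processing (1 = merge, 2 = replace); anything else means off.
    if ($State.UserPolicyMode -notin 1, 2) {
        $findings += 'Loopback processing is not enabled on this computer'
    }
    # Step 7: the proxy must be switched on and point at the blackhole address.
    if ($State.ProxyEnable -ne 1) {
        $findings += 'ProxyEnable is not 1, so IE connects directly'
    }
    if ($State.ProxyServer -ne $ExpectedProxy) {
        $findings += "ProxyServer is '$($State.ProxyServer)', expected '$ExpectedProxy'"
    }
    # Step 8: users must not be able to change the proxy in Internet Options.
    if ($State.ProxyLocked -ne 1) {
        $findings += 'Users can still change the IE proxy settings'
    }
    $findings   # emits nothing when every check passes
}

# Constructed sample: proxy is set, but loopback and the lock are missing.
$sample = @{ UserPolicyMode = $null; ProxyEnable = 1
             ProxyServer = 'localhost:0'; ProxyLocked = $null }
Test-BlackholeProxy $sample | ForEach-Object { "SAMPLE: $_" }

# Live values for the user running the script.
$ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$live = @{
    UserPolicyMode = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode'
    ProxyEnable    = Get-RegValue $ie 'ProxyEnable'
    ProxyServer    = Get-RegValue $ie 'ProxyServer'
    ProxyLocked    = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' 'Proxy'
}
Test-BlackholeProxy $live | ForEach-Object { "LIVE:   $_" }
```

Run it as one of the restricted users on the Terminal Server after `gpupdate /force`. The proxy setting only constrains programs that honour the IE proxy configuration.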
 