Locking down a remote session

Similar Messages

• Windows 2012r2 Remote desktop services: session based: Locked down

  I am trying to lock down the remote desktop services sessions , just like I did with windows 2003 TS.
  I am following this article :
  http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
  I have done till disable registry modifications.
  I stopped to check if the changes made were in effect before continuing.
  What did work is the disable server manager popup at user logon.
  Nothing else seems to have taken effect: just to mention a few
  Microsoft administrative tools,
  network and sharing center.
  ABCD drives are still being seen.
  What did I miss ?
  regards
  Leopold
  (first time I am doing gpo with > ms 2003) so maybe I am doing something wrong.)

  Hi Leopold,
  Here is related article below for you:
  How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs
  http://blogs.msdn.com/b/rds/archive/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs.aspx
  If the group policy setting doesn’t take effect, please log off users then log back on.
  If the issue persists, please run GPresult.exe to determine whether the setting is applied to users.
  Gpresult
  https://technet.microsoft.com/en-us/library/cc733160.aspx?f=255&MSPPError=-2147217396
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• RD Session Host lock down best practice document

   
  Hello,
  I am currently working on deploying an RDS Farm. My farm has several RD Session host servers. Today I learned that you can do some bad things to the RD Session hosts, if a user presses
  CTRL + Alt + End when having a open session. I locked all of this down using different GPOs which include disabled access task manager, cmd, locking the server, reboot and shutdown etc.
  However, this being sad how would I know what else to lock down since I am new to this topic. I tried to find some Microsoft document about best practices what should be locked down but I wasn’t
  successful and unfortunately a search in the forum did not bring up anything else.
  With all the different features and option Windows Server 2008 R2 has I do not even know where to start.
  Can some please point me into the right direction.
  Thank you
  Marcus

  Hi,
  The RD Session host  lock down best practices of each business is different, every enterprise admin can only to find the most suitable for their own solutions based on their IT infrastructure.
  I collected some resource info for you.
  Remote Desktop Services: Frequently Asked Questions
  http://www.microsoft.com/windowsserver2008/en/us/rds-faq.aspx
  Best Practices Analyzer for Remote Desktop Services
  http://technet.microsoft.com/en-us/library/dd391873(WS.10).aspx
  Remote Desktop Session Host Capacity Planning for 2008 R2
  http://www.microsoft.com/downloads/details.aspx?FamilyID=CA837962-4128-4680-B1C0-AD0985939063&displaylang=en   
  RDS Hardware Sizing and Capacity Planning Guidance.
  http://blogs.technet.com/iftekhar/archive/2010/02/10/rds-hardware-sizing-and-capacity-planning-guidance.aspx
  Technical Overview of Windows Server® 2008 R2 Remote Desktop Services
  http://download.microsoft.com/download/5/B/D/5BD5C253-4259-428B-A3E4-1F9C3D803074/TDM%20RDS%20Whitepaper_RC.docx
  Remote Desktop Load Simulation Tools
  http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c3f5f040-ab7b-4ec6-9ed3-1698105510ad
  Hope this helps.
  Technology changes life……

• Locked down RDS Server

  Good morning,
   I followed this tutorial to lock down my RDS Server but I have one issue.
  http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/
   When users are in an app they try to attach a file and explorer defaults to the c my documents. Is there a way to change it so it defaults to there network drive?
   Also, how can I have there local drives redirect to the RDS server?
  Thanks,
  Derek

  Hi Derek,
  Please disable the below policy setting and verify.
  Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
  Do not allow drive redirection
  More information.
  Make Local Devices and Resources Available in a Remote Session
  https://technet.microsoft.com/en-in/library/cc770631.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Forward facing locked down machines... kiosk?

  Hey everyone,
  So I have done a lot of research on this topic, but have yet to find an end-all solution to my conundrum. I have many machines in my network that are forward facing and public use reference terminals that connect to a database of books and things. These
  machines are not and should not be used to casual internet browsing so we have manually locked them down. These machines currently run IE10 Win7x32. The windows side locking down is no problem. But we are having a BIG issue with the current way we allow specific
  sites and lock out all others. 
  In our system, we have an abundance of allowed sites for quick research purposes that these machines are allowed to access. Still technically reference information. For the sake of argument, we have about 25 sites including the main database site that should
  be allowed through a proxy or other filtering system. Currently, we have this proxy based with exceptions built into IE... however, there is around a 255 char limit on that input box (for whatever reason).
  So that brings me to my current solution that is not quite working correctly. I have configured a .PAC script and stored it on a server that these machines can access and an msi for IE10 branding using the IEAK for IE10. This .PAC script does not seem to
  be working the way it should. I got the idea from a site I didn't save, but the basic idea is below:
  function FindProxyForURL(url, host)
  // variable strings to return
  var proxy_yes = "PROXY 255.255.255.255:8080";
  var proxy_no = "DIRECT";
  if (shExpMatch(url, "*.google.com")) { return proxy_no; }
  // Proxy anything else with yes
  return proxy_yes;
  So, my understanding is this would run when sites are accessed, if it matches the if statements it passes and if it doesn't, it defaults to proxy_yes which doesn't exist and thus doesn't load. The ADMX configures the proxy itself and everything should be
  great. 
  My main question: is there a better way to allow sites through to a machine WITHOUT loading the pages first. A simple whitelist/blacklist doesn't necessarily work because it, as far as I understand, still loads the pages but does not display them. Currently,
  it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong. It doesn't seem like the list from our previous installation from GP is being overridden using this method, and it doesn't
  apply to new machines connected to the policy. Of course, I know it is applying because other functions, like the content rating system that I accidentally left on, have caused some problems in the past. 
  We will be upgrading these machines to newer optiplex models and installing Windows 8, so if there is a more effective solution that only works in windows 8, I am willing to try it. 
  Thanks in advance for the help, you guys are always awesome! 

  Hi,
  >>Currently, it looks like IEAK is the only way to correctly manipulate these settings in internet explorer 10+, unless I'm getting that wrong.
  In addition to IEAK 10, to configure proxy for IE 10 on Windows 7, if our most up-to-date domain controller is Windows Server 2012 or R2, we can use Group Policy Preferences
  Internet Settings extension to configure the proxy setting. Besides, we can also choose to install Remote Server Administrative Tools on a Windows 8 or 8.1 client and manage group policy settings from this client.
  Moreover, another way is that we can try using Group Policy Preferences Registry extension to configure the proxy settings for IE10 on Windows 7.
  Regarding this point, the following thread can be referred to as reference.
  Proxy settings not applying to IE above 8
  http://social.technet.microsoft.com/Forums/en-US/3b0f54d7-7293-49dc-9e3f-e8799c20265b/proxy-settings-not-applying-to-ie-above-8?forum=winserverGP
  Best regards,
  Frank Shen

• No Remote session after disconnect

  We have the problem that AFTER a disconnect of a remote session we get the message:
  "Failed to connect to server (DNShostName~50)" - actually in German it reads "Fehler beim Herstellen einer Verbindung mit dem Server (DNShostName~50)"
  The initial remote session works, only if it breaks a reconnect is only possible after a reboot of the remote host. In addition the client does not lock the screen if the connection is lost.
  I noticed that the listening IP stack does not listen any longer. Before the problem, when doing a "netstat -a -b" I can see 2 entries for nzrWinVNC.exe:
  Proto Lokale Adresse Remoteadresse Status
  TCP 0.0.0.0:5950 LWS71127:0 ABHREN
  [nzrWinVNC.exe]
  TCP [::]:5950 LWS71127:0 ABHREN
  [nzrWinVNC.exe]
  But both listening ports are gone after I have lost the remote session.
  We have ZCM 10.3.3 on Win7 64bit with an internal CA and MS-SQL DB. Problem exists at least since 10.3.0
  Most important policy settings:
  Remote Control Settings
  x Allow managed device to be controlled remotely
  x Ask permission from user on managed device before starting Remote Control
  x Give visible signal to the user on the managed device during Remote Control
  _ Give audible beep to the user on the managed device every seconds during Remote Control
  x Allow managed device screen to be blanked during Remote Control
  x Allow managed device mouse and keyboard to be locked during Remote Control
  x Allow screen saver to be automatically unlocked during Remote Control
  x Automatically terminate Remote Control session after inactivity of "30" minutes
  Password Authentication
  x Enable password based authentication
  Minimum password length "7"
  Password type
  _ Session
  x Persistent
  x Allow user to override default passwords on managed device
  Default ZENworks password:
  _ Clear password (if any)
  x Set password
  Default VNC password:
  _ Clear password (if any)
  x Set password (password should not exceed 8 characters)
  Intruder Detection
  x Enable Intruder Detection
  Suspend accepting connections after "5" successive invalid attempts
  Automatically start accepting connections after "10" minutes
  Session security
  _ Enable Session Encryption
  x Allow connection when Remote Management Console does not have SSL certificate
  Allow up to "2" levels in Viewer certificate chain
  Abnormal termination
  x Upon abnormal termination of remote sessions, "Lock Device"

  BachmannK,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• URGENT : Releasing locks aquired after the session ubruptly terminated

  Hi everybody,
  When a record is edited the record gets locked.
  If the session is ubruptly terminated (PC switched off, Network down or something like that) before the edited record is commited or rolled back and if the same record is accessed after loging on once agian "Cannot reserve record " message is displayed.
  When will such locks get released?
  Is there any way to make the record editable (releasing locks programatically)?
  Thanks
  Brijesh

  The old session should clean up given time - How, depends of course if this is a Client Server Form or a Web Deployed Form.
  If it is a web deployed form then the FORMS60_TIMEOUT (or FORMS90_TIMEOUT) will be used to determine how long to wait before cleaning up the process and releasing the locks.
  If this is client server then it's a database configuration thing.
  There is no way to manually release the locks of an orphaned session in code. The DBMS_LOCK package does have a way of releasing a lock, but I think this is only locks that have been taken out by dbms_lock itself, not a "normal" lock.

• Profile locked by another local session, please retry later

  Hi when i ran the "netweaver initial setup" task, this error occurs
  "com.sap.rprof.dbprofiles.AccessException: Profile locked by another
  local session, please retry later.", i checked in TCODE SM12 and saw an
  register "001 PILDUSER 16:57:44 X AII_PROFILES AIICOMMON
  exchange_profile.xml 1 0", i saw the sap note 1333205, and update my
  Support Packages to Stack 11 of Netweaver 7.1, but not was solved.
  Thanks
  Josue Neto

  Dear all,
  we had the same problem on our PI7.0 SP21, that CTS was not working and IntegrationBuilder was not operational, aso...
  The lock "AII_TABLES" was visible in SM12 and appeared immediately after restart or manual deletion.
  We have opened a very high message to SAP, as the recomm. from SAP Note 1602945 did no help. Once they replied we have additionaly applied SAP_JTECHS PL30 and added parameter "com.sap.aii.ib.remote.exprof.enabled=TRUE" to the exchange profile per each server node.
  After these changes and restart, the lock is not active anymore - this was implemented and tested on Dev and Test systems. We will proceed with the Prod later on, we believe it helps.
  Regards,
  Peter Bajza

• Locking down is it possible.

  Hello, We just installed a server 2012 r2 with the AD and Remote Desktop Services roles,  To host quickbooks.  All our client computers are running non professional versions of windows.  Can we use Group Policy to lock down user activities
  when logged into the remote desktop.  Users are logging in fine, but no group policy seems to be working.  I have been attempting to do this with no success and just want to make sure i am not wasting my time. 

  Hi,
  Thanks for posting in Windows Server Forum.
  As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to  reply
  this post directly so we will be notified to follow it up. 
  BTW,  we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. 
  Thanks for your Support & understanding.
  Regards.
  Dharmesh Solanki
  TechNet Community Support

• Remote session was disconnected because there are no remote desktop licence servers available to provide a licence. Please contact the server administrator

  Hi,
  I am getting this error from windows server : remote session was disconnected because there are no remote desktop licence servers available to provide a licence. Please contact the server administrator.
  Remote desktop Session Host Server Configuration Details:
  The RD licensing Diagnoser(WIN-909xxxxxxxxxxx):
  Number of license available for clients : 0
  Remote Desktop Session Host server version: Windows server 2012 R2
  Active Directory Domain : Not applicable
  Licensing mode  : Not configured
  Now, Down I am getting this error as well shown by the system:
  RD licensing Diagnoser Information- 2 errors:
   Win-909xxxxxxxxxx : licensing mode for the Remode Desktop Session Host Server is not configured.
   Win-909xxxxxxxxxx : The grace period for the Remote Desktop Session Host server has Expired, but the RD Session Host server has not been configured with any license servers. connections to the RD Session Host server will be denied
  unless a license server is configured for the RD Session Host server.
  Now my kestion is :
  Do I need to buy a license key of the windows server to not getting this error or it may continue appear even if I purchased the license and not configure RDS and AD.
  Do I need to configured only  RDS and AD and buy the license key of windows server later because I still have 55 day of trial.
  Do I just buy the RDS client access license (L).
  Please could you help on this, am new in windows server?

  Hi,
  As the message indicates, the grace period for the Remote Desktop Session Host server has Expired, you need to purchase and install RDS CALs. Also, you need to configure related settings
  to continue using Remote Desktop Services. Otherwise, you cannot connect to the server remotely.
  References:
  Understand the licensing grace period
  http://technet.microsoft.com/en-us/library/hh553157(v=ws.10).aspx
  Install and issue RDS CALs or TS CALs
  http://technet.microsoft.com/en-us/library/hh553159(v=ws.10).aspx
  Remote Desktop Services Client Access Licenses (RDS CALs)
  http://technet.microsoft.com/en-us/library/cc753650.aspx
  Specify the Remote Desktop Licensing Mode on an RD Session Host Server
  http://technet.microsoft.com/en-us/library/cc754487.aspx
  Specify a License Server for an RD Session Host Server to Use
  http://technet.microsoft.com/en-us/library/cc770585.aspx
  Meanwhile,
  1. AD is not required for RDS. However, it is recommended.
  2. As you do not purchase Windows Server and related licenses as well, I suggest you contacting Microsoft sales or partner firstly.
  How to buy Windows Server 2012 R2
  http://www.microsoft.com/en-us/server-cloud/products/windows-server-2012-r2/buy.aspx
  Best Regards.
  Jeremy Wu
  TechNet Community Support

• I am using a Photoshop cs2, and I wonder if it is possible to keep the settings of the guidelines when closing an image, with the actual document ? It would be nice to have the guidelines locked down, I find it than when opening the same or another image,

  I am using a Photoshop cs2, and I wonder if it is possible to keep the settings of the guidelines when closing an image, with the actual document ? It would be nice to have the guidelines locked down, I find it than when opening the same or another image, the guidelines are not locked, it is annoying to have to lock them down again. and it would actually be nice, to ba able to give specific directions when placing the guidelines. Thanks

  Then why are the guides unlocked when I reopen a document that I saved with the guides locked ?
  Thanks.

• Lock down X140e BIOS

  Hello!
  I'm deploying 55 of the Thinkpad x140e to a school, and I want to be able to lock down the BIOS so the students won't be able to boot from other devices or make any other changes in the BIOS. I'm wondering if anyone knows of an application that allows me to lock down the BIOS without having to do it manually on every machine. I'm imaging them with the same image, so if there's an application that can be put on the image beforehand, that would be ideal. Anyone run into a similar situation or know of any solutions?
  Thanks in advance for any help you can provide!
  Solved!
  Go to Solution.

  Lenovo has some scripts (and accompanying documentation) for configuring the BIOS through WMI available here:
  http://support.lenovo.com/us/en/documents/ht100612
  The X140e isn't listed as a supported model, but it might be worth a try anyhow.
  How are you deploying the image? If you're using something like MDT or SCCM you would create a task that runs the script as part of the imaging process.

• How do you modify the web.xml to lock down the pages from a user role

  how do you modify the web.xml to lock down the pages from a user role

  I'll make a stab at your question:
  The following is an example of where a URL is protected within a web.xml deployment descriptor. In this example, the URL /protectedA within the application is protected:
  <!-- security constraints -->
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>protectedA</web-resource-name>
  <url-pattern>/protectedA</url-pattern>
  </web-resource-collection>
  <!-- authorization -->
  <auth-constraint>
  <role-name>sr_developer</role-name>
  </auth-constraint>
  </security-constraint>
  Sun's explaination here:
  http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security4.html

• Local Devices not found while on Remote Session

  Hopefully someone in the forum will have an idea where I am failing.
  I have an hp laptop (model 15--b123cl) running windows 8.1.
  I am Remote Desktop Connecting into my Server running Windows 7 Professional SP1.
  Both my hp laptop and the server have all Updates installed (including KB 2830477 for Windows 7 SP1).
  I have checked all options in my Remote Desktop Connection (Show Options) Local Resources tab to allow Local Devices and Printers to be available on my laptop (the client) while in a remote session on my server.
  (Checked Printers, Clipboards and all options under "more" such as Ports, Drivers, etc.)
  The connection works fine but no local devices (printers, thumbdrives, etc.) are visible or accessible while in the remote session.  My laptop recognizes the devices being plugged into the USB port (tone sounds), but the device will not show up in the
  remote session.  (They are shown on my local hp when I minimize the Remote connection.)
  My real need is to print to my hp printer while logged onto  the remote server.  I have an hp Officejet Pro 8600 which I have plugged-in to my laptop USB.  I relalize that while in remote connections I won't find wireless devices
  on my local (client) network unless mapped to a LPT or COM port, so I hard-plug into my USB.  I have also tried mapping my printer to a second port such as LPT2 or COM1 - still no luck.
  No matter what I have tried or read about Remote Desktop Sessions, I can not get my Local hp Printer to show up while in my remote session.  Any ideas?
  Thanks
  SL in Virginia  

  Hi Avi,
  Thanks for your reply!
  I am using JDeveloper version 9.0.3.1035!
  When I say it works in JDeveloper, I do mean the embedded server.
  In JDeveloper I have two projects, a) a session bean project and b) an entity bean project.
  I can run my code fine against the embedded server.
  However once I deploy the two jars to the standalone server things fall apart.
  When I reverted back to putting the session beans & entity beans all in one jar everythinh worked fine.
  However, I do not want to do this, I want to maintain my entity beans independently ( for maintenance & de- coupling reasons).
  So, I guess what I really want, is to see in black and white that local references do or do not traverse different jars on the same server.
  thanks,
  Kevin

• Unable to Change Screen Resolution in Remote Session - Windows Server 2012 R2

  Does anybody know of a way to allow Remote Desktop users to adjust their own screen resolution in a remote session under Windows Server 2012 R2? We are struggling with this and can't seem to find a solution.
  When users login to their RDP session and try to adjust their screen resolution this message is displayed in Control Panel:
  "The display settings can't be changed from a remote session."
  We don't want to use the "make text and other items larger or smaller" scaling feature, as this produces undesirable results with some of our applications.  We also don't want to have to support multiple types of RDP clients or RDP shortcut
  files.
  We have looked at other posts but can't find an answer that applies to Windows Server 2012 R2.  The closest thing we could find is KB2726399, but it only applies to Server 2008.
  Does anybody have a solution for Server 2012?
  Thanks

  Hi,
  Currently you cannot change the resolution from within the session.  This is normal and expected behavior.  
  Unfortunately this means you need to set the desired resolution before connecting by using custom .rdp files, manually within the Remote Desktop Client, custom web launch page, custom windows launch program, etc.
  -TP