How to prevent access to local server disks in an application hosting enviroment

[Dave]

Hi All

I know this must have been posted a thousand times and I not having a go at
any previous post, but does any know how to restrict access the local drive
on a terminal server without just saying

"Set proper NTFS permissions on the file system."

How do you restrict users access to "documents and setting", %systemroot%
and "program files" and still have the systems usable ?

One other back door to file system I haven't see mentioned is the outlook
bar file integration, if anyone knows how to turn that off under Office XP I
would be eternally grateful.

How has any other ASP's (application service providers) gotten around this.

Any suggestions are welcome, thanks in advance.

regards

Dave Collins

 

[Matthew Harris [MVP]]

I would get yourself a book on terminal services and see
how to lock down both the registry and the NTFS file
system. The main point is that users only need read
access to most system componets, like the system32 folder,
and only need write access to their documents and settings
and the temp folders.

-M

 

[Vera Noest [MVP]]

Dave,

"Set proper NTFS permissions on the file system."

It really boiles down to this, and the reason that I didn't give
you more detailed information was that this is such a huge
subject, that it is hard to give detailed guidelines in a post
like this.

However, there are security templates that you can use as an
example to set the NTFS permissions. Be aware that you have to
test them in your specific environment, because 3th party
applications might need specific user rights on all kinds of
directories.
But by studying and modifying the templates, you can get the
general idea and you will have a way to undo your changes if
things don't work.

Usefull templates and documentation can be found here:

NSA Security Recommendation Guides
http://nsa1.www.conxion.com/

Guide to Securing Microsoft Windows 2000 Terminal Services
http://nsa1.www.conxion.com/win2k/guides/w2k-19.pdf

 

[Dave]

Hi Vera

Thanks for your reply, I didn't my post to be a criticism, but rather a
plea for more info (After re-reading my post it does comes off a bit harsh,
for that a apologise)

As you say it is a huge subject to cover and I would have thought that MS
would have done a lot more to help.
Its a bit a blow to spend a lot of time and effort to lock down the TS
desktop to find out that it can be easily circumvented by typing a path in
the "Save AS" dialog box, I normally quite like MS products but it things
like this that leave me feeling a little let down .

I would have thought it would be relatively easy to have the dialog box
check against a list of "restricted" file path yet this problem has been
around a least as long a Office 2000.

once again thanks for your reply

Regards

Dave Collins

 

[Dave]

HI Mathew

Thanks for the reply, I do have several books on TS but none of them go into
securing the file system, I wasn't very clear in my original post (long
day, not much archived :-( ) but I'm try to work around the problem with
the "save as" dialog in Office and the outlook bar in outlook, both of which
circumvent the "hide drive" and "disable access to drive" GPO settings.

As we intend to host multiple companies on each TS server we need to lock
people out of viewing other peoples profiles and from poking around the
Files system in general, all of which seems to quite a huge task.

As I mentioned to my reply to Vera I would have thought it would be
relatively easy to have the dialog box
check against a list of "restricted" file path and have a GPO setting to
"Hide Outlook bar" (better still would to be able to remove file integration
from outlook completely, I believe it was an add on in Office 97)

Anyway thanks for reply

regards

Dave

 

[Vera Noest [MVP]]

Hi Dave,

OK, no problem. I know from experience that posts often read
differently than they were meant to be written....:-(

Apart from NTFS security (which is the ultimate solution, together
with security on Registry keys), there is one more tool that you
might find usefull: Application Security or AppSec. It lets you
list a number of allowed applications, and no other application
can be run by the users. But that leaves you still with the
problem that if you add Notepad to the list of allowed
applications, users can edit system .inf files if they have access
to the location on disk.

320181 - HOW TO: Use the Application Security Tool to Restrict
Access to Programs in Windows 2000 Terminal Services
http://support.microsoft.com/?kbid=320181

257980 - Appsec Tool in the Windows 2000 Resource Kit Is Missing
Critical Files
http://support.microsoft.com/?kbid=257980

And yes, I agree that securing a server, and especially a Terminal
Server, is non-trivial, to say the least. I find that it is an
ongoing, daily activity rather than a one-time act.
As soon as you *think* that you have plugged all holes, you find a
user file in a weird place or a registry key that shouldn't be
there.

 

[Dave]

Hi Vera

I did have a look at Appsec but because we are hosting multiple companies
and want to offer the ability to allow or restrict application access on a
per company/per user level we look like using GPO's "allowable application"
settings instead, form what I've read Appsec applies to machine rather than
per user, but thanks for the suggestion.

If I can push my luck just a little bit more (and go off topic a bit) how
bad of an idea is it to have wallpaper on the TS session's desktop, the
reason I ask is that the client I'm working for want to use it as "Free"
advertising , to me it seems like it would too high a cost in terms of
bandwidth and memory but I have limited experience with TS (my main skills
are networking, exchange, servers and growing chillies , but they won't pay
me to do that ! ) and I would like another opinion.

regards

Dave

 

[Vera Noest [MVP]]

I'm not really sure. As far as I understand, frequent screen
updates are the main thing to worry about. So if you compare
screen savers, clock in taskbar and (static) wallpaper, my guess
would be that their negative effect on performance comes in the
above order. I've never measured the effect of a wallpaper myself,
though. Would guess that first desktop screen will be slower, but
then the effect diminishes? But that will also depend on the type
of wallpaper and possibly the settings for local caching.
I'd try to measure the effect in network monitor.

On the other hand,
186566 - Connection Configuration in Terminal Server
http://support.microsoft.com/?kbid=186566

states:

Disabling wallpaper can significantly decrease screen redraw
times. This is especially useful for clients connecting over RAS.

On a related topic: Our main application had originally a clock in
the program menu bar which indicated *seconds*. We have managed to
convince the application developer to remove that clock, since the
effect on network traffic was highly noticeable.

186505 - Terminal Server Client Taskbar Clock Not Enabled
http://support.microsoft.com/?kbid=186505

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---

 

[Dave]

Hi Vera

The wallpaper will be quite simple just three colours and nothing fancy, so
hopefully it won't have to much of a negative effect (The managers have
insisted that it goes ahead no matter what I say !)
anyway, thanks for your time and all the best.

Dave