Blocking Terminal Services Users from Some Objects

Is there a way to prevent users logged on through Terminal Services from accessing certain files or other objects?

Yes; you can use the special security principal Remote Interactive Logon, which is available in ACLs and user rights assignments. Then, when a user logs on to a computer through Remote Desktop, Remote Assistance, or Terminal Services, Windows places the Remote Interactive Logon SID in the user's access token, which causes any permissions or rights assigned to Remote Interactive Logon to apply to the user for the current logon session.

To block your Terminal Services users from accessing a folder, for example, simply add to the folder an access control entry (ACE) that denies Full Control to Remote Interactive Logon. Then, anyone who logs on through Terminal Services and tries to access the folder will be denied access.

TAGS: Security
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish