Terminal Services Restrict to One Application and Disable "x" Option

Terminal Services has many uses. On this project we had to set up a server in one location, have people log into it from all over the country, and, if they got disconnected, let them log back into their account without losing their workspace.

We set up a Windows 2003 Server with TS and used the Remote Desktop Connection client, which comes standard with XP, to log in to our server.

Problem:
In this situation, the purpose of the whole operation was to have all the users log in and use the Pastel accounting software. However, it should just look like a shortcut on their desktop, and they should have no choice of the IP or the settings they use to log in. Also, as soon as they log in, the application should open up, and as soon as they close the application, their session should be logged off.

Solution:
Follow this tutorial ->
http://www.windowsecurity.com/articles/Windows-Terminal-Services-Run-Single-Application.html

Don't forget to link the group policies you created to your Domain.
You can configure as many restrictions as you like.

To create a "shortcut" straight to the server, simply open your Remote Access Connections, set the server and all your parameters, and
- Press the Options>> button.
- Under the General tab, in the Connection Settings group, click "Save As".

Now create a shortcut for the users to that saved session. They will now log in to the server you specified, with all the restrictions you set.

Problem:
Also, the Pastel guy didn't want the users to be able to disconnect their session with the "x" button which comes up when you use RDP. This is because some operations won't be available if the users just disconnect their session instead of logging off, because the files would still be accessed by their logged-in session.

Solution:
By using a program called ResHacker, you can edit all the visual properties of executable files.
So we are going to edit the "x" option in the Remote Connection so the users can't just disconnect their session.

First Obtain ResHacker:
http://www.angusj.com/resourcehacker/

Now navigate to your executable: *make a backup of your original before editing it*
e.g. in this case: C:\WINDOWS\system32\mstsc.exe

I would copy that .exe to a different location, then edit it.

Once opened in ResHacker, in the tree on the left go to:
-> "Dialog" folder
-> "404" folder
-> "1033" item
This contains all the items of the "x" dialog box

Now by editing this script we're gonna change the dialog box to look like an error message disallowing the user to disconnect from the active session.

-> Change the line "Control 401...." to "Control 400...." which will make the image an error image
-> Click on the "OK" button and press delete
-> Drag the cancel button to the centre of the window
-> Edit the script in ResHacker to say "OK" instead of "Cancel"
-> Lastly, in the script, edit the main text from "This will disconnect your windows session..." to a custom warning message of your choice. In our example: "Please close all applications and log off"
-> Click "Compile Script"
-> Don't forget to save your hacked mstsc.exe

Now when users log on to your server with your hacked client, it will display your error message when they click the "x" button to disconnect.


Problem:
With Windows XP Service Pack 2 and above, Windows replaces all changed system files if the date modified, size etc. has changed from the original. This means our hacked exe will be replaced with the original exe, losing all the changes we made to the hacked one.

Solution:
Place these two lines in a batch file, and place the batch file in the same directory as your hacked exe.

copy mstsc.exe %SYSTEMROOT%\system32\dllcache\ /Y
copy mstsc.exe %SYSTEMROOT%\system32\ /Y

Windows will prompt you to put the XP CD in; just click Cancel.
The next dialog box will ask if you wish to keep the non-original exe and say it may be harmful bla...bla...bla...; just click OK.

Now our hacked exe will not get overwritten and the users will not be able to keep their active sessions open.
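To confirm what the batch file above left on a client, the following PowerShell function hashes each copy of mstsc.exe and reports whether it matches your backup of the original, your edited build, or neither. It is an added example, not part of the original post. The function name, parameter names and demo file names are assumptions, and it needs PowerShell 4.0 or later for Get-FileHash, so run it from an admin workstation against local paths or admin shares.

```powershell
# Added example, not from the original post. Names below are hypothetical.
function Get-MstscCopyState {
    param(
        [Parameter(Mandatory)] [string] $OriginalBackup,  # backup made before editing
        [Parameter(Mandatory)] [string] $PatchedBuild,    # the edited copy you deployed
        [string[]] $Deployed = @(                         # the two copies the batch file writes
            "$env:SystemRoot\system32\mstsc.exe",
            "$env:SystemRoot\system32\dllcache\mstsc.exe"
        )
    )
    $origHash  = (Get-FileHash -LiteralPath $OriginalBackup -Algorithm SHA256).Hash
    $patchHash = (Get-FileHash -LiteralPath $PatchedBuild -Algorithm SHA256).Hash
    foreach ($path in $Deployed) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; State = 'Missing'; SHA256 = $null }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # 'Unknown' means the file is neither the backed-up original nor your
        # build, so something else changed it and it needs a closer look.
        $state = if ($hash -eq $patchHash) { 'Patched' } elseif ($hash -eq $origHash) { 'Original' } else { 'Unknown' }
        [pscustomobject]@{ Path = $path; State = $state; SHA256 = $hash }
    }
}

# Constructed demo: small text files stand in for the backup, the patched
# build and one deployed copy; the second deployed path is left absent.
$tmp = Join-Path $env:TEMP ("mstsc-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Set-Content -LiteralPath "$tmp\orig.exe" -Value 'original bytes'
Set-Content -LiteralPath "$tmp\patched.exe" -Value 'patched bytes'
Copy-Item -LiteralPath "$tmp\patched.exe" -Destination "$tmp\system32.exe"
$demo = @{
    OriginalBackup = "$tmp\orig.exe"
    PatchedBuild   = "$tmp\patched.exe"
    Deployed       = "$tmp\system32.exe", "$tmp\dllcache.exe"
}
Get-MstscCopyState @demo | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp -Recurse -Force
```

If the system32 and dllcache copies report different states, the two copy commands did not both succeed and the client should be rechecked.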

Problem:
We came across a machine with Windows Vista. This OS prohibits you from deleting certain files unless you are the owner of them.

Solution:
In our example we're gonna take ownership of mstsc.exe and mstscax.dll for the user limz.


Open Command prompt:
-----------------------------------------------------------------------------
-> type: takeown /f %SYSTEMROOT%\System32\mstsc.exe
-> press Enter

-> type: cacls %SYSTEMROOT%\System32\mstsc.exe /G limz:F
-> press Enter
-> It will ask "Are You Sure (Y/N)" press Y then Enter

-> type: takeown /f %SYSTEMROOT%\System32\mstscax.dll
-> press Enter

-> type: cacls %SYSTEMROOT%\System32\mstscax.dll /G limz:F
-> press Enter
-> It will ask "Are You Sure (Y/N)" press Y then Enter

-> Now delete those two files and replace them with your hacked exe and the mstscax.dll from a machine with XP
-----------------------------------------------------------------------------

*Please consult your system admin before making any changes to your system.

=)
