[THIN] Re: Restricting users from applications

  • From: "Bray, Donovan (ESC)" <BrayD@xxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 7 Nov 2005 14:05:40 -0800

I use NTFS file permissions propagated by GPO to protect applications.

I also use login scripts to manipulate the user's Start menu and desktop
based on group membership.

So for a "protected" application the login script checks with ismember to
find out if the icons should be copied to the user's profile; if not, it
attempts to delete them.

Then using a Group Policy attached to the termserver OU -> Computer ->
Windows Settings -> Security Settings -> File System, I create and replace
the permissions on the directory that holds the executables to prevent
access unless they are a member of that application's assigned "group"
(obviously the same one that ismember is checking).

I usually do it with entire folders, but in Office's case, since there are so
many shared components, you might think about doing it just for the primary
executables.

The beauty of using GPOs is that I can change it at will (don't have to
wait for a re-image), and it affects as many termservers as are in the OU
where you have the GPO linked without manually setting each one.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Adam.Baum@xxxxxxxxxxxxxx
Sent: Monday, November 07, 2005 12:04 PM
To: thin@xxxxxxxxxxxxx
Cc: thin@xxxxxxxxxxxxx; thin-bounce@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting users from applications

Correct. I have to prevent the "restricted" apps from being accessed by any
means (explorer navigation, embedded links, creating new files with .doc,
.xls and then clicking on them, etc). Basically, MS is now charging an
extra $100+ for every telecommuter to access Office via a terminal
session. That's on top of the Windows CAL and the TS CAL. Doesn't matter
if the user has a legit copy of Office on his home PC and has Office on his
work PC.

adam

-----Original Message-----
From: Jeff Pitsch <jepitsch@xxxxxxxom>
Sent by: thin-bounce@freelists.org
Sent: 11/07/2005 12:35 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Restricting users from applications
Please respond to: thin@xxxxxxxxxxxxg

Unfortunately he wants to make sure that the user can't start the programs
even from another. At least that's how I understand it. For example, if
you have Outlook open, you can't open a Word attachment because Word is
restricted if you're coming in over the internet.

Jeff Pitsch


On 11/7/05, Walter, Chris <christopher.walter@xxxxxxx> wrote:
  Set up a load evaluator based on IP range and deny them access if they are
  using a specific IP range.

  Chris

  -----Original Message-----
  From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
  Of Adam.Baum@xxxxxxxxxxxxxx
  Sent: Monday, November 07, 2005 12:21 PM
  To: thin@xxxxxxxxxxxxx
  Subject: [THIN] Restricting users from applications

  Hi All,

  As we move more and more into a thinclient solution here, I have been asked
  if there is a way to keep someone from accessing certain applications when
  telecommuting. Here's some background info: While using a City-supplied PC
  (mainly internal users), access to Microsoft applications is covered under
  our EA. When using the same servers from home, the access to apps is not
  covered under the EA. So... I need to find a way to prevent users coming
  through MSAM from accessing Microsoft applications. Internally, we use
  PNAgent/WI.

  My initial thought was to not publish the apps through MSAM. Then I thought
  about embedded links. Even if the app isn't published, clicking on an
  embedded document (or link to a .doc, xls, etc) will launch the app.

  Is there a way to set publishing/access rules based on your connection
  (MSAM vs PNAgent)? Any other methods of accomplishing this task?

  adam

  ************************************************
  For Archives, RSS, to Unsubscribe, Subscribe or
  set Digest or Vacation mode use the below link:
  //www.freelists.org/list/thin
  ************************************************
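
A check for the approach in the first message of this thread (NTFS permissions on the executables' folder limited to the application's group), added here as an example and not code from any poster: it lists every Allow entry that lets an identity outside the expected set execute files. The function name, the scratch folder and the `EXAMPLE\App-ProtectedApp` group are hypothetical, and the built-in account names assume an English-language Windows install.

```powershell
# Added example, not from the thread. Folder, file and group names are hypothetical.
function Get-UnexpectedExecuteAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Identities that are supposed to be able to run the application.
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    # FILE_EXECUTE (0x20) plus GENERIC_EXECUTE and GENERIC_ALL, which also grant it.
    $executeMask = 0x20 -bor 0x20000000 -bor 0x10000000

    # Check the folder itself and every executable below it, since a file
    # with inheritance switched off can keep an older, wider ACL.
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.exe')

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $executeMask) -eq 0) { continue }
            if ($ace.IdentityReference.Value -in $AllowedIdentity) { continue }
            # Anything reaching this point can execute but is not on the list.
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Constructed demo: a scratch folder with a placeholder executable.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ProtectedApp-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'app.exe') -Value 'placeholder'

Get-UnexpectedExecuteAce -Path $demo -AllowedIdentity @(
    'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'EXAMPLE\App-ProtectedApp'
) | Format-Table -AutoSize
```

An empty result means only the listed identities hold execute rights; on the scratch folder the inherited entry for the current user is normally reported, which is the kind of leftover access the File System policy is meant to replace.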

