Friday, November 11, 2005

Terminal Server

It's been a busy week building a Terminal Server cluster. Two servers, running Windows 2003 Server Standard.

I installed Terminal Services and IIS with the Remote Desktop Web option, then set up Network Load Balancing between the two servers as outlined here:

How to Configure Windows Network Load Balancing for pure Terminal Server environments

I copied the files from WINDOWS\Web\TSWeb to the root web and edited default.htm. That file is too big to post here, but the most important change was the addition of the following code right before MsRdpClient.Connect:

' SecuredSettings is only exposed when the page runs in a browser zone
' that trusts the control (e.g. Local Intranet or Trusted Sites); in
' other zones the StartProgram line would fail, so test first.
if MsRdpClient.SecuredSettingsEnabled then
  ' Run notepad as the session shell instead of the full desktop
  MsRdpClient.SecuredSettings.StartProgram = "notepad.exe"
else
  msgbox "Cannot access secured setting (StartProgram) in the current browser zone"
end if
' the existing MsRdpClient.Connect call follows here

That code starts notepad, but can be changed to start any program as the shell. Of course, how do you prevent users from breaking out of that program, or accessing the desktop using another RDP client?

Well, first you want to remove the ability of the BUILTIN\Users group to write to all the drives. Then you'll want to look at this document:

Locking Down Windows Server 2003 Terminal Server Sessions

But the real answer is Software Restrictions. More on that next time.
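The StartProgram line above only asks the client to request a start program; a user with another RDP client can simply leave it out. As an added example that is not part of the original post, this VBScript checks whether the RDP-Tcp listener enforces an initial program on the server side (and can set one). It assumes the Windows Server 2003 defaults: a listener named RDP-Tcp and the InitialProgram, WorkDirectory and fInheritInitialProgram values under the WinStations key, where fInheritInitialProgram = 0 means "override the user profile settings".

```vbscript
' Added example: audit (and optionally set) the server-side start program
' for the RDP-Tcp listener so that clients which omit StartProgram still
' get the restricted shell. Run with cscript as an administrator.
Option Explicit

' Assumed key layout for Windows Server 2003 (listener name RDP-Tcp).
Const KEY = "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\"
Dim sh : Set sh = CreateObject("WScript.Shell")

' Read a value from the listener key; Empty when the value is missing.
Function ReadValue(name)
    On Error Resume Next
    ReadValue = sh.RegRead(KEY & name)
    If Err.Number <> 0 Then ReadValue = Empty
    On Error GoTo 0
End Function

' True only when the listener overrides the user profile
' (fInheritInitialProgram = 0) and names a program to run.
Function InitialProgramEnforced()
    Dim inherit, prog
    inherit = ReadValue("fInheritInitialProgram")
    prog = ReadValue("InitialProgram")
    InitialProgramEnforced = False
    If Not IsEmpty(inherit) And Not IsEmpty(prog) Then
        If inherit = 0 And Len(prog) > 0 Then InitialProgramEnforced = True
    End If
End Function

' Server-side equivalent of the web page's StartProgram setting.
' New sessions pick it up; sessions already open are not affected.
Sub EnforceInitialProgram(path, workDir)
    sh.RegWrite KEY & "fInheritInitialProgram", 0, "REG_DWORD"
    sh.RegWrite KEY & "InitialProgram", path, "REG_SZ"
    sh.RegWrite KEY & "WorkDirectory", workDir, "REG_SZ"
End Sub

' cscript checkrdp.vbs /enforce   applies the same notepad shell as the page
If WScript.Arguments.Named.Exists("enforce") Then
    EnforceInitialProgram "notepad.exe", "C:\Windows\Temp"
End If

If InitialProgramEnforced() Then
    WScript.Echo "RDP-Tcp enforces InitialProgram = " & ReadValue("InitialProgram")
Else
    WScript.Echo "RDP-Tcp does not enforce a start program; clients that omit StartProgram get the full desktop"
End If
```

Enforcing the start program still leaves the "breaking out of the program" problem (file dialogs, Help links and the like), which is what the drive permissions and Software Restrictions address.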
