Terminal Service Plus

The best Citrix / RDS Alternative for Remote Desktop and Web Access
https://forum.tsplus.net/

Prevent users from executing programs that are not assigned to their group

https://forum.tsplus.net/viewtopic.php?f=8&t=4248

Page 1 of 1

Prevent users from executing programs that are not assigned to their group

Posted: Tue Nov 28, 2017 2:08 pm
by Filz
Hello everybody,

I have the TSplus Demo to verify if TSplus will be the software we will use in future.
I want my users only to be able to execute a specific program. I did only assign this program to the usergroup. If I log in over the webinterface one of those users the program starts and nothing else is available.
But in our scenario the users will not log in over the web interface. An URL will be used with username, password and program as parameters given by the URL.

Code: Select all

<a href="https://myserver.com/software/html5.html?user=USER&pwd=PASSWORD&program=C:\\\\Path\\\\to\\\\program.exe&startupdir=c:\\\\Path\\\to&params=" target="_blank">Start program</a>
The link works well but if you know the link (e.g. pointing with the mouse on the link in the browser) you can easily modify it. For example I was able to start cmd by using this URL:

Code: Select all

<a href="https://myserver.com/software/html5.html?user=USER&pwd=PASSWORD&program=C:\\\\Windows\\\\SysWOW64\\\\cmd.exe&startupdir=c:\\\\windows\\\\syswow64&params=" target="_blank">Start program</a>
The HTML5 Client will open and show a command prompt. By using the following command I was able to launch the registry editor with elevated rights (I know the admin password):

runas /user:administrator regedit

Ofcourse you need to know the users password. But anyway this seems to be a lack of security since the user can start every program installed on the machine and not only those which were assigned to the user or usergroup via TSplus Admin Panel.

Is there anybody who knows how to solve this with TSplus configuration? I do not want to have to additionally configure program/user/usergroup rights directly in Windows when I already did set it in TSplus Admin panel.

Thanks and BR,

Filz

Re: Prevent users from executing programs that are not assigned to their group

Posted: Wed Nov 29, 2017 3:25 pm
by John
Hello,

In fact you can do it, as long you are using the latest release 10.50 of TSplus.

To do so, just edit C:\Program Files (x86)\TSplus\UserDesktop\files\AppControl.ini

and in the security paragraph just add one line: appcmdline=no

[Security]
appcmdline=no

That's all; as easy as that.

Kind regards

John

Re: Prevent users from executing programs that are not assigned to their group

Posted: Fri Dec 01, 2017 10:45 am
by Filz
Hey John!

Thank you for your reply!
It works great.
But now I have another question:

There is an option in the Admin Panel where you can set if connected users are allowed to send ALT+CTRL+DEL. We did set this option to "None" (no PCs or mobile devices are allowed to send ALT+CTRL+DEL).

But mobile devices will still be able to send ALT+CTRL+DEL over the software keyboard which is integrated in the HTML 5 Client for mobile devices.

I did now manually remove Task Manager as well as some other menu options from the ALT-CTRL-DEL screen by editing the gourp policies for "Non Administrators". So everything is OK now. But there seems to be a little bug. The option in the TSplus Admin Panel does not seem to work correctly.

OS: Windows Server 2016 1607
TSplus Version: 10.50.11.19

Thanks for your help!

BR,

Filz
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited