How do I restrict access to Remote Desktop?

I have an AWS Lightsail server based on the Windows Server 2016 blueprint. I would like to have users log in via remote desktop, and be limited to using just one designated application, and have no access to the desktop or other features [including the File Explorer].

I tried setting up a group policy, both for the server [Computer Configuration] and users [User Configuration] under Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Remote Session Environment, and I enabled and configured Start a program on connection. That did not work.

I also tried the suggestions found at the following link: Can RDP clients launch remote applications and not desktops

including setting the following dword value in the server's registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fAllowUnlistedRemotePrograms"=dword:00000001

I also included the alternate shell and remoteapplication entries in an .RDP file, and pointed to that file in the user's Remote Desktop Services Profile tab of the user's Properties dialog.

None of that worked. Each time I logged in as the user, the configured application did not run and I had access to the desktop.

Nothing that I found in my Google searches worked either.

Can someone please point me in the right direction? I am pretty sure that what I am trying to do is possible, but I am stuck.

I am connecting to the server using the remote desktop client in Windows 10 Pro, though I am not sure that that has anything to do with the failure. I'll also note that once I log into the server using remote desktop I can successfully run the application from the File Explorer or cmd prompt.

Remote Desktop is a Windows service that allows users to connect to a host computer from a different location. This allows users to access information stored on a separate computer from any place that allows them to log on to the Remote Desktop application. This has many practical applications in business, but also opens up some obvious security issues. These issues can be remedied by learning how to make a secure Remote Desktop Connection as safe for your needs as possible.

  1. Limit users who can log on to the host computer. Go to the host computer's system properties and select the Remote tab. If Remote Desktop is set up, the box that reads "Allow Users to Connect Remotely" should be checked. If not, check it now. Click the Select Remote Users button, and add the groups of users that are allowed to access the computer.

    • In most versions of Windows, this will still allow users in the Administrators group to access the host computer. If you want to change that, go to the Run box in your Windows Start Menu and enter %SystemRoot%\system32\secpol.msc /s

  2. Expand the Local Policies tree and select the folder titled User Rights Assignment. Go to the "Allow log on through Terminal Services" option and remove the Administrators selection from the local security settings screen. If you want to allow a specific administrator to access the Remote Desktop Connection, you can always add them through the previous step.

  3. Set the number of password attempts until the user is locked out. While still in the local security settings section, expand the Account Policies tree and choose the Account Lockout Policy folder. This folder has three settings that you can alter: Account Lockout Duration, Account Lockout Threshold, and Reset Account Lockout Counter After. The Account Lockout Threshold option is the number of times a person can enter the wrong password before being locked out. The Account Lockout Duration and the Reset options let you set how long a user stays locked out of the system after exceeding the Account Lockout Threshold. Change these to whatever is appropriate for your system.

    • To manually unlock a user who has been locked out, go to Administrative Tools in the Start Menu and select Computer Management. Under Local Users and Groups, you can click on an individual user and restore their access by un-checking the Account is Disabled box.

  4. Allow only certain IP addresses to access Remote Desktop. An IP address is a unique series of numbers that identifies a computer, and through Windows it is possible to limit the Remote Desktop Connection to known and trusted IP addresses only. To do so, navigate to your Windows Firewall settings through the Windows Control Panel. In the Firewall options, select the Exceptions tab and highlight Remote Desktop. Click the Edit button followed by the Change Scope button.

    • This screen gives you the option to limit access to the local network, or to create a custom list of IP addresses that are allowed access. Enter the IP addresses and click OK. Your Remote Desktop is now restricted to those addresses.

wikiHow is a "wiki," similar to Wikipedia, which means that many of our articles are co-written by multiple authors. To create this article, 12 people, some anonymous, worked to edit and improve it over time.

Updated: August 15, 2020

If you want to restrict Remote Desktop access to your dedicated server IP address or range of IP addresses, you can do so by following the instructions below.

Edit existing firewall rule

  1. Connect to your server via RDP or from the console.
  2. Open Windows Firewall with Advanced Security.
  3. Click Inbound Rules in the left pane.
  4. Locate the RDP rule.
  5. Right-click the rule, go to Properties, and switch to the Scope tab.

Create your IP restrictions

The Scope tab is where you add the IP addresses and ranges you want to access the server.

  1. On the Scope tab, edit the Remote IP Address section.
  2. Click the button next to These IP Addresses.
  3. Then click Add...
  4. If you're using a single IP address, simply type it in the text field at the top, then click OK.
  5. For each additional IP address, repeat steps 3 and 4.
  6. If you need to add an IP range, click the button next to This IP range.
  7. Type the beginning of the range in the From field and the end of the range in the To field.
  8. For each additional range, repeat steps 6 and 7.
  9. After adding each desired IP address, click the OK button to complete the changes.

Once you complete the changes, you can test the rule by trying to connect to the RDP server using an IP outside the desired intervals. If it fails to connect, then the rule has been successfully applied.

If the rule is unsuccessful, or you lose your connection to the server via RDP, please contact your support team.
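The Scope-tab change above (and the IP allow-list step in the wikiHow section) as a scripted equivalent, with the "do not lock yourself out" check a practitioner would want first. This is an added example, not from the original page or its authors; it assumes an elevated PowerShell session on the RDP host, and the addresses are constructed placeholders.

```powershell
# Added example (not from the original page): scope the built-in inbound
# Remote Desktop firewall rules to an allow-list, then verify the result.
# Assumes an elevated PowerShell session on the RDP host. The addresses are
# constructed placeholders from documentation ranges; replace them with yours.

$allowed = @(
    '203.0.113.10',            # a single management workstation
    '198.51.100.0/24',         # an office subnet in CIDR form
    '192.0.2.50-192.0.2.60'    # an explicit From-To range, as on the Scope tab
)

# Safety check before applying: the peer of the current RDP session must be in
# the list or you will cut off your own connection (only exact single-address
# matches are checked here, so a peer inside a listed range still warns).
$peer = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
        Select-Object -First 1 -ExpandProperty RemoteAddress
if ($peer -and ($allowed -notcontains $peer)) {
    Write-Warning "Current RDP peer $peer is not an exact entry in the allow-list."
}

# The built-in rules live in the "Remote Desktop" display group (TCP and UDP 3389).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True

# Same change as "These IP addresses" on the rule's Scope tab in the GUI steps.
$rdpRules | Set-NetFirewallRule -RemoteAddress $allowed

# Verify: each rule now lists only the allowed remote addresses.
foreach ($rule in $rdpRules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    '{0}: {1}' -f $rule.DisplayName, ($filter.RemoteAddress -join ', ')
}
```

Test it the same way the text suggests: a client outside the listed addresses should now fail to connect, while the listed ones still succeed.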

The best option to me in this case is simply to modify the properties of the user's AD account. Under the "Account" tab, select "Log On To" and there you can specify which computers the user is allowed to log in to. You will of course want to allow them to log in to their own workstation, but you can also add the terminal servers to which they should be allowed to log in.

The downside to this method, depending on your environment, is that the user would not be allowed to log in at other workstations either, unless those workstations are specified in this list of allowed systems.
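The "Log On To" setting described in that answer, applied with PowerShell so that the existing list is merged rather than overwritten (which is how the downside it mentions usually bites). This is an added example, not the answerer's code; it assumes the ActiveDirectory module is installed, and the user and computer names are constructed placeholders.

```powershell
# Added example (not from the original post): set an AD user's "Log On To" list,
# which is the userWorkstations attribute exposed as -LogonWorkstations.
# Assumes the ActiveDirectory (RSAT) module and rights to modify the user;
# 'jdoe', 'WS-JDOE', 'TS01' and 'TS02' are constructed placeholder names.
Import-Module ActiveDirectory

function Add-AllowedLogonWorkstation {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $ComputerName   # NetBIOS names, not FQDNs
    )
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations

    # An empty attribute means "all computers". Once anything is listed, logon
    # is refused everywhere else, which is the downside noted above, so merge
    # with the existing list instead of overwriting it.
    $current = @()
    if ($user.LogonWorkstations) { $current = $user.LogonWorkstations -split ',' }
    $merged = @($current + $ComputerName |
               ForEach-Object { $_.Trim().ToUpper() } |
               Sort-Object -Unique)

    Set-ADUser -Identity $Identity -LogonWorkstations ($merged -join ',')
    return $merged
}

# The user's own workstation plus the terminal servers they may use.
Add-AllowedLogonWorkstation -Identity 'jdoe' -ComputerName 'WS-JDOE', 'TS01', 'TS02'
```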