Article ID: 320181
This article was previously published under Q320181
This article describes how to use the Windows 2000 Terminal Services Application Security tool. If you are an administrator, you can use this tool to limit user access to a specific list of programs. The Application Security tool is included as-is in the Windows 2000 Resource Kit.
Because it may be difficult to configure a server that is running Terminal Services correctly, you must build your Terminal server in a test environment. Also, you may have to implement policy settings that restrict the functionality of Microsoft Windows Explorer and Microsoft Internet Explorer to help you meet design goals.
You can use the appsec command to start Application Security. You can use Application Security to specify exactly which programs the client computers can run. Application Security works in a similar way to system policy settings that allow users to run only specific programs. However, a system policy setting does not prevent users from running a program from the command prompt. If you use Application Security, you can prevent users from running a program from a command prompt.
You can use Application Security to control the executable files that a user can open. Some programs may use dozens of separate executable files; you must specify all of these files if you use Application Security. You may want to use Application Security if you want the clients to run only a few programs. However, if the clients are running more than a few programs, you may find it easier to use policies and profiles or NTFS file system file and folder permissions to restrict users from using certain programs on a Terminal server. You can use Application Security in conjunction with Group Policy restrictions to both turn off and hide restricted programs.
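One way to inventory the executable files a program uses before authorizing it, as an added example that is not from this article or the Resource Kit: it walks a copy of the program's installation folder and lists every launchable image by its file header rather than its extension, which goes slightly beyond the text. The function names and sample files are constructed for illustration, and skipping DLLs is an assumption about what the Authorized Applications list needs.

```python
import struct
import tempfile
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # PE Characteristics flag: image is a DLL, not a program

def classify(path):
    """Return 'exe', 'dll', 'mz-other' or None, judged from the file headers."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return None
            (pe_offset,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew
            f.seek(pe_offset)
            pe = f.read(24)  # "PE\0\0" signature + 20-byte COFF header
    except OSError:
        return None
    if len(pe) < 24 or pe[:4] != b"PE\0\0":
        return "mz-other"  # DOS-style image without a PE header
    (flags,) = struct.unpack_from("<H", pe, 22)  # COFF Characteristics
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def candidates(root):
    """Relative paths of launchable images under root (assumption: DLLs skipped)."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and classify(p) in ("exe", "mz-other"))

def fake_image(flags):
    """Constructed sample: 64-byte DOS header followed by a bare PE/COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    return dos + b"PE\0\0" + b"\0" * 18 + struct.pack("<H", flags)

def demo():
    """Build a constructed install folder and list what would need authorizing."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        samples = {"app.exe": fake_image(0x0002), "bin/helper.exe": fake_image(0x0002),
                   "bin/viewer.scr": fake_image(0x0002), "bin/lib.dll": fake_image(0x2002),
                   "readme.txt": b"plain text", "old16.com": b"MZ" + b"\0" * 62}
        for rel, data in samples.items():
            Path(root, rel).write_bytes(data)
        return candidates(root)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The constructed folder yields four candidates, including `bin/viewer.scr` and `old16.com`, which an extension filter for `.exe` alone would miss.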
Administrators typically use Application Security to restrict access to users when they use Terminal Services in Application Server mode. Application Security allows important tools to be either available on the computer or accessible on the network for administrators, but it restricts the actual programs that a user can run. If you use Application Security, administrators can always run any executable file, but other users can only run programs that are listed in the Authorized Applications list.
You may also want to use Application Security in Windows 2000 to deploy a Terminal server that is used by Internet users. If Internet Connector licensing is turned on, all Terminal Services client logons are to the same user, TsInternetUser. You can use Application Security to configure the server so that the users who are connecting from the Internet can run only the programs that are listed in the Authorized Applications list.
NOTE: You may experience issues if you run the version of Application Security that is included with the Windows 2000 Server Resource Kit. See the "Troubleshooting" section of this article for more information about this issue.
To download the Application Security tool, visit the following Microsoft Web site:
http://download.microsoft.com/download/win2000platform/Appsec/1.0/NT5/EN-US/appsec_hotfix.exe
The files that Application Security requires are copied to the user-definable installation folder during Windows 2000 Resource Kit Setup. Before you use Application Security, you must perform the following procedure to complete the installation:
Application Security requires the following files:
ftp://ftp.microsoft.com/reskit/win2000
For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:
257980 (http://support.microsoft.com/kb/257980/EN-US/) Appsec Tool in Windows 2000 Resource Kit Is Missing Files
If you try to log on using Terminal Services client, you may receive the following error message:
Logon Message: You do not have access to logon to this session.
This behavior occurs because Terminal Services has a default connection security setting that allows only administrators to log on. If the security attributes on a specified connection have not been set, the connection inherits these default security settings.
For additional information about this issue, click the article numbers below to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/225038/EN-US/) Default Connection Changes Are No longer Applied
(http://support.microsoft.com/kb/224395/EN-US/) Error Message: You Do Not Have Access to Logon to This Session
For more information about Windows 2000 Terminal Services, see the Terminal Services Online Documentation at the following Microsoft Web site:
Article ID: 320181 - Last Review: October 30, 2006 - Revision: 4.2