Group Policies - Best Practices?

Discussion in 'Parallels Remote Application Server' started by AlexeyP1, Feb 27, 2019.

  1. AlexeyP1

    AlexeyP1 Bit poster

    Messages:
    3
    Hello Everybody,

    I am currently integrating Parallels RAS in our enterprise environment and am curious if there are any suggestions / best practices for group policies to restrict users from doing unpredicted actions assuming they are working through RAS Client only.

    The "Best Practices" guide does not cover this topic; the only article I found in the KB is this one, which describes limiting access to local drives. I implemented it (all users' data is stored with Profile Roaming & Folder Redirection on a network share). I have also disabled the default context functions, which prevents users from using the right mouse button in File Explorer dialogs. Are there any other recommendations?

    I have never administered a university site or an internet cafe :) But since the company I work for now plans to give clients access to the system, I don't really know what to expect :) I am thinking about protecting the setup from something wild that a normal user won't do but a foreigner may try, like opening system programs or running a script from the "File Open" dialog with some kind of trick - there are numerous ones to be found on Google, and new ones are popping up every day.

    Thanks in advance for all your thoughts...
     
  2. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
  3. AlexeyP1

    AlexeyP1 Bit poster

    Messages:
    3
    Thanks, Eugene. I was aware of those pages... and read them before posting. Will implement that, though it doesn't apply to my situation directly.

    I am going to publish applications only, not desktops or VDIs. The riskiest part is that I'll most likely have to publish Windows Explorer to allow convenient file management. So the question is: should I disable something specific to keep a foreign user from executing applications that are not allowed or applying system changes using some "hacks", maybe in the "File Open" dialog or elsewhere in Explorer?
     
  4. AlexeyP1

    AlexeyP1 Bit poster

    Messages:
    3
    Just to update this topic and clarify a bit what I am talking about - here is an example of the user behaviour I want to prevent.
    1. MS Word is published to the user
    2. File Explorer is not published though
    3. In any Word document you type \\localhost, which will be converted to a link
    4. Clicking the link opens File Explorer, which is unpublished
    Any other type of link in Word - mail links, URLs etc. - starts additional unpublished applications.
    Is there any way to prevent a user from running unpublished applications and going outside the bounds defined for him?
     
  5. jpc

    jpc Pro

    Messages:
    433
    @AlexeyP1 What you seem to be looking for is a "Software White list".
    This is a powerful Windows security feature which will allow only the applications in the white list to run. If configured incorrectly, it could cripple your Windows server, so make sure that you test this on a non-production system first and that you always have a backup unrestricted user (or an actual backup/snapshot handy).

    Setting up the application white list can be done using:
    * GPO: https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/
    * or (on Windows 2012R2 and later) via AppLocker: https://docs.microsoft.com/en-us/pr...ows-server-2012-R2-and-2012/hh831440(v=ws.11)
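
A sketch of the AppLocker route mentioned in the reply above, added here as an example and not taken from the thread or from Parallels documentation: it builds allow rules for one published application, keeps them in audit mode, and checks what a RAS user would be denied. The group name, test user and install path are assumptions.

```powershell
# Run elevated on a non-production RD Session Host first.
# Assumptions (not from the thread): group, test user and install path.
$PublishedDir = 'C:\Program Files\Microsoft Office'  # where the published app lives
$RasUsers     = 'CONTOSO\RAS-Clients'                # hypothetical group of RAS users
$TestUser     = 'CONTOSO\ras.test'                   # hypothetical member of that group

# 1. Inventory only the executables belonging to the published application.
$files = Get-AppLockerFileInformation -Directory $PublishedDir -Recurse -FileType Exe

# 2. Allow rules for the RAS group: publisher rules where signed, hash otherwise.
$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User $RasUsers -RuleNamePrefix 'RAS-Published' -Optimize

# 3. Audit only: nothing is blocked yet, would-be blocks are only logged.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Offline check of the binaries a \\localhost link or a "File Open" dialog
#    could start. Files matched by no allow rule are reported as DeniedByDefault.
$probe = @(
    "$env:WINDIR\explorer.exe",
    "$env:WINDIR\System32\cmd.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
)
Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User $TestUser |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 5. Apply to the local policy in audit mode; the Application Identity
#    service must be running for AppLocker to evaluate anything.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Start-Service -Name AppIDSvc

# 6. After a test session as $TestUser, list what enforcement would have blocked
#    (event 8003). Session components that appear here need allow rules, as do
#    Administrators, before any collection is switched to 'Enabled'.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```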
     
