Re: Terminal Server Problems

Caster Troy · ‎03-06-2006

Hi All,
I have 7 DL580 G2 Servers these are the terminal servers and users connect to them through Remote Desktop Connection from Thin Clients. The problem is that users play games built in flash and java and very few in power point. I cant uninstall java and flash components and powerpoint as there are web based applications running. Is there a way to stop users from running those specific games? plz provide any help as the server resources are consumed largely due to such activity.

Evil Has Its Winning Ways

Igor Karasik · ‎03-06-2006

Probably the best way is to deny access to game sites in the firewall rules (I mean your corporate firewall, not windows 2003 built-in firewall).
You can also denied specific .swf/.ppt files.

Caster Troy · ‎03-06-2006

The users do not have internet access, they are getting these games in their e-mail on outlook and how can I block a specific *.ppt or *.swf file, plz explain. I do not want to block all swf/ppt files.

Evil Has Its Winning Ways

Igor Karasik · ‎03-06-2006

If we talk about files in emails you can block specific files on your mail relay gateway or on antivirus for exchange.
I can write exactly how to do it on EsafeMail or in Symantec mail security but this feature exists in most similar programs today.
But if you don't know specific file name and don't want to block all swf/ppt files - I don't see another solution here.
You can restrict attachment size as well.

Robert S. Carr · ‎03-07-2006

Caster:

Igor has got the right idea. Block attachments using any number of attachment blocking tools for Exchange (are you using Exchange or another provider?). The one we use, which is very effective, is Antigen.

http://www.sybari.com/

As for users and games, well, if they have so much time for games I wonder how they get their work done? Flash is certainly hard to stop since it is basically built to work with any browser. To block Flash, un-install the plug-in but I think that would create other problems as many work-related sites could need Flash.

I wonder, do you have an NAUP (Network Acceptable Usage Policy) at your firm? If you do not, perhaps you should think about one. Sit down with company managers and discuss what is and is not acceptable and what actions the company is willing to take for those breaking rules. For example, viewing of porno, hatred, etc web sites strictly forbidden at all times. Playing Flash games? How do they get their work done? I'm not sure technology is the answer to that problem.

Rob

Alan_152 · ‎03-08-2006

I'd agree with Robert on this one. Write up an AUP, get management to sign off on it, make all the employees sign it and place the document in their HR files, then start auditing for illicit use.

Make sure that the AUP has penalties and explicit examples of violations. Then start applying those penalties.

Andy_180 · ‎03-08-2006

Hi Caster! we use system policies with MS AD and XP to nip the use of local installed apps. what we do with this situation where they go online to get their daily fill of spyware and viruses is get the IP of the site they're going to and ban access in the router. 95% of our issues comes from 5% of the users. thats the quickest way and most effective we've found. thanks!
--Andy

Jasdev Singh · ‎03-08-2006

Hi Caster,

try this:
Block email attachments with Norton Antivirus for Microsoft Exchange

http://myitforum.com/articles/14/view.asp?id=2513

or

http://www.emailaddressmanager.com/protect-attachment.html

hope will help you...

jasdev

Caster Troy · ‎03-08-2006

Dear All,
Your usual cooperation is highly appreciated like always and the only solution is getting approved and signed an AUP, because there is no utility that can block specific files, the utilities only block same file types recognizing their extension.
If I intend to block snooker147.exe there is no way to do it instead all .exe files will be blocked and other work related applications will also stop functioning.

Evil Has Its Winning Ways

Igor Karasik · ‎03-08-2006

Caster,
Which mail relay server you use?
Do you use Exchange server? Which antivirus for exchange you use?
90 % of modern mail security tools CAN block specific file (e.g. block snooker147.exe)

Alan_152 · ‎03-09-2006

since you know a filename, do a search on the terminal servers. Once you find it, access the properties to find the install date and the person who installed this. Take screenshots, then proceed to HR and the installer's direct report.

Also, you could also replace the file with an executable that locks the user's session whenever it is accessed. Unlocking the session will require a password, and the only way you'll give up the password is via a meeting with HR, the user, and the user's boss.

You might consider updating your TS install with Citrix Metaframe/Winframe. That way you can limit each client's session by approved application instead of by virtual desktop.

Finally, a piece of advice. I used to be known as "The Terminator" for my zealous efforts at keeping people at work and unauthorized stuff off my machines. It turned into a continuous, escalating battle -- I'd put in a restriction or feature, and my "enemy" would find a way around it. I kept at it for 3 years until I moved to a company whose philosophy was to treat users as professionals instead of children. I ended up having far less trouble, and HR dealt with the few troublemakers I did have. Of course, such a strategy requires a good AUP, a good HR dept, management buy-in, and a corporate understanding of what happens if a machine breaks beyond repair (we also had the policy that if I couldn't repair an installation in 20 minutes, I would simply wipe the machine and the user would lose his work).

Caster Troy · ‎03-12-2006

Dear Igor,
We are using Exchange2003 but I am unable to find out how to block certain files. It is best if I can block them on Terminal Server as there are plenty of things that users bring in through usb blue tooth and other transfer media

Evil Has Its Winning Ways

Igor Karasik · ‎03-12-2006

Caster,
AFAIK , you cannot block specific attachment in exchange , but as I wrote before you CAN do it in antivirus for exchange or in mail relay gateway. I hope your organization use something for mail security?

Alan_152 · ‎03-13-2006

I just thought of something. In the old Win9x and NT4 days, you could use poledit to restrict which programs a user could execute. Maybe there's something like that in AD now?

http://www.zisman.ca/poledit/

Lucky Luciano · ‎04-17-2006

Hi
I had the same problem and I was looking for something what is reversible and so I've decided to use group policy with specification of additional software restrictions. It is absolutelly not perfect, but it works.
Even it has a good option to block according hash of file so they can try to rename it, but it is still blocked.
Other thing is that on fileserver we use File&Quota sentinel and blocking potentionally dangerous extensions.
Another point is that after new reinstall of our terminal server based on clean install and customisation only with GPO problem with applications consuming too much power as you mention disappeared (worth to think about)

I admire your fashionable running shoes!

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Terminal Server Problems

Terminal Server Problems