SUMMARY
This article describes how to use the Windows 2000 Terminal
Services Application Security tool. If you are an administrator, you can use
this tool to limit user access to a specific list of programs. The Application
Security tool is included as-is in the Windows 2000 Resource Kit.
Because it may be difficult to configure a server that is running Terminal
Services correctly, you must build your Terminal server in a test environment.
Also, you may have to implement policy settings that restrict the functionality
of Microsoft Windows Explorer and Microsoft Internet Explorer to help you meet
design goals.
You can use the
appsec command to start Application Security. You can use Application
Security to specify exactly which programs the client computers can run.
Application Security works in a similar way to system policy settings that
allow users to run only specific programs. However, a system policy setting
does not prevent users from running a program from the command prompt. If you
use Application Security, you can prevent users from running a program from a
command prompt.
You can use Application Security to control the
executable files that a user can open. Some programs may use dozens of
separate executable files; you must specify all of these files if you use
Application Security. You may want to use Application Security if you want the
clients to run only a few programs. However, if the clients are running more
than a few programs, you may find it easier to use policies and profiles or
NTFS file system file and folder permissions to restrict users from using
certain programs on a Terminal server. You can use Application Security in
conjunction with Group Policy restrictions to both turn off and hide restricted
programs.
Administrators typically use Application Security to
restrict access to users when they use Terminal Services in Application Server
mode. Application Security allows important tools to be either available on the
computer or accessible on the network for administrators, but it restricts the
actual programs that a user can run. If you use Application Security,
administrators can always run any executable file, but other users can only run
programs that are listed in the Authorized Applications list.
You
may also want to use Application Security in Windows 2000 to deploy a Terminal
server that is used by Internet users. If Internet Connector licensing is
turned on, all Terminal Services client logons are to the same user,
TsInternetUser. You can use Application Security to configure the server so
that the users who are connecting from the Internet can run only the programs
that are listed in the Authorized Applications list.
How to Install Application Security
The Application Security tool is included in the Windows 2000
Server Resource Kit.
NOTE: You may experience issues if you run the version of Application
Security that is included with the Windows 2000 Server Resource Kit. See the
"Troubleshooting" section of this article for more information about this issue.
To download the
Application Security tool, visit the following Microsoft Web site:
The files that Application Security requires are copied to the
user-definable installation folder during Windows 2000 Resource Kit Setup.
Before you use Application Security, you must perform the following procedure
to complete the installation:
- Install the Windows 2000 Server Resource Kit.
- Click Start, and then click Run.
- Type instappsec.exe, and then press ENTER.
NOTE: The version of Application Security that is included with the
Windows 2000 Resource Kit is missing three critical files. Without these files,
Application Security does not work properly. For more information about this
issue, see the "Troubleshooting" section of this article.
Application Security requires the following
files:
- Appsec.exe
- Appsec.hlp
- Appsec.dll
- Appsec.cnt
- Instappsec.exe
How to Use Application Security
- To start Application Security, type appsec at the command prompt, and then press ENTER.
- To turn on or turn off Application Security, click either Enabled or Disabled.
NOTE: When you turn on Application Security, users who were already
logged on to the Terminal server before AppSec.dll was loaded can continue to
run programs that are not in the Authorized Applications list. To
restrict the programs for these users, the users must log off, and then log
back on. If you are an administrator, you can force a user to log off by ending the
user's session.
By default, the following authorized programs are
included in the Authorized Applications list when you turn on Application
Security:
- Program: ACRegL.exe
  Location: WINNT\Application Compatibility Scripts\Acregl.exe
- Program: ACsr.exe
  Location: WINNT\Application Compatibility Scripts\Acsr.exe
- Program: Attrib.exe
  Location: WINNT\System32\Attrib.exe
- Program: Cmd.exe
  Location: WINNT\System32\Cmd.exe
- Program: Explorer.exe
  Location: WINNT\Explorer.exe
- Program: Loadwc.exe
  Location: WINNT\System32\Loadwc.exe
- Program: Net.exe
  Location: WINNT\System32\Net.exe
- Program: NTSD.exe
  Location: WINNT\System32\Ntsd.exe
- Program: Regini.exe
  Location: WINNT\System32\Regini.exe
- Program: Subst.exe
  Location: WINNT\System32\Subst.exe
- Program: Systray.exe
  Location: WINNT\System32\Systray.exe
- Program: Xcopy.exe
  Location: WINNT\System32\Xcopy.exe
- To add a program to this list, click Add, and then either locate the program or type the path to the
program that you want to add to this list.
You cannot add a program that does not reside on the local hard disk to the
Authorized Applications list.
NOTE: You can use the Application Security tool to restrict 32-bit
programs only. Do not try to restrict 16-bit programs by using Application
Security. To allow users to run all 16-bit programs, add Ntvdm.exe to the
Authorized Applications list.
- To remove a program from this list, click the program, and then click Delete.
To restrict access to a program, the program must
reside on the Terminal server.
NOTE: If you use Application Security to restrict access to executable
files, you must add the following programs to the Authorized Applications list
if they are not already listed:
- Program: Cmd.exe
  Location: WINNT\System32\Cmd.exe
- Program: Explorer.exe
  Location: WINNT\Explorer.exe
- Program: Net.exe
  Location: WINNT\System32\Net.exe
- Program: Regini.exe
  Location: WINNT\System32\Regini.exe
- Program: Subst.exe
  Location: WINNT\System32\Subst.exe
- Program: Systray.exe
  Location: WINNT\System32\Systray.exe
- Program: Xcopy.exe
  Location: WINNT\System32\Xcopy.exe
Limitations of Application Security
Before you use Application Security, consider the following
issues:
- The Application Security settings apply to the computer;
you cannot configure the tool for each user.
- Application Security restricts only programs that are
started by using the CreateProcess function. If a program is started by using the
NtCreateProcess function (which is rare), you cannot use Application Security to
restrict this program.
- Application Security restricts the file based on the full
path name. Only the named executable file that is in the designated location
can be run. This prevents users from running other versions of
the same executable file from different locations. However, Application
Security does not check the content of the executable file; it restricts the file
only by name. If precautions are not taken, a malicious user may replace a
valid executable file (for example, WinWord.exe) with a different file that
they have renamed to WinWord.exe. You must use the Windows 2000 security features to
prevent users from replacing or renaming program files.
- Application Security restricts executable files only; it
does not restrict dynamic link library (DLL) files.
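The checks a defender would run before turning the tool on, as an added PowerShell example that is not part of this article or of the Application Security tool itself. It walks an Authorized Applications list of the kind shown in the "How to Use Application Security" section and tests each entry against the conditions stated there and in the limitations above: the program must exist at exactly that full path on the local hard disk, and, because Application Security matches only the path name and never inspects the file, neither the file nor its folder may be writable by ordinary users. The list, the trusted-writer set, and the UNC and missing-file entries are constructed assumptions; $env:SystemRoot stands in for the article's WINNT folder, and Get-FileHash needs Windows PowerShell 4.0 or later.

```powershell
# Added example; not part of the Microsoft article or of the Application
# Security tool. Audits an AppSec-style Authorized Applications list before
# the tool is enabled. The list and the trusted-writer set below are
# constructed; replace them with the entries shown in the AppSec dialog.
# $env:SystemRoot stands in for the article's WINNT folder.

$AuthorizedApplications = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\xcopy.exe",
    "$env:SystemRoot\System32\ntvdm.exe",        # constructed: lets every 16-bit program run
    '\\fileserver\apps\winword.exe',             # constructed: UNC path, not on the local disk
    "$env:SystemRoot\System32\no-such-tool.exe"  # constructed: file does not exist
)

# Principals that may legitimately replace program files (assumption: adjust
# to your build). Any other identity with write-class rights is reported.
$TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let a principal change, delete or rename the file, or rewrite
# its ACL and then do so. Modify and FullControl already include the rest;
# they are listed to keep the mask explicit.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, Modify, FullControl, TakeOwnership, ChangePermissions'

function Test-LocalFixedDisk([string]$Path) {
    # AppSec accepts only programs on the local hard disk: reject UNC paths and
    # mapped network or removable drives.
    if ($Path.StartsWith('\\')) { return $false }
    $root = [System.IO.Path]::GetPathRoot($Path)
    if ([string]::IsNullOrEmpty($root)) { return $false }
    return (New-Object System.IO.DriveInfo($root)).DriveType -eq 'Fixed'
}

function Get-UntrustedWriters([string]$Path) {
    # Identities outside $TrustedWriters that are granted (not denied) any
    # right in $WriteMask, including rights inherited from parent folders.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights -band $WriteMask) -ne 0 -and
                       $TrustedWriters -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Test-AuthorizedApplication([string]$Path) {
    $result = [ordered]@{
        Path           = $Path
        LocalFixedDisk = Test-LocalFixedDisk $Path
        Exists         = $false
        FileWriters    = @()   # can overwrite the executable in place
        FolderWriters  = @()   # can delete or rename it and drop in another file
        Sha256         = $null
        Finding        = 'OK'
    }
    if (-not $result.LocalFixedDisk) {
        $result.Finding = 'Not on a local fixed disk; AppSec will not accept this entry'
        return [pscustomobject]$result
    }
    $result.Exists = Test-Path -LiteralPath $Path -PathType Leaf
    if (-not $result.Exists) {
        $result.Finding = 'File does not exist; remove the entry or restore the file'
        return [pscustomobject]$result
    }
    $result.FileWriters   = @(Get-UntrustedWriters $Path)
    $result.FolderWriters = @(Get-UntrustedWriters (Split-Path -LiteralPath $Path -Parent))
    # Content hash: AppSec compares only the path name, so a baseline hash is
    # the only way to notice later that an allowed file has been replaced.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($result.FileWriters.Count -gt 0 -or $result.FolderWriters.Count -gt 0) {
        $result.Finding = 'Writable by non-administrators; fix NTFS permissions before enabling AppSec'
    } elseif ([System.IO.Path]::GetFileName($Path) -ieq 'ntvdm.exe') {
        $result.Finding = 'Ntvdm.exe listed: every 16-bit program becomes runnable'
    }
    [pscustomobject]$result
}

$report = $AuthorizedApplications | ForEach-Object { Test-AuthorizedApplication $_ }
$report | Format-Table Path, LocalFixedDisk, Exists,
    @{ n = 'FileWriters';   e = { $_.FileWriters   -join ', ' } },
    @{ n = 'FolderWriters'; e = { $_.FolderWriters -join ', ' } },
    Finding -AutoSize

# Keep the hashes as a baseline and diff against them after patching or when
# a replaced binary is suspected.
$report | Where-Object Sha256 |
    Select-Object Path, Sha256 |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\appsec-baseline.csv"
```

Run it from an elevated PowerShell prompt on the Terminal server. Entries reported as writable by non-administrators are the case the limitations above warn about: correct the NTFS permissions before you click Enabled, and keep the exported hash baseline so that a later run can show whether an allowed file has been swapped. The DLL limitation is not something a file-list audit can cover; that remains a matter for NTFS permissions on the program folders.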
How to Test Application Security
To test the Application Security tool:
- Start Application Security on the server, and then click Enabled.
- On a computer on which Terminal Services client is
installed, start a session, and then try to run any program that is not on the
Authorized Applications list.
You receive the following error message: Access to the specified device, path, or file is denied.
- Close the session on the client computer.
- Start Application Security on the server, click Add, locate a program that is not on the Authorized Applications
list, click Open, and then click OK.
- On the computer on which Terminal Services client is
installed, start a new session, and then confirm that you can run the program
that you added to the Authorized Applications list.
Troubleshooting
The version of the
Application Security tool that is included with the Windows 2000 Resource Kit
is missing the following three critical files:
- Appsec.cnt
- Appsec.dll
- Instappsec.exe
Application Security does not work properly without these
files. To resolve this issue, download the corrected version of Application
Security from the following Microsoft File Transfer Protocol (FTP) site:
For additional information about this
issue, click the article number below to view the article in the Microsoft
Knowledge Base:
257980 Appsec Tool in Windows 2000 Resource Kit Is Missing Files
If you try to log on using Terminal Services
client, you may receive the following error message:
Logon Message: You do not have access to logon to this session.
This
behavior occurs because Terminal Services has a default connection security
setting that allows only administrators to log on. If the security attributes
on a specified connection have not been set, the connection inherits these
default security settings.
For
additional information about this issue, click the article numbers below to
view the articles in the Microsoft Knowledge Base:
225038 Default Connection Changes Are No longer Applied
224395 Error Message: You Do Not Have Access to Logon to This Session