Terminal server - security and other questions

Adam

I have been using terminal in admin mode on many servers
for a long time.. but I'm to the point now where I want a
select group of users to be able to VPN into my corporate
network and then access the terminal server to get into
local systems (databases, software packages, etc.).

I have a box full of licenses for terminal server, I
believe they are 25 packs.. and I have dozens of them..
another story. :)

I have a new server all set up with the software on it that
I want my remote users to have access to, and they can log
into it on the LAN. I haven't tested the VPN access yet;
one thing at a time.

My problem is that right now, it seems that any "domain
user" can log into the server unless I explicitly
deny "logon locally" in the local policy. The server is a
member server in an AD. I'm trying to just specify a
group of users that have access to log in to the terminal
server, because I have to log in as them and map some drives
and set up some user profile items so they have access to
some company systems. I don't want to offer it to the
whole company; therefore, I want it locked down so nobody
but the specified people can log in.

That's my main issue at this point.. I may have more
soon. :)
 
Vera Noest [MVP]

Create a user group, let's say you call it TS Users. Add that user
group to the permissions on the rdp-tcp connection in TS
Connection Configuration and remove the Domain Users group. Same
thing for the right to log on locally and any other permissions or
restrictions that you want to apply to your TS users.

This might also be worthwhile reading:

278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295

260370 - How to Apply Group Policy Objects to Terminal Services
Servers
http://support.microsoft.com/?kbid=260370

231287 - Loopback Processing of Group Policy
http://support.microsoft.com/?kbid=231287
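
A way to verify the "log on locally" part of the change above, added here as an example and not part of either post: the script reads a user-rights export (as produced by `secedit /export /cfg <file> /areas USER_RIGHTS`) and reports any catch-all principal that still holds `SeInteractiveLogonRight`, the internal name of "log on locally". The sample exports, the domain SID and the RID 1105 standing in for the TS Users group are constructed.

```python
import re

# Well-known principals that cover (nearly) every domain account.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users (Domain Users is a member on a domain-joined server)",
}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # RID 513 = Domain Users

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def broad_grants(inf_text, right="SeInteractiveLogonRight"):
    """List principals holding `right` that would let any domain user log on."""
    findings = []
    for sid in parse_privilege_rights(inf_text).get(right, []):
        if sid in BROAD_SIDS:
            findings.append((sid, BROAD_SIDS[sid]))
        elif DOMAIN_USERS.match(sid):
            findings.append((sid, "Domain Users"))
    return findings

# Constructed sample exports; the domain SID and RID 1105 for "TS Users" are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
BEFORE = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*{DOM}-513
SeNetworkLogonRight = *S-1-1-0
[Version]
signature="$CHICAGO$"
"""
AFTER = BEFORE.replace(f"*S-1-5-32-545,*{DOM}-513", f"*{DOM}-1105")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, broad_grants(text) or "only named groups hold the right")
```

A real export file is typically UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `broad_grants`.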
 
