Preventing Shadowing of Terminal Sessions

  • Preventing Shadowing of Terminal Sessions

    We operate a W2003 TS 32 bit and have a user created for an external company (let's call her 'ABCD') to support their POS software product. They access the system via RDP over the internet.
    They have two computers at their site (not controllable by our company in any way) that they will RDP in from using the same user, ABCD. When one of the computers logs in, the session can be shadowed by our admin user. However, when the other logs in (their senior user), the ABCD session cannot be shadowed, which makes me think that the senior user does something to prevent shadowing.
    The Group Policy for "Sets rules for remote control of Terminal Services user sessions" in - Computer Configuration - Administrative Templates - Windows Components - Terminal Services, is as follows:

    Local Computer Policy (computer and user): Not Configured
    Default Domain Policy (computer and user): Not Configured
    xxxxx Domain Policy (computer): Enabled (Full Control Without Users Permission)

    The particular user, say "ABCD", is in the xxxxx organizational unit. All other users in that OU can be shadowed. And user ABCD connecting from the same remote location from PC1 can be shadowed, but not from PC2.

    The user has access to regedit but is unable to change the respective keys' values for the above. They cannot run gpedit.msc and are not an administrative user.

    I would like to know:
    1) What they could possibly be doing that prevents shadowing of a session and
    2) What settings on the server to change to force the possibility of shadowing.

    This is a particular concern as it obviously opens up the way for users to be able to operate outside of company guidelines. It could also indicate a potentially more serious vulnerability: if they can bypass a group policy in this instance, perhaps they can bypass others too.

    Thank you in advance.
    Last edited by motiv8d; 6th February 2008, 03:16. Reason: Incorrect line

  • #2
    Re: Preventing Shadowing of Terminal Sessions

    Upon GP testing it seems that only the xxxxx user policy is being applied over the default domain policy. The xxxxx computer policy is not.
    The policy xxxxx is set to enabled and enforced for the xxxxx OU.
    Could someone please advise why this could be the case?

    In the interim I have added the enforce shadow policy to the xxxxx user policy part.
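
One way to see which scope actually delivers the remote control setting discussed in the posts above, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later is installed on the terminal server and that the policy writes the `Shadow` value under the standard Terminal Services policy key; the function names are hypothetical.

```powershell
# Added example: report the remote control (shadow) setting from each scope.
# Run as an administrator on the terminal server while the sessions are logged on.
$policyPath = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listener   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$meaning = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user''s permission'
    2 = 'Full Control without user''s permission'
    3 = 'View Session with user''s permission'
    4 = 'View Session without user''s permission'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Format-Shadow($Value) {
    if ($Value -eq $null) { return 'Not Configured' }
    return "$Value ($($meaning[[int]$Value]))"
}

# 1. Computer-side policy: overrides the user-side policy when both are set.
"Computer policy  : $(Format-Shadow (Get-RegValue "HKLM:\$policyPath" 'Shadow'))"

# 2. User-side policy for every loaded profile (one per logged-on account).
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        try {
            $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }   # SID could not be resolved; show it raw
        $value = Get-RegValue "Registry::HKEY_USERS\$sid\$policyPath" 'Shadow'
        "User policy      : $name = $(Format-Shadow $value)"
    }

# 3. Listener setting, used when neither policy scope is configured.
if ((Get-RegValue $listener 'fInheritShadow') -eq 1) {
    'RDP-Tcp listener : inherits the per-user account setting'
} else {
    "RDP-Tcp listener : $(Format-Shadow (Get-RegValue $listener 'Shadow'))"
}
```

Comparing the output while each of the two client PCs is connected shows whether the value differs per session or whether the computer policy is simply absent from the server.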