Thursday, April 24, 2014

How to prevent access to console session (Session 0) WITHOUT disabling Interactive Services Detection (UI0Detect)

I have a server running an interactive service. This service's GUI can only be accessed through Microsoft's Interactive Services Detection (UI0Detect) service. I wanted Administrators to be able to access the GUI, but not anyone in the Remote Desktop Users group. Initially I had some Logon/Logoff and Task Scheduler scripts running to automatically stop/disable the UI0Detect service when it was not needed, but this was less than elegant and not foolproof. So I found a better way via WMI! This disables access to the ‘Console’ session (session 0) by members of the ‘Remote Desktop Users’ group. Took me a bit of googling and trial/error to figure out how to compose the command properly, but it works! The UI0Detect GUI window no longer displays on Remote Desktop User sessions. The commands can be customized as needed! See helpful links below.

You’d think Microsoft would have this configured as a setting somewhere in group policy or security policy but I didn’t find it!

wmic RDAccount where "TerminalName='Console' and AccountName like '%Remote Desktop Users%'" call delete

In case you want to undo this setting, the command is:

wmic RDPermissions where "TerminalName='Console'" call AddAccount "BUILTIN\Remote Desktop Users", 1
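
To confirm the change took effect (or that the undo restored it), the script below lists every account entry on the 'Console' terminal and reports whether Remote Desktop Users is still present. It is an added example, not part of the original post. It assumes Windows Server 2008 or later, where the RDAccount alias maps to Win32_TSAccount in the root\cimv2\TerminalServices namespace, and an elevated PowerShell prompt; the function names are hypothetical.

```powershell
# Added example (not from the original post): audit the permission entries
# on the 'Console' terminal before and after running the wmic commands.
# Assumption: Win32_TSAccount lives in root\cimv2\TerminalServices
# (Windows Server 2008 or later). Run from an elevated prompt.

$namespace = 'root\cimv2\TerminalServices'   # assumption, see above
$rduSid    = 'S-1-5-32-555'                  # well-known SID of BUILTIN\Remote Desktop Users

function Get-ConsoleTerminalAccount {
    # This namespace requires packet-privacy authentication.
    Get-WmiObject -Namespace $namespace -Class Win32_TSAccount `
                  -Filter "TerminalName='Console'" `
                  -Authentication PacketPrivacy -ErrorAction Stop
}

function Test-ConsoleAccessRemoved {
    param([object[]]$Accounts)
    # Match on SID rather than name so the check also works on systems
    # where the group name is localized.
    $hits = @($Accounts | Where-Object { $_.SID -eq $rduSid })
    return ($hits.Count -eq 0)
}

function Show-ConsoleAccessAudit {
    try {
        $accounts = @(Get-ConsoleTerminalAccount)
    } catch {
        Write-Error "Could not query Win32_TSAccount: $($_.Exception.Message)"
        return
    }

    # Print the current entries so the result can be compared before/after.
    $accounts | Sort-Object AccountName |
        Format-Table AccountName, SID, PermissionsAllowed, PermissionsDenied -AutoSize |
        Out-String | Write-Output

    if (Test-ConsoleAccessRemoved -Accounts $accounts) {
        Write-Output 'OK: Remote Desktop Users has no entry on the Console terminal.'
    } else {
        Write-Warning 'Remote Desktop Users still has an entry on the Console terminal.'
    }
}

Show-ConsoleAccessAudit
```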

http://serverfault.com/questions/481411/restrict-rdc-console-session-for-administrator-only-in-windows-2003-server
http://web.archive.org/web/20130616045724/http://ts.veranoest.net/ts_faq_administration.htm#console_permission
http://support.microsoft.com/kb/290720/EN-US
