SUMMARY

This article describes how to use the Windows 2000 Terminal Services Application Security tool. If you are an administrator, you can use this tool to limit user access to a specific list of programs. The Application Security tool is included as-is in the Windows 2000 Resource Kit.

Because it may be difficult to configure a server that is running Terminal Services correctly, you must build your Terminal server in a test environment. Also, you may have to implement policy settings that restrict the functionality of Microsoft Windows Explorer and Microsoft Internet Explorer to help you meet design goals.

You can use the appsec command to start Application Security. You can use Application Security to specify exactly which programs the client computers can run. Application Security works in a similar way to system policy settings that allow users to run only specific programs. However, a system policy setting does not prevent users from running a program from the command prompt. If you use Application Security, you can prevent users from running a program from a command prompt.

You can use Application Security to control the executables files that a user can open. Some programs may use dozens of separate executable files; you must specify all of these files if you use Application Security. You may want to use Application Security if you want the clients to run only a few programs. However, if the clients are running more than a few programs, you may find it easier to use policies and profiles or NTFS file system file and folder permissions to restrict users from using certain programs on a Terminal server. You can use Application Security in conjunction with Group Policy restrictions to both turn off and hide restricted programs.

Administrators typically use Application Security to restrict access to users when they use Terminal Services in Application Server mode. Application Security allows important tools to be either available on the computer or accessible on the network for administrators, but it restricts the actual programs that a user can run. If you use Application Security, administrators can always run any executable file, but other users can only run programs that are listed in the Authorized Applications list.

You may also want to use Application Security in Windows 2000 to deploy a Terminal server that is used by Internet users. If Internet Connector licensing is turned on, all Terminal Services client logons are to the same user, TsInternetUser. You can use Application Security to configure the server so that the users who are connecting from the Internet can run only the programs that are listed in the Authorized Applications list.

back to the top

How to Install Application Security

The Application Security tool is included in the Windows 2000 Server Resource Kit.

NOTE: You may experience issues if you run the version of Application Security that is included with the Windows 2000 Server Resource Kit. See the "Troubleshooting" section of this article for more information about this issue.

To download the Application Security tool, visit the following Microsoft Web site:

The files that Application Security requires are copied to the user-definable installation folder during Windows 2000 Resource Kit Setup. Before you use Application Security, you must perform the following procedure to complete the installation:

1. Install the Windows 2000 Server Resource Kit.
2. Click Start, and then click Run.
3. Type instappsec.exe, and then press ENTER.

NOTE: The version of Application Security that is included with the Windows 2000 Resource Kit is missing three critical files. Without these files, Application Security does not work properly. For more information about this issue, see the Troubleshooting section of this article.

Application Security requires the following files:

• Appsec.exe
• Appsec.hlp
• Appsec.dll
• Appsec.cnt
• Instappsec.exe

back to the top

How to Use Application Security

1. To start Application Security, type appsec at the command prompt, and then press ENTER.
2. To turn on or turn off Application Security, click either Enabled or Disabled.
   

NOTE: When you turn on Application Security, users who are already logged on to the Terminal server before AppSec.dll was loaded will continue to be able to run programs that are not in the Authorized Applications list. To restrict the programs for these users, the users must log off, and then log back on. To force a user to log off if you are an administrator, stop the user's session.

By default, the following authorized programs are included in the Authorized Applications list when you turn on Application Security:

1. • Program: ACRegL.exe
     

Location: WINNT\Application Compatibility Scripts\Acregl.exe

1. • Program: ACsr.exe
     

Location: WINNT\Application Compatibility Scripts\Acsr.exe

1. • Program: Attrib.exe
     

Location: WINNT\system32\Attrib.exe

1. • Program: Cmd.exe
     

Location: WINNT\System32\Cmd.exe

1. • Program: Explorer.exe
     

Location: WINNT\Explorer.exe

1. • Program: Loadwc.exe
     

Location: WINNT\System32\Loadwc.exe

1. • Program: Net.exe
     

Location: WINNT\System32\Net.exe

1. • Program: NTSD.exe
     

Location: WINNT\System32\Ntsd.exe

1. • Program: Regini.exe
     

Location: WINNT\System32\Regini.exe

1. • Program: Subst.exe
     

Location: WINNT\System32\Subst.exe

1. • Program: Systray.exe
     

Location: WINNT\System32\Systray.exe

1. • Program: Xcopy.exe
     

Location: WINNT\System32\Xcopy.exe

1. To add additional programs to this list, click Add, and then either locate the program or type the path to the program that you want to add this list.
   

You cannot add a program that does not reside on the local hard disk to the Authorized Applications list.

NOTE: You can use the Application Security tool to restrict 32-bit programs only. Do not try to restrict 16-bit programs by using Application Security. To allow users to run all 16-bit programs, add Ntvdm.exe to the Authorized Applications list.

1. To remove a program from this list, click the program, and then click Delete.
   

To restrict access to a program, the program must reside on the Terminal server.

NOTE: If you use Application Security to restrict access to executable files, you must add the following programs to the Authorized Applications list if they are not already listed:

1. • Program: Cmd.exe
     

Location: WINNT\System32\Cmd.exe

1. • Program: Explorer.exe
     

Location: WINNT\Explorer.exe

1. • Program: Net.exe
     

Location: WINNT\System32\Net.exe

1. • Program: Regini.exe
     

Location: WINNT\System32\Regini.exe

1. • Program: Subst.exe
     

Location: WINNT\System32\Subst.exe

1. • Program: Systray.exe
     

Location: WINNT\System32\Systray.exe

1. • Program: Xcopy.exe
     

Location: WINNT\System32\Xcopy.exe

back to the top

Limitations of Application Security

Before you use Application Security, consider the following issues:

• The Application Security settings apply to the computer; you cannot configure the tool for each user.
• Application Security restricts programs that are only invoked by using the CreateProcess method. If a program is started by using the NTCreateProcess method (which is rare), you cannot use Application Security to restrict this program.
• Application Security restricts the file based on the full path name. Only the named executable file that is in the designated location can be run. This functionality prevents users from running other versions of the same executable file from different locations. However, Application Security does not specifically check the executable file; it restricts the file only by name. If precautions are not taken, a malicious user may replace a valid executable file (for example, WinWord.exe) with a different file that they rename WinWord. You must use the Windows 2000 security functionality to prevent a user from replacing or renaming program files.
• Application Security restricts executable files only; it does not restrict dynamic link library (DLL) files.

back to the top

How to Test Application Security

To test the Application Security tool:

1. Start Application Security on the server, and then click Enabled.
2. On a computer on which Terminal Services client is installed, start a session, and then try to run any program that is not on the Authorized Applications list.
   
   You receive the following error message:

   Access to the specified device, path, or file is denied.

3. Close the session on the client computer.
4. Start Application Security on the server, click Add, locate a program that is not on the Authorized Applications list, click Open, and then click OK.
5. On the computer on which Terminal Services client is installed, start a new session, and then confirm that you can run the program that you added to the Authorized Applications list.

back to the top

Troubleshooting

The version of the Application Security tool that is included with the Windows 2000 Resource Kit is missing the following three critical files:

• Appsec.cnt
• Appsec.dll
• Instappsec.exe

Application Security does not work properly without these files. To resolve this issue, download the corrected version of Application Security from the following Microsoft File Transfer Protocol (FTP) site:

For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:

If you try to log on using Terminal Services client, you may receive the following error message:

This behavior occurs because Terminal Services has a default connection security setting that allows only administrators to log on. If the security attributes on a specified connection have not been set, the connection inherits these default security settings.

For additional information about this issue, click the article numbers below to view the articles in the Microsoft Knowledge Base:

back to the top