Internet on a terminal server
Good afternoon.
Please push me towards the correct solution.
Task:
Give a user access to the Internet from the terminal server, while protecting the server itself from possible infection as much as possible.
I see the following options:
1) Classic: We cut all possible rights and tune the write permissions on various directories + antivirus with a firewall + some interesting proxy
(Cons: Long tuning + cost of antivirus and proxy)
2) Perverse: Launch the browser as RemoteApp from another server, which is virtual and rolls back to the default state, for example, once a day.
(Cons: Server license cost (Server 2008R2/2012))
We will assume that the hardware resources on the virtualization cluster are consumed in both cases approximately the same.
Is it possible to publish the application free of charge? Or is there a better way to solve this problem?
Come on, what is there to spend a long time tuning? If the user does not have administrator rights, and there is an antivirus as well, nothing more needs to be done.
Em. The first thing you need under Windows is ordinary user rights for everyone.
The second thing you need is local or group policies that prohibit launching software from anywhere except C:\Windows and Program Files (+ the x86 variant).
Well, and MS Essentials for anti-virus protection.
After that, only regular installation of updates to the installed software (1C, Office, Java/Flash, Adobe Reader) is required. That's all.
And have you not thought of doing the second option with the server part on Linux?
As an alternative, you can virtualize a Web browser application (Microsoft App-V, VMware ThinApp or others) by adding additional required components to the package - flash, java, etc.
But the proxy server and antivirus should be in any case.
Is the goal just to give the user Internet access? Maybe it's easier to let them out to the Internet directly from a thin client / RDP client? Even older thin clients have a browser.
I would not recommend running the browser(s) on a working terminal server where working software is running. Because the user has the ability to open an unlimited number of tabs with an unlimited number of buggy flash banners.
And since in Windows (up to 2008 R2 inclusive) there are NO tools to limit the user in terms of memory / processor, this can cause slowdowns on the entire server.
I would look towards a second terminal server on Linux (LTSP) with RDP access to it.
At our enterprise we completely abandoned RemoteApp (Win 2008 R2 server). An extremely unstable thing. You sneeze a little - “protocol error”, and you restart everything again ...
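
One way to implement the restriction suggested in the answers above (ordinary users may launch software only from C:\Windows and Program Files), as an added example that is not code from any of the posters. It assumes AppLocker is the policy mechanism, which the thread does not name; the file names are hypothetical.

```powershell
# Added example. Assumes AppLocker (Server 2008 R2 or later) as the policy
# mechanism and an elevated session on the terminal server.
Import-Module AppLocker

$policyPath = Join-Path $env:TEMP 'ts-exe-allowlist.xml'   # hypothetical file name
$everyone   = 'S-1-1-0'        # well-known SID: Everyone
$admins     = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Exe rules: ordinary users may run only what lives under Windows and
# Program Files (%PROGRAMFILES% also covers the x86 folder); admins anything.
# %WINDIR%\Temp is carved out because non-admin users can write there.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files folders" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all files" Description="" UserOrGroupSid="$admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# Dry run before touching the server: evaluate the policy file against a
# binary in System32 and a copy of it placed in a user-writable folder.
$copy = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $copy -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\notepad.exe", $copy -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally in audit mode (replaces existing local rules; add -Merge to keep them).
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service AppIDSvc   # Application Identity service must run for rules to be evaluated

# Review what enforcement would have blocked (event 8003 is logged in audit mode).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
```

Once the audit log shows only launches that should be blocked, change `EnforcementMode` to `Enabled` and apply the policy again; the Exe collection shown here does not cover scripts, MSI packages or DLLs, which have their own rule collections.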