Win 2012 R2 Remote Desktop Services; we would like to deploy RemoteApp with security in mind.
I published a couple of RemoteApps, including Excel. I gave permissions and all that stuff to restrict users, following a "least privilege" vision.
Opened Excel from a Win7 client. It turns out that when saving a file from Excel, if I write "cmd" into the file name textbox, a command line opens. The same happens if I write "Control Panel" or notepad or ... whatever I want.
I wonder what the purpose of publishing RemoteApps and fine-tuning permissions is when you can use every application installed on the session host.
Also, there isn't a way to hide local disks, network discovery PCs, deny logon to Remote Desktop on the session host... and so on.
How can I manage all of the above with a bit of security in mind? I understand that I will have to "fix" these issues with a combined set of tricks (logoff.exe as custom shell, hiding disks with registry, probably AppLocker integration...),
but what if I (and I will, of course) forget something?
Thanks for all your suggestions.
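
Added example (not part of the original post): a PowerShell audit that asks the session host's effective AppLocker policy whether a RemoteApp user could start the programs the post reached through Excel's Save dialog. The group name `CONTOSO\RemoteApp-Users` is a placeholder and the binary list is a constructed sample; it assumes an elevated session on the session host.

```powershell
# Added example: audit the effective AppLocker policy on an RDS session host.
# Assumptions: elevated prompt; $User is a placeholder group; $Binaries is a
# constructed sample of programs that were never published as RemoteApps.
Import-Module AppLocker

$User     = 'CONTOSO\RemoteApp-Users'   # placeholder, replace with your group
$Binaries = @(
    "$env:windir\System32\cmd.exe",
    "$env:windir\System32\control.exe",
    "$env:windir\System32\notepad.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Where-Object { Test-Path $_ }

$policy = Get-AppLockerPolicy -Effective

# 1. Rules are only applied while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status): AppLocker rules are not being applied."
}

# 2. Find the Exe rule collection; empty or audit-only means nothing is blocked.
$exe = $null
foreach ($rc in $policy.RuleCollections) {
    if ($rc.RuleCollectionType -eq 'Exe') { $exe = $rc }
}
if ($null -eq $exe -or @($exe).Count -eq 0) {
    Write-Warning 'No Exe rules in the effective policy: every executable may run.'
} elseif ($exe.EnforcementMode -eq 'AuditOnly') {
    Write-Warning 'Exe rules are in AuditOnly mode: launches are logged, not blocked.'
}

# 3. Evaluate each binary against the policy as the RemoteApp user group.
#    Test-AppLockerPolicy evaluates rules only; it ignores points 1 and 2.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $Binaries -User $User
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Anything still 'Allowed' is a launch path the published-app list does not cover.
$allowed = @($results | Where-Object { $_.PolicyDecision -eq 'Allowed' })
if ($allowed.Count -gt 0) {
    Write-Warning "$($allowed.Count) unpublished program(s) would still start for $User."
}
```

With an allow-list policy, a program nobody remembered to block shows up as `DeniedByDefault` rather than `Allowed`, which is the property the "what if I forget something" concern calls for.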