How to Restrict Direct RDP Access to SHD Server having an Application Published

This page addresses the use case where applications are published on the SHD server, but direct access to the SHD server using MSTSC needs to be restricted when the RDP port is open.

Steps

  1. Publish the application via Accops (HyWorks) and allow access to users.

  2. On the server where this requirement is to be implemented:

    Open Run, type mmc and press Enter. Go to File and select Add/Remove Snap-in, as shown in the image below:

  3. Double-click Group Policy Object. The following window will open; click Browse:

  4. Select the Users tab, click Non-Administrators and then OK, as shown in the image below:

  5. You will see the Group Policy Object as shown in the snapshot above. Click Finish.

  6. Click OK.

  7. Follow the path shown in the image below:

  8. The complete path is:

    User Configuration / Policies / Administrative Templates / Windows Components / Remote Desktop Services / Remote Desktop Session Host / Remote Session Environment / "Start a program on connection"
    
  9. Enable the GPO.

  10. Enter the program path of logoff.exe and the working directory of the same exe, as shown in the screenshot below, and click OK.

  11. In Run, type gpupdate /force and press Enter.

  12. Save the settings when you exit from mmc.

If the requirement is to be implemented for all Accops SHD servers, make these changes in the "Accops GPO policy" present in AD. Make sure Authenticated Users is removed from this GPO's filter, and add only the Users & Computers to which this setting should be applied.

Note

Once these changes are made, no one will be able to take MSTSC of the servers to which this GPO policy is applied, so please confirm before applying this policy.
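
To confirm the setting from the steps above has reached a user after gpupdate, the following PowerShell check can be run in a session of a user the policy targets. It is an added example, not part of the Accops documentation. It assumes the "Start a program on connection" user policy stores its values as InitialProgram, WorkDirectory and fInheritInitialProgram under the registry key shown; confirm this on your build. The function name Test-RdpLogoffPolicy is hypothetical.

```powershell
# Added example. Run as a user the policy is meant to apply to.
# Assumption: the user policy "Start a program on connection" writes the values
# InitialProgram / WorkDirectory / fInheritInitialProgram under this key.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services'

function Test-RdpLogoffPolicy {
    param([string]$Key = $PolicyKey)

    $result = [ordered]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        PolicyPresent  = $false
        Inherit        = $null
        InitialProgram = $null
        WorkDirectory  = $null
        ProgramExists  = $false
        IsLogoff       = $false
    }

    # A missing key or value means the policy never reached this user.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['InitialProgram']) {
        $program = [Environment]::ExpandEnvironmentVariables($props.InitialProgram).Trim('"')
        $workDir = $props.WorkDirectory

        # A bare file name is resolved against the configured working directory.
        $full = if ([IO.Path]::IsPathRooted($program)) { $program }
                elseif ($workDir) { Join-Path $workDir $program }
                else { $program }

        $result.PolicyPresent  = $true
        $result.Inherit        = $props.fInheritInitialProgram
        $result.InitialProgram = $program
        $result.WorkDirectory  = $workDir
        $result.ProgramExists  = Test-Path -LiteralPath $full -PathType Leaf
        $result.IsLogoff       = ([IO.Path]::GetFileName($program) -ieq 'logoff.exe')
    }
    [pscustomobject]$result
}

$check = Test-RdpLogoffPolicy
$check | Format-List
if (-not ($check.PolicyPresent -and $check.IsLogoff -and $check.ProgramExists)) {
    Write-Warning 'Policy not effective for this user: a direct MSTSC session would not be logged off.'
}
```

Because step 4 scopes the local policy to Non-Administrators, running the check as an administrator account shows which accounts fall outside the restriction.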