I have a Windows desktop application (written in .NET) that I have installed on a Windows Server machine. Since it is a desktop app (not a web app) it needs to be used by accessing the server via RDP and interacting with it directly.

Now we have the necessity to let a specific user use this app, but for legal reasons we don't want the user to be able to access the app files (I mean the app's .exe and .dll files; basically we don't want the user to be able to make a copy of the app).

Is this possible in any way?

(Before you ask: yes, we're currently converting the desktop app to a web application that will solve this problem, but this will take several months and in the meantime we need to temporarily provide access to the desktop version to a couple of specific users.)

harrymc
Master_T
  • How should the user execute a binary which he cannot access? – mashuptwice Mar 25 '22 at 15:03
  • (1) Is this a GUI application? (2) Which Windows Server version? (3) Are the user and Windows Server on the same local network? (4) If yes, does [RemoteApp](https://newhelptech.wordpress.com/2017/07/23/step-by-step-how-to-deploy-remote-desktop-services-in-windows-server-2016/) fit the situation? – harrymc Mar 25 '22 at 15:06
  • (Add to your comment `@harrymc` for me to be notified.) – harrymc Mar 25 '22 at 15:13
  • @harrymc: very interesting, that might be exactly what I need: the app would run on the server and be "streamed" to the user PC, without the user having full access to the server via RDP, I will check out that tutorial, thanks – Master_T Mar 25 '22 at 15:49
  • @harrymc RemoteApp is a good suggestion, but it should be known that RemoteApp is essentially the same as Remote Desktop access, except it is presented to the end user in a different way. For instance, RemoteApp does not block access to other things on the server. I can easily send a ctrl-alt-del to the remote server, open task manager, start file explorer, etc. It’s really only a difference in look and feel. All other concerns apply. – Appleoddity Mar 25 '22 at 15:52
  • @Appleoddity: thanks for the warning, I understand it is not a perfect solution, but at the moment it's better than nothing – Master_T Mar 25 '22 at 16:21

2 Answers

Anything the app has to access while running as that user is, by necessity, also accessible by the user.

Your option is to implement additional security protection through some type of data loss prevention.

For instance, you may:

  1. Prevent copying and pasting files from the server
  2. Prevent accessing the files over the network
  3. Prevent access to internet browsers or other applications which could provide an avenue for the user to upload a file offsite.
  4. Prevent access to the Windows clipboard so they cannot copy and paste the code.
  5. Block internet access on the server.
  6. Configure your terminal services settings so the application automatically runs when the user logs in and does not receive access to a desktop. More information here: https://stackoverflow.com/questions/63022048/how-do-i-restrict-a-remote-desktop-user-to-a-single-application-on-windows-serve
  7. Etc.

You’ll have to think about and block any avenue a user may use to copy or modify the code even though they have at least read access to the files. The fact it is running in Remote Desktop makes this much easier.

Appleoddity
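
The clipboard and file-copy restrictions in items 1 and 4 of the answer above correspond to Remote Desktop Session Host policy values on the server. As an added example (not part of the original answer), this PowerShell reports which redirection channels are still open and can set them to blocked; the function names are hypothetical, and the registry values are the ones the matching Group Policy settings write.

```powershell
# Added example: audit and lock down RDP redirection on a session host.
# Run in an elevated PowerShell session on the server. A domain GPO that
# manages the same settings will overwrite values written locally.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> the channel that a value of 1 blocks.
$expected = [ordered]@{
    fDisableClip = 'Clipboard redirection (copy/paste between client and server)'
    fDisableCdm  = 'Drive redirection (client drives mapped into the session)'
    fDisableCpm  = 'Printer redirection'
}

function Get-RdsRedirectionAudit {
    param([string]$Key = $policyKey)
    # A missing key or value means the policy is not configured,
    # so the channel is treated as still open.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) { $value = $props.$name }
        [pscustomobject]@{
            Policy  = $name
            Blocks  = $expected[$name]
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Blocked = ($value -eq 1)
        }
    }
}

function Set-RdsRedirectionLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key = $policyKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $expected.Keys) {
        if ($PSCmdlet.ShouldProcess("$Key\$name", 'Set DWORD to 1')) {
            Set-ItemProperty -Path $Key -Name $name -Value 1 -Type DWord
        }
    }
}

# Report the current state; any row with Blocked = False is an open channel.
Get-RdsRedirectionAudit | Format-Table -AutoSize

# Preview the changes without writing anything:
# Set-RdsRedirectionLockdown -WhatIf
```

These settings only close the RDP redirection channels; as the answer notes, the user still has read access to the application files inside the session, so the other items on the list remain necessary.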

For computers that are on the same local network, RemoteApp is a Windows technology that allows one to publish an application so that it runs on Windows Server but appears as if it's running on the user’s desktop almost like a local application. I have used it in the past and it works well.

Some security precautions are required:

  • The app will actually be running on the server under the assigned user account
  • If the app starts a Command Prompt, this will run on the server under the assigned user account, and the same for Windows Explorer
  • If the app starts the Open or Save File Dialog, it should be prevented by account permissions on the server from going out of its assigned disk folders.

For more information on how this works, see the article Step by Step How to Deploy RemoteApp in Windows Server 2016.

harrymc