Exposing only part of C: over Terminal Services

Ken Johnson gives a useful tip on his blog about limiting access to your local drives when you make a Terminal Services connection.  This is not new, but it’s useful enough to be worth summarizing here.

When I audit a system via Terminal Services, I usually map a drive to or from the system depending on what the Firewall will allow.

Sometimes, it won’t allow either, though.  In those cases one of the few options remaining is to configure mstsc.exe to expose a local drive on your client system to the server, accessing it via \\tsclient.  But, you probably want to avoid exposing your whole C: drive.

Assuming that you didn’t have the foresight to create a dedicated partition for this purpose (I didn’t), you can easily simulate a drive using subst:

subst s: c:\share

Then you can configure mstsc.exe to only share your S: drive, leaving you less exposed.

Nice tip, Ken.