If you have a Server 2016 Remote Desktop Services infrastructure, you will likely want to lock down the Session Hosts. Below are some of the useful Group Policies that we suggest you apply.
Note that Server 2012 and Server 2016 have the option to use something very important for security named USER PROFILE DISKS. A User Profile Disk is a VHDX that is created for each user. That Virtual Hard Disk contains their C:\USERS\ profile and blocks remote users from interacting with the physical disk.
If you want to use USER PROFILE DISKS, see the linked article for more information. If you don’t want to use USER PROFILE DISKS, you should consider configuring the following GPOs:
Let's get started. Below are the GPOs we suggest you consider to lock down your RDS Session Hosts:
COMPUTER > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES > SECURITY OPTIONS:
COMPUTER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM > GROUP POLICY > SET THE REMOTE DESKTOP LICENSING MODE
COMPUTER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM > GROUP POLICY > USE THE SPECIFIED REMOTE DESKTOP LICENSE SERVERS
USER > POLICIES > ADMINISTRATIVE TEMPLATES > CONTROL PANEL
The complete description of .CPLs is available from Microsoft, but a list of .CPLs is below:
Note that this is a new version of our 2010 article on common GPOs, including those for what was then called Terminal Services.
hi,
Part 1: how to restrict RDS standard users from opening "Server Manager"
1. Create a new "restrict admin tool" group in your RDS users OU in ADUC [my example OU is "test"]. Add test a and test b to the "restrict admin tool" group.
2. Create the domain policy below and link it to the special OU in GP Management [my example is "test"]: User Configuration\Policies\Administrative Templates\System > Don't run specified Windows applications > Enabled > enter servermanager.exe
3. Enter gpupdate /force on both the session host server and the DC.
4. Log off all RDS users and log on again, then check the result (in my example, testa and testb cannot open "Server Manager").
KB ID 0001211
Problem
Note: This is not an exhaustive list, but it’s what I use when securing Remote Desktop Services, [Terminal Services] servers. Some of these settings are ONLY for Server 2012 R2 and later. If you have any settings you think are omitted, please comment below.
Solution
User Access To RDS
If you want to create a Domain security group for RDS users then please do so. BE AWARE the ‘Remote Desktop Users’ group you see in Active Directory Users and Computers [in the Builtin container] is for access to Domain Controllers only! In all the examples below I am allowing access to ‘Domain Users’.
If you log onto the RDS server itself: Windows Key+R > sysdm.cpl > Remote > Remote Desktop > Select Users > Add as appropriate.
Errors
I had a situation where everyone worked apart from one user, who got this error;
The connection was denied because the user account is not authorised for remote login.
This user was a member of domain users, and all the normal boxes were ticked, I had to add ‘Domain Users’ AGAIN via Group Policy before the problem went away?
GPO Location
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
Group Policy
Restricting users is fine, but if you create a GPO, link it to your RDS servers and enable ‘loopback processing’, then the policy will also apply to the domain administrator and to members of the Domain Admins group when they log on to those servers. To stop that happening, set ‘Deny: Apply group policy’ on the GPO for the users/groups that you DON’T want the policy applied to.
Computer Policies
[Note: to remove the Server Manager shortcut from the task bar see below]
GPO Location
Computer Configuration > Policies > Administrative Templates > System > Server Manager > Do not display Server Manager automatically at logon
Setting: Enabled
Configure Group Policy Loopback Processing
The reason you do this is that a lot of the policies you want to apply are ‘user policies’, while the GPO you link to your RDS servers is linked to a domain/site/OU that contains Computer objects. If you enable loopback processing, you can configure user settings in the same policy and they are applied to users logging onto the computers the policy is linked to. This is perfect for Remote Desktop Services.
GPO Location
Computer Configuration > Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode
Setting: Enabled
User Policies
I hide access to the drives that are on the RDS server itself and leave the rest, because most people still have mapped drives and network drives they want access to.
GPO Location
User Configuration > Administrative Templates > Windows Components > File Explorer > Prevent access to drives from My Computer
Setting: Enabled
GPO Location [Server 2012 and older]
User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer
Setting: Enabled
Prevent/Hide Access to Control Applications
There is a policy that blocks access to the Control Panel applets you specify, but I prefer to block ALL applets except the ones I specify, and I only ever allow access to Devices and Printers.
GPO Location
User Configuration > Administrative Templates > Control Panel > Show only specified Control Panel items
Setting: Enabled
Setting: Microsoft.DevicesAndPrinters
Note: For a list of all applications, search for ‘Canonical names for Control Panel Items’.
Remove Shut Down / Restart, Sleep and Hibernate
For obvious reasons you don’t want your users to have the ability to shut down the server.
GPO Location
User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands
Setting: Enabled
Now your users should just have ‘Lock’ and ‘Sign out’.
Remove Use Of Command Line [CMD]
I say ‘remove use’ because, with this policy enabled, even if a user manages to get a command window to run, they still can’t execute any commands in it.
GPO Location
User Configuration > Policies > Administrative Templates > System > Prevent access to the command prompt
Setting: Enabled
Setting: Disable the command prompt script processing also: Yes. [Read the warning!]
So if a user does manage to get a command window open, this is what they will see;
Prevent Access to Registry Editing Tools [Regedit]
For obvious reasons, I don’t trust most techs in the registry, never mind ‘users’.
GPO Location
User Configuration > Policies > Administrative Templates > System > Prevent access to registry editing tools
Setting: Enabled
Setting: Disable Regedit from running silently: Yes. [Make sure you don’t have any reg commands in your login scripts!]
If a user attempts to run the registry editing tools this is what they will see;
Remove Server Manager From the Task Bar
To do this you need to change permissions on the shortcut files.
GPO Location
Computer configuration > Policies > Windows settings > Security Settings > File System
Right-click File System > Add File, then change the permissions on the following file by removing Users:
File: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk
The users/groups remaining should be;
- Administrators
- Creator
- SYSTEM
- All Application Packages [may not be present]
Note: Sometimes you need to test this with a fresh user account, because these shortcuts are copied into the user profile the first time a user logs on.
Prevent Access to PowerShell
This is much more difficult than it needs to be! I prevent access to the powershell.exe and powershell_ise.exe files.
GPO Location
User Configuration > Policies > Administrative Templates > System > Don’t run specified Windows applications
Setting: Enabled
Setting: powershell.exe and powershell_ise.exe
Now if your user attempts to run PowerShell this is what they will see;
RDS Removing Administrative Tools From Start Menu
I do this by creating a custom start menu for my users, see the following article;
RDS – Custom Start Menu [Remove Administrative Tools]
Remove ‘Pinned’ Applications / Programs from the Taskbar
This is a bit of a ‘shotgun approach’, because it removes ALL pinned items and stops users pinning items [which you might not want]. I use it because none of the solutions I’ve found to remove the PowerShell shortcut from the Taskbar seem to work on Server 2012 R2.
GPO Location
User Configuration > Policies > Administrative Templates > Start Menu and Taskbar > Remove pinned programs from the taskbar
Setting: Enabled
This is what your users will see;
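The same lockdown GPO (loopback plus the computer and user policies listed above, and the ‘Don’t run specified Windows applications’ policy the forum reply uses for servermanager.exe) can be built from the GroupPolicy module instead of clicking through the editor. This is an added example, not code from the article; the GPO name, the OU distinguished name and the drive-mask choice are assumptions to replace for your domain, and the registry paths are the ones the ADMX templates write for each setting.

```powershell
# Added example: create/update the RDS session-host lockdown GPO with the GroupPolicy module.
# Run on a DC or an RSAT workstation as a user who can create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'RDS-SessionHost-Lockdown'                      # assumed name
$TargetOU = 'OU=RDS Session Hosts,DC=example,DC=com'        # placeholder OU DN

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# --- Computer policies (the GPO is linked to an OU of session host computers) ---
# Configure User Group Policy loopback processing mode: 2 = Replace, 1 = Merge
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# Do not display Server Manager automatically at logon
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager' -ValueName 'DoNotOpenAtLogon' -Type DWord -Value 1 | Out-Null

# --- User policies (reach RDS users only because loopback is enabled above) ---
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Prevent access to drives from My Computer: bitmask A=1, B=2, C=4 ...; 4 hides C: only (assumed), 0x3FFFFFF = all drives
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoViewOnDrive' -Type DWord -Value 4 | Out-Null
# Show only specified Control Panel items: Devices and Printers only
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'RestrictCpl' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$Explorer\RestrictCpl" -ValueName '1' -Type String -Value 'Microsoft.DevicesAndPrinters' | Out-Null
# Remove and prevent access to Shut Down, Restart, Sleep and Hibernate
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoClose' -Type DWord -Value 1 | Out-Null
# Prevent access to the command prompt: 2 = also disable script processing (logon .cmd/.bat scripts stop working)
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null
# Prevent access to registry editing tools: 2 = also block silent "regedit /s" (breaks reg imports in logon scripts)
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ValueName 'DisableRegistryTools' -Type DWord -Value 2 | Out-Null
# Don't run specified Windows applications: PowerShell, the ISE and Server Manager (from the forum reply)
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$Explorer\DisallowRun" -ValueName '1','2','3' -Type String -Value 'powershell.exe','powershell_ise.exe','servermanager.exe' | Out-Null
# Remove pinned programs from the taskbar
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Explorer' -ValueName 'TaskbarNoPinnedList' -Type DWord -Value 1 | Out-Null

# Link the GPO to the session host OU if it is not linked already.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }
# The 'Deny: Apply group policy' entry for admin groups still has to be added in GPMC
# (Delegation > Advanced); Set-GPPermission only writes Allow entries.
```

Run gpupdate /force on a session host and test with a fresh, non-admin account, since the pinned-shortcut and Server Manager behaviour differs for profiles that already exist.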
Related Articles, References, Credits, or External Links
NA