Lockdown Remote Desktop Services Server 2022

If you have a Server 2016 Remote Desktop Services infrastructure, you will likely want to lock down the Sessions Hosts.  Below are some of the useful Group Policies that we suggest you apply.

Note that Server 2012 and Server 2016 have the option to use something very important for security named USER PROFILE DISKS.  A User Profile Disk is a VHDX that is created for each user.  That Virtual Hard Disk contains their C:\USERS\ profile and blocks remote users from interacting with the physical disk.

If you want to use USER PROFILE DISKS click HERE for more information.  If you don’t want to use USER PROFILE DISKS, you should consider configuring the following GPOs:

Lets get started.  Below are the GPO’s we suggest you consider to lock down your RDS Session Hosts:

The complete description of .CPL’s is available from Microsoft HERE but a list of .CPL’s is below:

KB ID 0001211

Problem

Note: This is not an exhaustive list, but it’s what I use when securing Remote Desktop Services, [Terminal Services] servers. Some of these settings are ONLY for Server 2012 R2 and later. If you have any settings you think are omitted, please comment below.

Solution

User Access To RDS

If you want to create a Domain security group for RDS users than please do so. BE AWARE the ‘Remote Desktop Users’ group you see in Active Directory Users and Computers, [in the built in OU] is for access to Domain Controllers Only! In all the examples I use below I am allowing access to ‘Domain Users’.

If you log onto the RDS server itself > Windows Key+R > systm.cpl > Remote  > Remote Desktop > Select Users > Add as appropriate.

Errors

I had a situation where everyone worked apart from one user, who got this error;

The connection was denied because the user account is not authorised for remote login.

This user was a member of domain users, and all the normal boxes were ticked, I had to add ‘Domain Users’ AGAIN via Group Policy before the problem went away?

GPO Location

Computer Configuration > Policies > Windows Settings > Security Settings > Local Polices > User Rights > Allow Log on through Remote Desktop Services

Group Policy

Restricting users is fine but if you create a GPO and link it to your RDS servers, and enable ‘loopback processing’, then the policy will apply to the domain administrator, and members of the domain administrators group. To stop that happening, you need to ‘Deny: Apply group policy‘ to the users/groups that you DON’T want the policy being applied to;

Computer Policies

[Note: to remove the Server Manager shortcut from the task bar see below]

GPO Location

Computer Configuration  > Policies  > Administrative Templates  > System >  Server Manager > Do not display Server Manager automatically at logon

Setting: Enabled

Configure Group Policy Loopback Processing

The reason you do this is, a lot of the policies you want to apply are ‘user policies‘ and the group policy you link to your RDS servers is linked to a domain/site/OU that contains Computer objects. If you enable loopback processing you can configure user settings in the same policy and they get applied to users logging onto those computers the policy is linked to. This is perfect for Remote Desktop Services.

GPO Location

Computer Configuration  >Administrative Templates > System > Group Policy > Configure User Group Policy loopback processing mode

Setting: Enabled

User Policies

I hide access to the drives that are on the RDS server itself, and leave the rest because most people still have mapped drives and network drives they want access to.

GPO Location

User Configuration > Administrative Templates > Windows Components > File Explorer > Prevent access to drives from My Computer

Setting: Enabled

GPO Location [Server 2012 and older]

User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer

Setting: Enabled

Prevent/Hide Access to Control Applications 

There is a policy that blocks access to applications you specify, but I prefer to block ALL applications except the ones I specify, and I only ever allow access to Devices and Printers.

GPO Location

User Configuration > Administrative Templates > Control Panel > Show only specified Control Panel items

Setting: Enabled

Setting: Microsoft.DevicesAndPrinters

Note: For a list of all applications, search for ‘Canonical names for Control Panel Items’.

Remove Shut Down / Restart, Sleep and Hibernate

For obvious reasons you don’t want your users to have the ability to shut down the server.

GPO Location

User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands

Setting: Enabled

Now your users should just have’ lock’ and ‘sign out’.

Remove Use Of Command Line [CMD]

I say ‘remove use’, because with this policy enabled, even if a user manages to get a command window to run, they still can’t execute any commands. 

GPO Location

User Configuration > Policies  >Administrative Templates > System > Prevent access to registry editing tools

Setting: Enabled

Setting: Disable the command prompt script processing also: Yes. [Read the warning!]

So if a user does manage to get a command window open, this is what they will see;

Prevent Access to Registry Editing Tools [Regedit]

For obvious reasons, I don’t trust most techs in the registry, never mind ‘users’.

GPO Location

User Configuration > Policies > Administrative Templates> System > Prevent access to registry editing tools

Setting: Enabled

Setting: Disable Regedit from Running Silently: Yes. [Make sure you dont have any reg commands in your login scripts!]

If a user attempts to run the registry editing tools this is what they will see;

Remove Server Manager From the Task Bar

To do this you need to change permissions on the shortcut files.

GPO Location

Computer configuration > Policies > Windows settings > Security Settings > File System

Right click File system ‘Add File’, Change the permissions on the following files BY REMOVING  USERS, 

File: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk

The users/groups remaining should be;

• Administrators
• Creator 
• SYSTEM
• All Application Packages [may not be present]

Note: Sometimes you need to test this with a new ‘fresh user’. This is because these shortcuts are copied into the user profile, the first time a user logs on.

Prevent Access to PowerShell

This is much more difficult that it needs to be! I prevent access to the powershell.exe and powershell_ise.exe files.

GPO Location

User Configuration” > Policies > Administrative Templates > System > Don’t run specified Windows applications

Setting: Enabled

Setting: powershell.exe and powershell_ise.exe

Now if you user attempts to run PowerShell this is what they will see;

RDS Removing Administrative Tools From Start Menu

I do this by creating a custom start menu for my users, see the following article;

RDS – Custom Start Menu [Remove Administrative Tools]

Remove ‘Pinned’ Applications / Programs from the Taskbar

This is a bit of a ‘shotgun approach’, because it removes ALL [pinned items and stops users pinning items [which you might not want]. I use it because all solutions Ive found to remove the PowerShell shortcut from the Taskbar don’t seem to work on Server 2012R2

GPO Location

User Configuration > Policies  >Administrative Templates > Start Menu and Taskbar > Remove pinned programs from the taskbar

Setting: Enabled

This is what your users will see; 

Related Articles, References, Credits, or External Links

NA