KB ID 0001211
Note: This is not an exhaustive list, but it’s what I use when securing Remote Desktop Services, (Terminal Services) servers. Some of these settings are ONLY for Server 2012 R2 and later. If you have any settings you think are omitted, please comment below.
User Access To RDS
If you want to create a Domain security group for RDS users than please do so. BE AWARE the ‘Remote Desktop Users’ group you see in Active Directory Users and Computers, (in the built in OU) is for access to Domain Controllers Only! In all the examples I use below I am allowing access to ‘Domain Users’.
If you log onto the RDS server itself > Windows Key+R > systm.cpl > Remote > Remote Desktop > Select Users > Add as appropriate.
I had a situation where everyone worked apart from one user, who got this error;
The connection was denied because the user account is not authorised for remote login.
This user was a member of domain users, and all the normal boxes were ticked, I had to add ‘Domain Users’ AGAIN via Group Policy before the problem went away?
Stop Group Policy Applying to Domain Administrators
Restricting users is fine but if you create a GPO and link it to your RDS servers, and enable ‘loopback processing’, then the policy will apply to the domain administrator, and members of the domain administrators group. To stop that happening, you need to ‘Deny: Apply group policy‘ to the users/groups that you DON’T want the policy being applied to;
Stop Server Manager Launching at Logon
(Note: to remove the Server Manager shortcut from the task bar see below)
Configure Group Policy Loopback Processing
The reason you do this is, a lot of the policies you want to apply are ‘user policies‘ and the group policy you link to your RDS servers is linked to a domain/site/OU that contains Computer objects. If you enable loopback processing you can configure user settings in the same policy and they get applied to users logging onto those computers the policy is linked to. This is perfect for Remote Desktop Services.
Prevent/Hide Access to Drives
I hide access to the drives that are on the RDS server itself, and leave the rest because most people still have mapped drives and network drives they want access to.
GPO Location (Server 2012 and older)
Prevent/Hide Access to Control Applications
There is a policy that blocks access to applications you specify, but I prefer to block ALL applications except the ones I specify, and I only ever allow access to Devices and Printers.
Note: For a list of all applications, search for ‘Canonical names for Control Panel Items’.
Remove Shut Down / Restart, Sleep and Hibernate
For obvious reasons you don’t want your users to have the ability to shut down the server.
Now your users should just have’ lock’ and ‘sign out’.
Remove Use Of Command Line (CMD)
I say ‘remove use’, because with this policy enabled, even if a user manages to get a command window to run, they still can’t execute any commands.
Setting: Disable the command prompt script processing also: Yes. (Read the warning!)
So if a user does manage to get a command window open, this is what they will see;
Prevent Access to Registry Editing Tools (Regedit)
For obvious reasons, I don’t trust most techs in the registry, never mind ‘users’.
Setting: Disable Regedit from Running Silently: Yes. (Make sure you dont have any reg commands in your login scripts!)
If a user attempts to run the registry editing tools this is what they will see;
Remove Server Manager From the Task Bar
To do this you need to change permissions on the shortcut files.
Right click File system ‘Add File’, Change the permissions on the following files BY REMOVING USERS,
File: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk
The users/groups remaining should be;
- All Application Packages (may not be present)
Note: Sometimes you need to test this with a new ‘fresh user’. This is because these shortcuts are copied into the user profile, the first time a user logs on.
Prevent Access to PowerShell
This is much more difficult that it needs to be! I prevent access to the powershell.exe and powershell_ise.exe files.
Setting: powershell.exe and powershell_ise.exe
Now if you user attempts to run PowerShell this is what they will see;
RDS Removing Administrative Tools From Start Menu
I do this by creating a custom start menu for my users, see the following article;
Remove ‘Pinned’ Applications / Programs from the Taskbar
This is a bit of a ‘shotgun approach’, because it removes ALL [pinned items and stops users pinning items (which you might not want). I use it because all solutions Ive found to remove the PowerShell shortcut from the Taskbar don’t seem to work on Server 2012R2
Related Articles, References, Credits, or External Links