Remote Desktop Services – Securing By Group Policy

KB ID 0001211

Problem

Note: This is not an exhaustive list, but it’s what I use when securing Remote Desktop Services, (Terminal Services) servers. Some of these settings are ONLY for Server 2012 R2 and later. If you have any settings you think are omitted, please comment below.

 

Solution

User Access To RDS

If you want to create a domain security group for RDS users then please do so. BE AWARE the 'Remote Desktop Users' group you see in Active Directory Users and Computers (in the Builtin container) controls Remote Desktop access to Domain Controllers only; on a member server it is the server's own local 'Remote Desktop Users' group (and the 'Allow log on through Remote Desktop Services' user right) that decides who may connect. In all the examples below I am allowing access to 'Domain Users'.

If you log onto the RDS server itself > Windows Key+R > sysdm.cpl > Remote tab > Remote Desktop > Select Users > Add as appropriate.

001 - RDS Users

Errors

I had a situation where everyone worked apart from one user, who got this error;

001a - RDS User Account Not Authorised For Remote Login

The connection was denied because the user account is not authorised for remote login.

This user was a member of Domain Users, and all the normal boxes were ticked; I had to add 'Domain Users' AGAIN via Group Policy before the problem went away.

GPO Location

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services

001b - GPO User Account Not Authorised For Remote Login
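The two checks above (local group membership on the session host, and the user right that Group Policy actually delivered), as an added PowerShell example that is not part of the original article. It is run elevated on the RDS server; 'DOMAIN\RDS-Users' is a placeholder for your own access group. Logon rights are not listed by 'whoami /priv', so the script exports the local security policy with secedit and resolves the SIDs it finds; it also prints the matching Deny right, because a Deny entry overrides the Allow entry and produces the same 'not authorised for remote login' error.

```powershell
# Added example, not from the original article: grant a domain group RDP access
# on an RDS session host and list who holds the two logon rights that decide
# the 'not authorised for remote login' error. Run elevated on the RDS server.
$RdsGroup = 'DOMAIN\RDS-Users'   # assumption: the group you want to allow in

# 1. Local group membership: the same thing the Remote tab in sysdm.cpl edits.
#    'net localgroup' works on Server 2012 R2; Add-LocalGroupMember needs 2016+.
$members = net localgroup 'Remote Desktop Users'
if (-not ($members | Select-String -SimpleMatch $RdsGroup)) {
    net localgroup 'Remote Desktop Users' $RdsGroup /add | Out-Null
}

# 2. Effective user rights. Export the local security policy with secedit and
#    read the right from the INF, resolving the SIDs it contains.
function Get-LogonRightHolders {
    param([string]$Right)   # e.g. SeRemoteInteractiveLogonRight
    $inf = Join-Path $env:TEMP 'rds-secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # INF format: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }   # orphaned SID (deleted account): keep it raw
        } else { $entry }        # secedit can also write plain account names
    }
}

# The Deny right wins over the Allow right, so check both: a user who is in
# 'Remote Desktop Users' but also matched by the Deny list still gets the error.
"Allow log on through Remote Desktop Services:"
Get-LogonRightHolders 'SeRemoteInteractiveLogonRight'     | ForEach-Object { "  $_" }
"Deny log on through Remote Desktop Services:"
Get-LogonRightHolders 'SeDenyRemoteInteractiveLogonRight' | ForEach-Object { "  $_" }
```

If the Allow list only shows BUILTIN\Administrators and BUILTIN\Remote Desktop Users, the group you added is fine as long as it is a member of the local Remote Desktop Users group; if a GPO has overwritten the right with an explicit list that omits that group, you get exactly the error above, which is why adding 'Domain Users' to the user right in the GPO fixed it.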

Group Policy

Stop Group Policy Applying to Domain Administrators

Restricting users is fine, but if you create a GPO, link it to your RDS servers and enable 'loopback processing', the user settings in that policy will also apply to the domain administrator and to members of the Domain Admins group whenever they log on to those servers. To stop that happening you need to 'Deny: Apply group policy' on the GPO for the users/groups that you DON'T want the policy applied to. Deny only 'Apply group policy', not 'Read', or those accounts will lose the ability to edit the policy as well;

003 - Stop Policy Applying to Domain Admins

Computer Policies

Stop Server Manager Launching at Logon

(Note: to remove the Server Manager shortcut from the task bar see below)

GPO Location

Computer Configuration > Policies > Administrative Templates > System > Server Manager > Do not display Server Manager automatically at logon

Setting: Enabled

002 - RDS Stop Server Manager

Configure Group Policy Loopback Processing

The reason you do this is that a lot of the policies you want to apply are 'user policies', while the GPO you link to your RDS servers is linked to a domain/site/OU that contains computer objects. With loopback processing enabled you can configure user settings in that same policy and they are applied to every user logging on to the computers the policy is linked to, regardless of where the user object lives. This is perfect for Remote Desktop Services.

GPO Location

Computer Configuration > Policies > Administrative Templates > System > Group Policy > Configure user Group Policy loopback processing mode

Setting: Enabled

Mode: Replace applies only the user settings from GPOs linked to the RDS servers (the user's own GPOs are ignored); Merge applies the user's own GPOs first and then the RDS GPOs, which win on any conflict. Replace is the usual choice for a locked-down session host.

004 - RDS Enable Loopback
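The computer-side work from the sections above (create and link the GPO, enable loopback processing, suppress Server Manager at logon, and deny 'Apply group policy' to Domain Admins), as an added PowerShell example that is not part of the original article. It uses the GroupPolicy module from RSAT or a domain controller; the GPO name and OU distinguished name are placeholders. Set-GPPermission cannot write a Deny entry, so the deny is added through the Microsoft.GroupPolicy .NET API that the module is built on; the registry values are the ones the two ADMX policies write.

```powershell
# Added example, not from the original article: build the RDS lockdown GPO.
Import-Module GroupPolicy
$GpoName = 'RDS Lockdown'                        # assumption: your GPO name
$RdsOu   = 'OU=RDS Servers,DC=example,DC=com'    # assumption: OU holding the session hosts
$Exempt  = 'Domain Admins'                       # group that must NOT receive the policy

# Create the GPO if needed and link it to the OU that contains the RDS computer objects.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Hardening for RDS session hosts' }
$linked = (Get-GPInheritance -Target $RdsOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $RdsOu -LinkEnabled Yes | Out-Null }

# Computer policy: loopback processing. UserPolicyMode 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Computer policy: do not display Server Manager automatically at logon.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Server\ServerManager' `
    -ValueName 'DoNotOpenAtLogon' -Type DWord -Value 1 | Out-Null

# Deny 'Apply group policy' to the exempt group. Set-GPPermission has no deny
# option, so use the Microsoft.GroupPolicy API: GPPermission(trustee, type, denied).
# Only GpoApply is denied; Read and Edit are untouched so admins can still edit the GPO.
$sec  = $gpo.GetSecurityInfo()
$deny = New-Object Microsoft.GroupPolicy.GPPermission(
            $Exempt, [Microsoft.GroupPolicy.GPPermissionType]::GpoApply, $true)
$sec.Add($deny)
$gpo.SetSecurityInfo($sec)

# Verify: the exempt group should appear with Permission = GpoApply and Denied = True.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq $Exempt } |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied
```

After a gpupdate /force on a session host, 'gpresult /r /scope:user' run as a test user should list the GPO under the user section (proof that loopback is working), and the same command run as a Domain Admin should list it under 'The following GPOs were not applied because they were filtered out' with the reason 'Access Denied (Security Filtering)'.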

User Policies

Prevent/Hide Access to Drives

I hide access to the drives that are on the RDS server itself, and leave the rest, because most people still have mapped drives and network drives they want access to. Bear in mind that this policy only hides the drives in File Explorer and the common dialogs; it does not stop a user who types a path, or a program, from reading those drives, so it is a tidiness control, not an access control. Use NTFS permissions for the latter.

GPO Location

User Configuration > Administrative Templates > Windows Components > File Explorer > Prevent access to drives from My Computer

Setting: Enabled

Setting: Pick one of the following combinations: choose the option that covers the server's local drive letters. The default 'Restrict A, B, C and D drives only' suits a server with a single system drive; if you have E:, F: etc. use 'Restrict all drives', remembering that this hides mapped network drives with those letters too.

GPO Location (Server 2012 and older)

User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer

Setting: Enabled

006 - RDS Hide Drives

Prevent/Hide Access to Control Applications 

There is a policy ('Hide specified Control Panel items') that blocks access to applications you specify, but I prefer to block ALL applications except the ones I specify, and I only ever allow access to Devices and Printers.

GPO Location

User Configuration > Administrative Templates > Control Panel > Show only specified Control Panel items

Setting: Enabled

Setting: Microsoft.DevicesAndPrinters

Note: For a list of all applications, search for ‘Canonical names for Control Panel Items’.

005 - RDS Policy Printers

Remove Shut Down / Restart, Sleep and Hibernate

For obvious reasons you don’t want your users to have the ability to shut down the server.

GPO Location

User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands

Setting: Enabled

007 - RDS Remove Shutdown

 

Now your users should just have 'Lock' and 'Sign out'.

007a - RDS Block User Shutdown

Remove Use Of Command Line (CMD)

I say 'remove use', because with this policy enabled, even if a user manages to get a command window to run, cmd.exe refuses to accept any commands and just shows the message below. Note that this only affects cmd.exe; it does nothing about PowerShell or other script hosts, which are dealt with further down.

GPO Location

User Configuration > Policies > Administrative Templates > System > Prevent access to the command prompt

Setting: Enabled

Setting: Disable the command prompt script processing also: Yes. (Read the warning! With this set to Yes, batch files (.bat/.cmd) will not run either, so any logon scripts written as batch files will silently fail for these users.)

008 - RDS Remove Access To Command Line

So if a user does manage to get a command window open, this is what they will see;

008a - RDS CMD Blocked

Prevent Access to Registry Editing Tools (Regedit)

For obvious reasons, I don’t trust most techs in the registry, never mind ‘users’.

GPO Location

User Configuration > Policies > Administrative Templates > System > Prevent access to registry editing tools

Setting: Enabled

Setting: Disable regedit from running silently: Yes. (This also blocks 'regedit /s', so make sure you don't have any reg-file imports in your login scripts!)

009 - RDS Remove Access To Regedit

If a user attempts to run the registry editing tools this is what they will see;

009a - RDS Regedit Block

Remove Server Manager From the Task Bar

To do this you need to change permissions on the shortcut files.

GPO Location

Computer configuration > Policies > Windows settings > Security Settings > File System

Right-click 'File System' > Add File, then change the permissions on the following file by REMOVING 'Users':

File: %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk

The users/groups remaining should be;

  • Administrators
  • CREATOR OWNER
  • SYSTEM
  • ALL APPLICATION PACKAGES (may not be present)

010 - Remove Server Manager From Taskbar

Note: Sometimes you need to test this with a new ‘fresh user’. This is because these shortcuts are copied into the user profile, the first time a user logs on.
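The same permission change done locally on a session host, as an added PowerShell example that is not part of the original article, so you can confirm the effect on one server before putting the entry into the GPO's File System node. It uses icacls (which is present on every supported Windows Server) rather than Set-Acl, because icacls can copy the inherited entries and break inheritance in one step, which is what the GPO entry does for you; the shortcut path is the one given above.

```powershell
# Added example, not from the original article: remove the Users ACE from the
# all-users Server Manager shortcut and show what is left. Run elevated.
$lnk = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Administrative Tools\Server Manager.lnk'
if (-not (Test-Path -LiteralPath $lnk)) { throw "Shortcut not found: $lnk" }

# /inheritance:d  copies the inherited ACEs onto the file and stops inheriting,
#                 so removing 'Users' sticks instead of being re-inherited.
# /remove:g       removes the grant ACEs for the named principal.
icacls "$lnk" /inheritance:d | Out-Null
icacls "$lnk" /remove:g 'BUILTIN\Users' | Out-Null

function Get-FilePrincipals {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

"Principals remaining on $(Split-Path $lnk -Leaf):"
Get-FilePrincipals $lnk | ForEach-Object { "  $_" }

# Sanity check: 'Users' must be gone, otherwise the shortcut still resolves for them.
if (Get-FilePrincipals $lnk | Where-Object { $_ -eq 'BUILTIN\Users' }) {
    throw 'BUILTIN\Users still has access to the shortcut'
}
```

To undo it on a test box, 'icacls "<path>" /inheritance:e' re-enables inheritance from the Administrative Tools folder and brings the Users entry back.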

Prevent Access to PowerShell

This is much more difficult than it needs to be! I prevent access to the powershell.exe and powershell_ise.exe files. Be aware of what this policy actually does: 'Don't run specified Windows applications' matches on file name only, and only for programs started by File Explorer (Start menu, desktop, Run box). It will not stop a renamed copy of powershell.exe, a script host started by another process, or a user who finds a different route to an interpreter. Treat it as a way to keep the shortcut out of users' reach; if you need to genuinely enforce it, use an application control mechanism such as AppLocker.

GPO Location

User Configuration > Policies > Administrative Templates > System > Don't run specified Windows applications

Setting: Enabled

Setting: powershell.exe and powershell_ise.exe

011 - RDS 2012 Remove PowerShell

Now if a user attempts to run PowerShell this is what they will see;

011a - RDS 2012 PowerShell Block

RDS Removing Administrative Tools From Start Menu

I do this by creating a custom start menu for my users, see the following article;

RDS – Custom Start Menu (Remove Administrative Tools)

Remove ‘Pinned’ Applications / Programs from the Taskbar

This is a bit of a 'shotgun approach', because it removes ALL pinned items and stops users pinning items (which you might not want). I use it because all the solutions I've found to remove the PowerShell shortcut from the taskbar don't seem to work on Server 2012 R2.

GPO Location

User Configuration > Policies > Administrative Templates > Start Menu and Taskbar > Remove pinned programs from the taskbar

Setting: Enabled

013 - RDS 2012 Remove Taskbar Pinned Items

This is what your users will see;

012 - RDS 2012 Remove Taskbar Pinned Items
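The user-side settings from all of the 'User Policies' sections above (hidden drives, Control Panel whitelist, no shutdown, no cmd, no regedit, blocked PowerShell executables, no pinned taskbar items) gathered into one table, as an added PowerShell example that is not part of the original article. Each entry is the registry value the corresponding ADMX policy writes, so the same table drives both the Set-GPRegistryValue loop on a management host with RSAT and a check you run on the session host as an ordinary test user after gpupdate and a fresh logon, which tells you which lockdowns actually reached the session. 'RDS Lockdown' is a placeholder GPO name; the value names are taken from the inbox ADMX files, so compare them with the policy's Explain text if your templates differ.

```powershell
# Added example, not from the original article: user-side RDS lockdown settings
# as the registry values their ADMX policies write, with apply and check functions.
$GpoName = 'RDS Lockdown'   # assumption: the loopback-enabled GPO linked to the RDS OU
$Pol = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'

$UserSettings = @(
    # Prevent access to drives from My Computer: bitmask A=1 B=2 C=4 D=8 ...;
    # 15 = 'Restrict A, B, C and D drives only', 0x3FFFFFF = 'Restrict all drives'.
    @{ Key = "$Pol\Explorer";             Name = 'NoViewOnDrive';        Value = 15 }
    # Show only specified Control Panel items; allowed canonical names live in the RestrictCpl subkey.
    @{ Key = "$Pol\Explorer";             Name = 'RestrictCpl';          Value = 1 }
    @{ Key = "$Pol\Explorer\RestrictCpl"; Name = '1'; Value = 'Microsoft.DevicesAndPrinters'; Type = 'String' }
    # Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands.
    @{ Key = "$Pol\Explorer";             Name = 'NoClose';              Value = 1 }
    # Prevent access to the command prompt: 1 = also block .bat/.cmd scripts, 2 = cmd only.
    @{ Key = 'HKCU\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Value = 1 }
    # Prevent access to registry editing tools: 2 = also block 'regedit /s', 1 = interactive only.
    @{ Key = "$Pol\System";               Name = 'DisableRegistryTools'; Value = 2 }
    # Don't run specified Windows applications (file-name match, Explorer-launched programs only).
    @{ Key = "$Pol\Explorer";             Name = 'DisallowRun';          Value = 1 }
    @{ Key = "$Pol\Explorer\DisallowRun"; Name = '1'; Value = 'powershell.exe';     Type = 'String' }
    @{ Key = "$Pol\Explorer\DisallowRun"; Name = '2'; Value = 'powershell_ise.exe'; Type = 'String' }
    # Remove pinned programs from the taskbar.
    @{ Key = "$Pol\Explorer";             Name = 'TaskbarNoPinnedList';  Value = 1 }
)

# Run on a management host with RSAT: writes every setting into the GPO.
function Set-RdsUserPolicy {
    Import-Module GroupPolicy
    foreach ($s in $UserSettings) {
        $type = if ($s.Type) { $s.Type } else { 'DWord' }
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name `
            -Type $type -Value $s.Value | Out-Null
    }
}

# Run on the RDS host as an ordinary test user: reads the policy hive of the
# current session and reports which settings are in effect.
function Test-RdsUserPolicy {
    foreach ($s in $UserSettings) {
        $psKey  = $s.Key -replace '^HKCU\\', 'HKCU:\'
        $actual = (Get-ItemProperty -Path $psKey -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting  = "$($s.Key)\$($s.Name)"
            Expected = $s.Value
            Actual   = $actual
            Ok       = ($null -ne $actual -and "$actual" -eq "$($s.Value)")
        }
    }
}

# Set-RdsUserPolicy                       # on the RSAT host, once
Test-RdsUserPolicy | Format-Table -AutoSize   # on the session host, as the test user
```

A row with Ok = False after gpupdate /force and a new logon usually means one of three things: loopback is not enabled on the GPO, the test account is caught by the 'Deny: Apply group policy' entry, or a GPO with higher precedence sets the same value.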

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


15 Comments

  1. Thank you! Excellent article, it’s very helpful!

  2. Much appreciated! It helped a lot!

  3. Thanks a lot Pete, your hints regarding the start menu helped me a lot!

  4. Very impressive article Pete. Thanks for taking time to write this down.

  5. under “Prevent/Hide Access to Drives”

    By default, it has A,B,C & D.

    how can you expand it to additional drives such as “E” or “F”?

    • Change it to “Restrict all drives”

      Pete

  6. Doesn’t exist any longer. Worth to correct it.
    User Configuration > Administrative Templates > Windows Components > Windows Explorer >

    • Good Catch, Cheers Mark.
      Post updated with the new policy location.

      Pete

  7. Hi,

    Wanted to ask: our users have laptops from which they RDP to their workstations. The laptops are on the domain and they use VPN software, and some use Remote Gateway on personal computers.

    I would like to stop them from shutting down their office workstations by accident, as some forget they are in an RDP session. So here I am looking into disabling the shutdown/restart option in the start menu only as a computer configuration and not a user configuration. As you know, this has to be a computer configuration, because if it was applied as a user configuration the shutdown button would also be removed from their domain laptop too.

    I have read an example that this can be done as a local policy, but that would be a pain on all workstations and GPO is the preferred method.

    • No, it's a user policy. The only way to get round it is to create a 'user policy', link it to the 'computer OU', then enable 'loopback processing' in the computer policy section of that same GPO, and set it to remove the shutdown command. For the particular policy, do a search above for hardening RDS servers; I've written that policy up in that article.

      P

      • Thanks! I’ll look into it further and your article.
