If you have a Server 2016 Remote Desktop Services infrastructure, you will likely want to lock down the Session Hosts.  Below are some of the useful Group Policies that we suggest you apply.

Note that Server 2012 and Server 2016 have the option to use something very important for security named USER PROFILE DISKS.  A User Profile Disk is a VHDX that is created for each user.  That virtual hard disk contains their C:\USERS\ profile and keeps remote users from interacting with the physical disk of the Session Host.

If you want to use USER PROFILE DISKS click HERE for more information.  If you don’t want to use USER PROFILE DISKS, you should consider configuring the following GPOs:

USER > POLICIES > SYSTEM > FOLDER REDIRECTION
USER > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > FILE EXPLORER > HIDE THESE SPECIFIED DRIVES IN MY COMPUTER
USER > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > FILE EXPLORER > PREVENT ACCESS TO DRIVES FROM MY COMPUTER

Let's get started.  Below are the GPOs we suggest you consider to lock down your RDS Session Hosts:


COMPUTER > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES > SECURITY OPTIONS:
Policy: Interactive logon: Do not display last user name
Setting: Enabled

Policy: Interactive logon: Message text for users attempting to log on
Setting: "Welcome to the URTech's private network. The system you have connected to is to be used for U&R BUSINESS ONLY. This system is intended solely for use by U&R Staff. Any other use of this system will be prosecuted to the fullest extent of the law. All actions are traced and logged on external servers."

Policy: Interactive logon: Message title for users attempting to log on
Setting: "U&R Cautionary Statement"

COMPUTER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM > GROUP POLICY > SET THE REMOTE DESKTOP LICENSING MODE
Specify the licensing mode for the RD Session Host server. Per User

COMPUTER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM > GROUP POLICY > USE THE SPECIFIED REMOTE DESKTOP LICENSE SERVERS
License servers to use:  <YOUR-LICENSE-SERVER-HERE>  (FYI, mine is vm-rdsg)

USER > POLICIES > ADMINISTRATIVE TEMPLATES > CONTROL PANEL
Show only specified Control Panel items: Enabled
List of allowed Control Panel items:
main.cpl
inetcpl.cpl
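Once the GPOs above are linked, the quickest way to confirm they actually reached a Session Host is to read the registry values Group Policy writes for each setting. The script below is an added example, not part of the original post; it assumes Per User licensing (LicensingMode 4), that you replace the placeholder license server name with your own, and that it runs in the session of a locked-down user, since the Control Panel restriction is a user-side policy.

```powershell
# Added verification script (not from the original post): read the registry
# values Group Policy writes for the settings above and report which applied.
# Assumptions: Per User licensing (LicensingMode 4); the placeholder license
# server name is replaced with your own; run as a locked-down user so the
# HKCU policies are the ones that user actually receives.

$LicenseServer = 'YOUR-LICENSE-SERVER-HERE'   # placeholder, e.g. the post's vm-rdsg

$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the GPO has not applied on this host
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    @{ Check = 'Do not display last user name'; Path = $sys; Name = 'DontDisplayLastUserName'; Expected = 1 }
    @{ Check = 'Logon message title';           Path = $sys; Name = 'LegalNoticeCaption';      Expected = 'U&R Cautionary Statement' }
    @{ Check = 'Logon message text is set';     Path = $sys; Name = 'LegalNoticeText';         NonEmpty = $true }
    @{ Check = 'Licensing mode (4 = Per User)'; Path = $ts;  Name = 'LicensingMode';           Expected = 4 }
    @{ Check = 'License server';                Path = $ts;  Name = 'LicenseServers';          Expected = $LicenseServer }
    @{ Check = 'Restrict Control Panel items';  Path = $exp; Name = 'RestrictCpl';             Expected = 1 }
)

$results = @(foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    # NonEmpty checks only require a value to be present (banner text varies per site)
    $ok = if ($c.NonEmpty) { -not [string]::IsNullOrWhiteSpace($actual) } else { "$actual" -eq "$($c.Expected)" }
    [pscustomobject]@{ Check = $c.Check; Actual = $actual; OK = $ok }
})

# The allowed list lives in a RestrictCpl subkey, one numbered value per item
$allowedKey = Join-Path $exp 'RestrictCpl'
$allowed = @()
if (Test-Path $allowedKey) {
    $allowed = @((Get-ItemProperty -Path $allowedKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}
$results += [pscustomobject]@{ Check = 'Allowed Control Panel items'; Actual = ($allowed -join ', '); OK = ($allowed.Count -gt 0) }

$results | Format-Table -AutoSize
if ($results.OK -contains $false) { Write-Warning 'One or more lockdown policies have not applied.'; exit 1 }
```

A non-zero exit code makes the script usable from a scheduled task or monitoring check, so a host that silently drops out of the GPO scope gets noticed.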

The complete description of .CPLs is available from Microsoft HERE, but a list of .CPLs is below:

Categories: Windows Server

1 Comment

Gianluca F · March 13, 2020 at 11:56 am

For the setting "Show only specified Control Panel items" you should use the canonical name instead of the file name.
