If you have a Server 2016 Remote Desktop Services infrastructure, you will likely want to lock down the Session Hosts. Below are some of the useful Group Policies that we suggest you apply.
Note that Server 2012 and Server 2016 have the option to use something very important for security named USER PROFILE DISKS. A User Profile Disk is a VHDX that is created for each user. That Virtual Hard Disk contains their C:\USERS\ profile and blocks remote users from interacting with the physical disk.
If you want to use USER PROFILE DISKS click HERE for more information. If you don’t want to use USER PROFILE DISKS, you should consider configuring the following GPOs:
USER > POLICIES > SYSTEM > FOLDER REDIRECTION
USER > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > FILE EXPLORER > HIDE THESE SPECIFIED DRIVES IN MY COMPUTER
USER > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > FILE EXPLORER > PREVENT ACCESS TO DRIVES FROM MY COMPUTER
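The two File Explorer policies above store their drive selection as a bitmask (A=1, B=2, C=4, D=8 and so on, one bit per letter) in the user's Explorer policy key. The following PowerShell is an added example, not code from the original article: it builds that mask from a list of drive letters and reads the deployed NoDrives / NoViewOnDrive values back so you can confirm on a Session Host which drives the GPO actually hid or blocked. The registry path and value names are the ones these policies use; the drive letters passed at the bottom are a constructed sample.

```powershell
# Added example (not from the article). Bit i of the mask corresponds to drive
# letter i, with A = bit 0 (value 1), B = bit 1 (value 2), C = bit 2 (value 4), ...
function ConvertTo-DriveMask {
    param([Parameter(Mandatory)][string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $index = [int][char]::ToUpper([char]$letter[0]) - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $index)
    }
    return $mask
}

# Reverse of the above: turn a mask back into the drive letters it covers
function ConvertFrom-DriveMask {
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { [string][char](65 + $i) }
    }
}

# Read the two values the GPO writes for the current user and decode them.
# NoDrives     = "Hide these specified drives in My Computer"
# NoViewOnDrive = "Prevent access to drives from My Computer"
function Test-DrivePolicy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'NoDrives', 'NoViewOnDrive') {
        $value = $props.$name
        if ($null -eq $value) {
            [pscustomobject]@{ Policy = $name; Mask = $null; Drives = 'not set (policy not applied)' }
            continue
        }
        [pscustomobject]@{
            Policy = $name
            Mask   = ('0x{0:X}' -f $value)
            Drives = ((ConvertFrom-DriveMask -Mask $value) -join ',')
        }
    }
}

# Constructed sample: the mask you would set to cover the C: and D: drives
ConvertTo-DriveMask -DriveLetters 'C', 'D'

# What is actually deployed for the logged-on user
Test-DrivePolicy | Format-Table -AutoSize
```

Both policies are File Explorer restrictions, not file-system ACLs; Microsoft's own description of the settings notes that they do not stop other programs from reaching the drives, which is why this article pairs them with User Profile Disks or folder redirection and, further down, with blocking cmd.exe and PowerShell for users.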
Let's get started. Below are the GPOs we suggest you consider to lock down your RDS Session Hosts:
COMPUTER > POLICIES > WINDOWS SETTINGS > SECURITY SETTINGS > LOCAL POLICIES > SECURITY OPTIONS:

| Policy | Setting |
|---|---|
| Interactive logon: Do not display last user name | Enabled |
| Interactive logon: Message text for users attempting to log on | Welcome to the URTech's private network. The system you have connected to is to be used for U&R BUSINESS ONLY. This system is intended solely for use by U&R Staff for. Any other use of this system will be prosecuted to the fullest extent of the law. All actions are traced and logged on external servers. |
| Interactive logon: Message title for users attempting to log on | "U&R Cautionary Statement" |
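The three Security Options above land in the registry under the machine's System policy key (DontDisplayLastUserName as a DWORD, LegalNoticeCaption and LegalNoticeText as strings), which makes them easy to verify on each Session Host. The script below is an added example, not part of the article: it compares the deployed values against the ones you intended and reports each as compliant or not. The key path and value names are the documented ones for these policies; the expected banner strings are a constructed sample based on the text in the table.

```powershell
# Added example (not from the article). Values we expect the GPO to have written.
# Only the opening sentence of the banner is checked, since the full text is
# multi-line and may be edited over time.
$expectedLogonOptions = @{
    DontDisplayLastUserName = 1
    LegalNoticeCaption      = 'U&R Cautionary Statement'
    LegalNoticeText         = "Welcome to the URTech's private network."
}

function Test-LogonSecurityOptions {
    param([hashtable]$Expected = $expectedLogonOptions)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $actual = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $value = $actual.$name
        if ($name -eq 'LegalNoticeText') {
            # banner text: require the expected opening sentence rather than an exact match
            $ok = ("$value").StartsWith($Expected[$name])
        } else {
            $ok = ("$value" -eq "$($Expected[$name])")
        }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            Compliant = $ok
        }
    }
}

# Run on a Session Host after gpupdate to confirm the policy applied
Test-LogonSecurityOptions | Format-Table -AutoSize
```

The "Do not display last user name" check matters most: if the value is missing, the logon screen pre-fills the previous account name, which gives anyone at the RDP prompt half of a valid credential for free.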
COMPUTER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM > GROUP POLICY > SET THE REMOTE DESKTOP LICENSING MODE

| Policy | Setting |
|---|---|
| Specify the licensing mode for the RD Session Host server. | Per User |

COMPUTER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM > GROUP POLICY > USE THE SPECIFIED REMOTE DESKTOP LICENSE SERVERS

| Policy | Setting |
|---|---|
| License servers to use: | <YOUR-LICENSE-SERVER-HERE> (FYI, mine is vm-rdsg) |
USER > POLICIES > ADMINISTRATIVE TEMPLATES > CONTROL PANEL

| Policy | Setting |
|---|---|
| Show only specified Control Panel items | Enabled |
| List of allowed Control Panel items | main.cpl, inetcpl.cpl |
The complete description of .CPLs is available from Microsoft HERE, and a list of .CPLs is below:
USER > POLICIES > ADMINISTRATIVE TEMPLATES > DESKTOP > ACTIVE DIRECTORY

| Policy | Setting |
|---|---|
| Hide Active Directory folder | Enabled |
USER > POLICIES > ADMINISTRATIVE TEMPLATES > NETWORK > NETWORK CONNECTIONS

| Policy | Setting |
|---|---|
| Ability to Enable/Disable a LAN connection | Enabled |
| Prohibit access to properties of a LAN connection | Enabled |
USER > POLICIES > ADMINISTRATIVE TEMPLATES > NETWORK > OFFLINE FILES

| Policy | Setting |
|---|---|
| Prevent use of Offline Files folder | Enabled |
| Prohibit user configuration of Offline Files | Enabled |
USER > POLICIES > ADMINISTRATIVE TEMPLATES > START MENU AND TASKBAR

| Policy | Setting |
|---|---|
| Hide the notification area | Enabled |
| Remove All Programs list from the Start menu | Enabled: Remove and disable setting |
USER > POLICIES > ADMINISTRATIVE TEMPLATES > SYSTEM

| Policy | Setting |
|---|---|
| Don't run specified Windows applications | Enabled |
| List of disallowed applications | cmd.exe, msimin.exe, Powershell.exe |
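"Show only specified Control Panel items" (the CONTROL PANEL section above) and "Don't run specified Windows applications" (this section) are stored the same way for the user: a DWORD flag (RestrictCpl or DisallowRun) under the Explorer policy key, plus a subkey of the same name holding the list as numbered values "1", "2", and so on. The PowerShell below is an added example, not code from the article: it reads either deployed list back and compares it with the list the GPO was supposed to carry, so you can see at a glance whether an entry is missing or something unexpected has been added. Key path and value names are the ones these two policies use; the two lists at the bottom are the article's own, used here as sample input.

```powershell
# Added example (not from the article). Both policies keep their list under
# HKCU\...\Policies\Explorer\<PolicyName>, enabled by a DWORD of the same name.
$explorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-ExplorerPolicyList {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('RestrictCpl', 'DisallowRun')]
        [string]$Policy
    )
    $flag = (Get-ItemProperty -Path $explorerPolicyKey -Name $Policy -ErrorAction SilentlyContinue).$Policy
    if ($flag -ne 1) {
        Write-Warning "$Policy is not enabled for this user (flag = $flag)"
        return @()
    }
    $list = Get-Item -Path "$explorerPolicyKey\$Policy" -ErrorAction Stop
    # Entries are named "1", "2", ...; sort numerically so the order matches the GPO editor
    $names = $list.GetValueNames() | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int]$_ }
    foreach ($name in $names) { $list.GetValue($name) }
}

function Compare-ExplorerPolicyList {
    param(
        [Parameter(Mandatory)][ValidateSet('RestrictCpl', 'DisallowRun')][string]$Policy,
        [Parameter(Mandatory)][string[]]$Planned
    )
    $deployed = @(Get-ExplorerPolicyList -Policy $Policy)
    if ($deployed.Count -eq 0) {
        # Nothing deployed: every planned entry is missing (Compare-Object rejects an empty array)
        foreach ($entry in $Planned) {
            [pscustomobject]@{ Policy = $Policy; Entry = $entry; Status = 'missing' }
        }
        return
    }
    # Compare-Object is case-insensitive by default, matching how Windows treats file names
    foreach ($diff in (Compare-Object -ReferenceObject $Planned -DifferenceObject $deployed -IncludeEqual)) {
        switch ($diff.SideIndicator) {
            '==' { $status = 'deployed' }
            '<=' { $status = 'missing' }
            '=>' { $status = 'unexpected' }
        }
        [pscustomobject]@{ Policy = $Policy; Entry = $diff.InputObject; Status = $status }
    }
}

# The article's two lists, used as sample input for the comparison
$plannedLists = @{
    RestrictCpl = @('main.cpl', 'inetcpl.cpl')
    DisallowRun = @('cmd.exe', 'msimin.exe', 'Powershell.exe')
}
$plannedLists.Keys |
    ForEach-Object { Compare-ExplorerPolicyList -Policy $_ -Planned $plannedLists[$_] } |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, Microsoft's description of "Don't run specified Windows applications" states that it only affects programs started by the File Explorer process, so treat it as a tidiness control rather than a security boundary; where blocking cmd.exe or PowerShell actually matters, AppLocker or Windows Defender Application Control is the control to rely on. Second, as the comment at the end of this article points out, on current Windows builds "Show only specified Control Panel items" expects canonical names (for example Microsoft.InternetOptions) rather than .cpl file names, so the RestrictCpl comparison above is only meaningful once the planned list uses the same form that was deployed.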
USER > POLICIES > ADMINISTRATIVE TEMPLATES > WINDOWS COMPONENTS > FILE EXPLORER

| Policy | Setting |
|---|---|
| Hides the Manage item on the File Explorer context menu | Enabled |
| Maximum allowed Recycle Bin size | Enabled |
| Maximum Recycle Bin size: | 1 |
| Remove Security tab | Enabled |
Note that this is a new version of our 2010 article on common GPOs, including those for what was then called Terminal Services.
1 Comment
Gianluca F · March 13, 2020 at 11:56 am
For the setting "Show only specified Control Panel items" you should use the canonical name instead of the file name.