Export (0) Print
Expand All

Chapter 11: Hardening Terminal Services

Published: February 27, 2008

 

Terminal Services in Windows Server® 2008 supports Remote Desktop Protocol (RDP) 6.0 or later. Windows Server 2008 and Windows Vista® also include the Remote Desktop Connection (RDC) 6.0 client and support it.

Note   The RDC version 6.1 software is available for use on Windows Vista Service Pack 1 (SP1) and Windows® XP SP3. For the best user experience, Microsoft recommends to download the installer package from Microsoft to update your RDC clients to the latest version of either operating system.

In addition to the primary Terminal Services server role, Windows Server 2008 includes the following specific role services:

  • TS Licensing. The Terminal Services Licensing (TS Licensing) role service manages the Terminal Services client access licenses (TS CALS) that are required for devices and users to connect to a terminal server. You can use this role service to install, issue, and monitor the availability of TS CALs.
  • TS Session Broker. The Terminal Services Session Broker (TS Session Broker) role service supports reconnection to an existing session on a terminal server that is a member of a load-balanced terminal server farm.
  • TS Gateway. The Terminal Services Gateway (TS Gateway) role service enables authorized remote users to connect to terminal servers and computers with Remote Desktop enabled on an internal corporate or private network over the Internet. Users can connect from any Internet-connected device that can run the RDC client. The TS Gateway role service does not require users to establish a virtual private network (VPN) session. In addition, this role service uses port 443 to transmit RDP traffic over the HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel. You do not need to open additional ports on the firewall to use this role service.

    When you use Server Manager to install the TS Gateway role service, Server Manager also installs and starts the RPC HTTP Proxy server, the Network Policy and Access Services, the Web Server (IIS) role service, and the Windows Process Activation Services.

  • TS Web Access. The Terminal Services Web Access (TS Web Access) role service allows you to provide access to Terminal Server sessions through a Web interface. Users that you authorize can gain access to terminal servers by using their Web browser. You can configure the Web interface to advertise applications and connections that are available to the user.

Windows Server 2008 also includes the Terminal Services RemoteApp™ (TS RemoteApp) and Terminal Services Easy Print features.

TS RemoteApp allows users to access programs remotely using Terminal Services. The programs appear as if they are running on the user's local computer. TS RemoteApp enables you to provide users with access to a single application over a remote connection, rather than the entire desktop.

The Terminal Services Easy Print feature allows client computers to redirect print sessions to a local printer without the need for an administrator to install any printer drivers on the terminal server. This feature is not a security feature, but it does significantly reduce the risk to the server of a rogue print driver causing a denial-of-service (DoS) attack.

Each role service provides specific functionality to the enterprise and introduces additional elements that can add to the attack surface of the servers performing this role. The following figures illustrates the five role services that you can select as part of the Windows Server 2008 Terminal Services role.

90b9b8a1-3c48-46aa-aff2-10c319168920

Figure 11.1. Role services hierarchy for Terminal Services

Attack Surface

The Terminal Services server role provides technologies for client computers to access desktop sessions or specific applications running on the terminal server. To determine the attack surface of this server role, you need to identify the following.

  • Installed files. These are files that are installed as part of the Terminal Services server role.
  • Running services. These are services that are installed as part of the Terminal Services server role.

    Note   You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.

  • Firewall rules. These are the firewall rules that the Terminal Services server role uses.

The details of the attack surface for the Terminal Services role are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this server role, on the Terminal Services tab of the workbook, view the sections that correspond to each of the items in the previous list.

Security Measures

This section describes the security measures that you can incorporate into your Terminal Services server role configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Terminal Services option on the Select Role Services page of the Add Roles Wizard.

From a security perspective, the Terminal Services role has the greatest attack surface and requires more configuration settings than the other role services that this security guide discusses. However, only the TS Gateway role service has specific configuration changes that relate to security. There are no additional steps to secure the TS Licensing, TS Session Broker, and TS Web Access role services.

Configuration Checklists

There are two main areas to focus on when securing your terminal servers:

  • Securing connections to the terminal servers.
  • Securing the TS Gateway.

The standard internal network terminal server scenario only requires you to install the Terminal Services server role. This installation adds TCP port 3389 to the server's listening port list, which enables client computers to establish RDP remote desktop sessions with the server. Succeeding sections in this chapter provide more information about each of the recommendations in the following lists.

Securing Connections to the Terminal Servers

The following table summarizes the recommended security configuration tasks for hardening servers performing the Terminal Services role. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.

Table 11.1. Terminal Server Configuration Checklist

 

Configuration tasks

 

Configure the network level authentication.

 

Enable Single Sign-On for Terminal Services.

 

Enable secure use of saved credentials with Windows Vista RDP clients.

 

Change the default RDP port.

 

Use smart cards with Terminal Services.

 

Use the NTFS file system.

 

Use TS Easy Print exclusively

 

Partition user data on a dedicated disk.

 

Create specialized OUs for terminal servers.

 

Set Group Policy settings for the terminal servers.

 

Set Group Policy settings for the remote desktops.

 

Restrict users to specific programs.

 

Limit terminal server security auditing.

Configure the Network Level Authentication

Network Level Authentication is a new authentication method that completes user authentication before you establish a Remote Desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software. Network Level Authentication includes the following advantages:

  • It requires fewer server resources initially. The server uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions.
  • It can help provide better security by reducing the risk of DoS attacks.

To use Network Level Authentication, you must meet the following requirements:

  • The client computer must use Remote Desktop Connection (RDC) 6.0 or later.
  • The client computer must run an operating system, such as Windows Vista, that supports Credential Security Support Provider (CredSSP).
  • The terminal server must run Windows Server 2008.

You can configure a terminal server to only support connections from client computers running Network Level Authentication. You can set the Network Level Authentication setting for a terminal server in the following ways:

  • Use Server Manager to install the Terminal Server role service through the Add Roles Wizard on the Specify Authentication Method for Terminal Server page.
  • On the Remote tab in the System Properties dialog box on a terminal server.

    If the Allow connections from computers running any version of Remote Desktop (less secure) setting is not selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and applied to the terminal server.

    To configure the Network Level Authentication setting by using the Remote tab in the System Properties dialog box on a terminal server, see the "Configuring remote connection settings" section of Terminal Server Installation in the Windows Server 2008 Technical Library.

  • On the General tab of the Properties dialog box for a connection in the Terminal Services Configuration tool by selecting the check box for the Allow connections only from computers running Remote Desktop with Network Level Authentication setting.

    If the check box for this setting is selected and the setting is dimmed, the Group Policy setting for Require user authentication for remote connections by using Network Level Authentication has been enabled and applied to the terminal server.

  • By applying the Group Policy setting for Require user authentication for remote connections by using Network Level Authentication.

    This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security. You can configure this setting by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).

    Note   This Group Policy setting takes precedence over the setting configured in Terminal Services Configuration or on the Remote tab.

To determine whether a computer is running a version of RDC that supports Network Level Authentication, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase "Network Level Authentication supported" in the About Remote Desktop Connection dialog box.

For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter Web site.

For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference.

The majority of terminal server users are likely to require the user interface (UI) on the terminal server to be consistent with the UI on their desktop computers. For example, if your users run Windows Vista on their computers, you will need to install the same desktop user experience on the terminal server to provide them with the same UI while running remote desktop sessions.

Enable Single Sign-On for Terminal Services

Single sign-on (SSO) is an authentication method that allows users with a domain account to log on once using a password or smart card, and then gain access to remote servers without being asked for their credentials again.

To implement SSO in Terminal Services, you must meet the following requirements:

  • Use can use SSO for remote connections in either of the following scenarios:
    • Support users logging on from a computer running Windows Vista to a terminal server running Windows Server 2008.
    • Support users logging on from one server running Windows Server 2008 to another server running Windows Server 2008.
  • User accounts must have appropriate rights to log on to both the terminal server and the client computer running Windows Vista.
  • The client computer and terminal server must be joined to a domain.

Configuration Tasks

To configure the recommended settings for your terminal server, complete the following tasks:

  • Configure authentication on the terminal server.
  • Configure the computer running Windows Vista to allow default credentials to be used for logging on to the specified terminal server.

Membership in the local Administrators group, or equivalent, is the minimum requirement to complete this procedure.

To configure authentication on the terminal server

  1. Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
  2. Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and then click Properties.
  3. Click the General tab, verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0).
  4. On the Log on Settings tab, ensure that the Always prompt for password check box is not selected, and then click OK.

To allow default credential usage for single sign-on

  1. On the Windows Vista-based computer, click Start, and then in the Start Search box, type gpedit.msc and press ENTER.
  2. Expand Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.
  3. Double-click Allow Delegating Default Credentials.
  4. In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.
  5. In the Show Contents dialog box, click Add.
  6. In the Add Item dialog box, in the Enter the item to be added box, type termsrv/ followed by the name of the terminal server (for example, termsrv/Server1), click OK, and then click OK again.

Membership in the local Administrators group, or equivalent, is the minimum requirement to complete this procedure. To review details about using the appropriate accounts and group memberships, see Why you should not run your computer as an administrator on Microsoft® TechNet.

For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter Web site.

Enable Secure Use of Saved Credentials with Windows Vista RDP Clients

Windows Vista Credential Delegation policy does not allow a Windows Vista RDP client to send saved credentials to a TS server when the TS server is not authenticated. By default, Windows Vista RDP clients use the Kerberos protocol for server authentication. Alternatively, they can use SSL server certificates, but these are not deployed to servers by default. There are three common scenarios where using the Kerberos protocol to authenticate the server is not possible, but using SSL server certificates is possible. Because SSL server certificates are not deployed by default, using saved credentials does not work when you attempt the following:

  • Connect from a home computer to a Terminal Services server through a TS Gateway server.
  • Connect to a stand-alone computer.
  • Connect to a terminal server farm.

When you connect from home through a TS Gateway server to a terminal server hosted behind a corporate firewall, the TS client has no direct connectivity to a key distribution center hosted on a domain controller behind the corporate firewall. As a result, server authentication using the Kerberos protocol fails. When you connect to a stand-alone server, the Kerberos protocol is not used.

For each of these circumstances, you need to enable server authentication, install SSL certificates issued by a trusted certificate authority (CA), and define the server name in the subject field. Deploy the certificates to all terminal servers that you want to use server authentication. Use the following procedure to add certificates to your terminal servers.

To set the SSL certificate for a connection

  1. Click Start, click Run, and then in the Open box type tsconfig.msc and click OK.
  2. In the Connections box of the Configuration for terminal server pane, double-click RDP-Tcp.
  3. On the General tab, click Select.
  4. Select the certificate you want to assign to the connection, and click OK.

In addition, Kerberos authentication does not work in terminal server farm scenarios because farm names do not have accounts associated with them in Active Directory®. Without these accounts, Kerberos-based server authentication is not possible.

To enable server authentication in a server farm, use SSL certificates that are issued by a trusted CA and that have the farm name in the subject field. Deploy them to all servers in your farm. The SSL certificate will provide server authentication for a terminal server, and the Credential Delegation policy will allow saved credentials to be used for remote connections.

Important   A compromised client computer allowed to connect to a TS session could be used to attempt an attack against the Terminal Services server. Microsoft recommends to ensure that all client computers and servers in your organization are adequately protected against malware and are running the latest software updates to help mitigate this risk.

Change the Default RDP Port

If you are concerned about the attack surface exposure of the common RDP port (TCP 3389), you can configure the RDP session to use a different port. However, you must apply the modification to both the terminal server itself and all of the TS clients. It is important to note that changing this port does increase the complexity of both the terminal server deployment and any subsequent audit or troubleshooting steps. For this reason, Microsoft only recommends this step for high risk environments where organizations can justify the overhead required to manage the additional complexity.

For more information about changing the RDP port, see Microsoft Knowledge Base article 187623: "How to change Terminal Server’s listening port."

Use Smart Cards with Terminal Services

Terminal Services RDP client sessions in Windows Server 2008 support the ability to authenticate users who log on using smart cards to remote sessions in a domain that uses Active Directory® Domain Service (AD DS). A smart card is a form of two-factor authentication that requires the user to have a smart card and know the PIN to gain access to network resources. Smart cards provide secure, tamper-resistant storage for private keys and X.509 security certificates. Smart cards also allow you to require strong credentials from users in a manageable way to provide a more secure environment.

This option provides significant protection against an attacker using a valid user's account credentials to access hosts. If the terminal server requires a valid smart card for a user to log on, an attacker would have to not only know the logon and password details of the user, but also possess the user's smart card. For this reason, Microsoft recommends configuring your terminal server to require smart card authentication if your company has a two-factor authentication policy.

To use smart cards with Windows Server 2008 Terminal Services, you must have AD DS deployed in your organization, and your client computers must run a Microsoft client operating system with built-in smart card support, such as Windows Vista or Windows XP, and most devices that run Windows CE .NET. You must also ensure that the computers users can launch terminal server sessions from smart card readers that are locally installed.

Once you have met these requirements, deploying smart cards for use with Windows Server 2008 Terminal Services is the same as deploying smart cards for use with standard Windows client authentication.

Use the NTFS File System

Microsoft strongly recommends using the NTFS file system as the only file system on terminal server hard disk drives. The file allocation table (FAT) file system does not offer any user and directory security, whereas with NTFS you can limit subdirectories to certain users or groups of users.

This is important in a multi-user system, such as one that uses Terminal Services. Without the security that NTFS provides, any user has access to every directory and file on the terminal server. There also are additional performance advantages available only by using the NTFS file system, such as disk quotas and file system auditing.

Use TS Easy Print Exclusively

TS Easy Print is a new feature in Windows Server 2008 that enables users to reliably print from a TS RemoteApp program or full desktop session to a local or network printer installed on the client computer. Printers can now be supported without the need to install print drivers on the terminal server. When users want to print from a TS RemoteApp program or desktop session, they will see the full printer properties dialog box (printer user interface) from the local client and have access to all the printer functionality.

You can use Group Policy to limit the number of printers redirected to just the default printer, thereby reducing overhead, and improving reliability and scalability. To do this, apply the Group Policy setting for Redirect only the default client printer.

This Group Policy setting is located in Computer Configuration\ Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection.

You can configure this setting by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Enabling this policy setting ensures that only the TS client's default printer can be redirected on the TS server. This policy works with connections from any version of the TS client.

Partition User Data On a Dedicated Disk

If you allow users to upload data onto a terminal server's system drive, it is possible the data can seriously affect the server's performance, even to the point of becoming a DoS attack. For this reason, Microsoft recommends storing user data on a dedicated hard disk drive that is isolated from the operating system data.

To do this, you can use the Terminal Server User Profile setting in Group Policy to redirect the terminal server user account profile to the user's data drive.

To configure Terminal Services-specific profile settings manually

  1. Open Active Directory Users and Computers.
  2. Right-click the user account that you want to set profile settings on, and then click Properties.
  3. Click the Terminal Services profile tab.

You can configure the following Terminal Services-specific profile settings manually using the following methods:

  • Terminal Services User Profile path. You can use this path to choose a place to store users' Terminal Services profiles other than the default location.
  • Terminal Services home folder. You can specify a path to a home folder for use with Terminal Server sessions. This directory can be either a local folder or a network share.

You also can enforce both of these options directly using Group Policy at the following location:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server

To provide additional protection, consider enabling quota management on the hard disk drive for user data to manage the disk space for users. For more information about using disk quotas, see Working with Quotas in the Step-by-Step Guide for File Server Resource Manager.

Create Specialized OUs for Terminal Servers

Where possible, Microsoft recommends that you consider placing the Terminal Server computer objects in a specialized OU to allow you to create system-wide restrictions for your terminal server environment. Doing this enforces computer-based restrictions on the Terminal Server. Administrators have the option to apply user-based restrictions to all users, including administrators who log on to the Terminal Server. You can add these restrictions, or establish them in place of policies for users when they log on to the domain. Refer to the computer loopback policy for additional information.

Note   The policies mentioned in this section can severely restrict functionality for even the administrator account.

If you need to apply per-user restrictions, place the user account object into the locked down OU. However, this enforces user-based restrictions for that user account regardless of which computer the user accesses to log on to the domain.

Microsoft recommends one of two approaches when you implement Group Policy for this purpose:

  • Place user accounts into the locked down OU.

    With this approach, you create Terminal Server-only user accounts and place them in the locked down OU. You can then allow user logons to the Terminal Server for only these users by using the Terminal Server Configuration MMC snap-in. Instruct users to only use these accounts on the Terminal Server. If some computer restrictions are necessary, disable loopback processing and place the Terminal Server computer object in the OU. Aside from the restrictive computer policies, users can have different levels of restrictions on the same Terminal Server. This implementation allows administrators to perform some operations on the Terminal Server while users are active.

  • Place only the Terminal Server computer object in the locked down OU.

    With this approach, after installing and configuring all applications on the Terminal Server, you can place the Terminal Server computer object in the locked down OU, and then enable loopback processing. All users who log on to the Terminal Server are then restricted by user-based policies defined by the locked down Group Policy object (GPO), regardless of the OU that users are located in.

    This can prevent many local changes from being applied to the Terminal Server. However, an administrator can still remotely maintain the server. If administrators need access to the Terminal Server, log off all users and temporarily restrict their logons to the Terminal Server. Move the Terminal Server computer object out of the locked down OU, then log on. Return the Terminal Server computer object to the locked down OU, and then re-enable user logons after maintenance is complete. This implementation does not require users to have multiple user accounts. It can also prevent configuration changes to the Terminal Server while it is in production.

After you have decided on the policy application approach that you want to use, the next step is to determine the Group Policy settings that you wish to apply to the environment. For the purposes of this guide, recommendations are included for the settings that can be most effective in helping to secure a terminal server installation in the EC and SSLF environments. However, due to potential compatibility and usability issues, these setting are not enforced in the GPOs that the GPOAccelerator tool creates.

Important   If you chose to enforce these setting recommendations, it is important to thoroughly test them to determine which ones are most effective in your environment. It is possible that some setting restrictions could cause compatibility issues with some applications that your organization requires.

Set Group Policy Settings for the Terminal Servers

There are a number of Group Policy settings that you can use to configure Terminal Services on a terminal server. This section includes policy object names, descriptions and the purpose of the settings, and recommendations where applicable.

You can use the GPMC to edit policy objects that affect Terminal Services security. The following list represents some of the key areas:

  • Security Options
  • System Services
  • Connections
  • Device and Resource Redirection
  • Session Time Limits
  • Windows Installer
  • Group Policy

Security Options Policy Settings

Microsoft recommends using policy settings to control security options in the following location of the GPMC:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.2. Terminal Server Computer Security Options Policy Settings

Policy object

Description

Default

Devices: Restrict CD-ROM access to locally logged-on user only

Recommended setting: Enabled

This policy allows only users who log on to the console of the Terminal Server access to the CD-ROM drive. Microsoft recommends to enable this policy to prevent users and administrators from remotely accessing programs or data on a CD-ROM.

Not defined

Devices: Restrict floppy access to locally logged-on user only

Recommended setting: Enabled

This policy allows only users who log on to the console of the Terminal Server access to the floppy disk drive. Microsoft recommends to enable this policy to prevent users and administrators from remotely accessing programs or data on a floppy disk.

Not defined

Interactive logon: Do not display last user name

Recommended setting: Enabled

This policy determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.

If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box.

By default the name of the last user to log on is displayed. Microsoft recommends to enable this setting to hide logon names from users who access the server.

Disabled

System Services Policy Settings

Microsoft recommends using policy settings to control system services in the following location of the GPMC:

Computer Configuration\Windows Settings\Security Settings\System Services

The following table identifies policy object name, recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.3. Terminal Server Computer System Services Policy Setting

Policy object

Description

Default

Help and Support

Recommended setting: Disabled

This policy disables the Help and Support Center service. It prevents users from starting the Windows Help and Support Center application. This policy does not disable help files (such as the *.chm) or Help in other applications.

Disabling this service might cause issues with other programs and services that depend on it. Microsoft recommends to disable this service to prevent users from starting other applications or viewing system information about the Terminal Server.

Not defined

Connections Policy Settings

Microsoft recommends using policy settings to control connections in the following location of the GPMC:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.4. Terminal Server Computer Connections Policy Settings

Policy object

Description

Default

Restrict Terminal Services users to a single remote session

Recommended setting: Enabled

This policy can prevent a single user from creating multiple sessions on the Terminal Server using a single user account.

Not defined

Remove Disconnect option from Shut Down dialog box

Recommended setting: Enabled

This policy removes the disconnect option from the Shut Down Windows dialog box. It does not prevent users from disconnecting the session to the Terminal Server. Use this policy if you do not want users to easily disconnect from their session and you have not removed the Shut Down Windows dialog box.

Not defined

Device and Resource Redirection Policy Settings

Microsoft recommends using policy settings to control resource redirection in the following location of the GPMC:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.5. Terminal Server Computer Device and Resource Redirection Policy Settings

Policy object

Description

Default

Allow audio redirection

Recommended setting: Disabled

This policy specifies whether users can choose where to play the remote computer's audio output during a Terminal Services session. Users can use the Remote computer sound option on the Local Resources tab of Remote Desktop Connection to choose whether to play the remote audio on the remote computer or on the local computer. Users can also choose to disable the audio.

Disabled

Do not allow clipboard redirection

Recommended setting: Enabled

By default, Terminal Services allows clipboard redirection. This policy specifies whether to prevent the sharing of clipboard contents between a remote computer and a client computer during a Terminal Services session. You can use this setting to prevent users from redirecting clipboard data to and from the remote computer and the local computer.

Not defined

Do not allow COM port redirection

Recommended setting: Enabled

By default, Terminal Services allows this COM port redirection. This policy specifies whether to prevent the redirection of data to client COM ports during a Terminal Services session. You can use this setting to prevent users from mapping local COM ports and redirecting data from the remote computer to local COM port peripherals.

Not defined

Do not allow drive redirection

Recommended setting: Enabled

By default, Terminal Server maps client hard disk drives automatically upon connection. Microsoft recommends to enable this policy to prevent users from gaining easy access to applications on their local computer via the drive redirection.

Not defined

Do not allow LPT port redirection

Recommended setting: Enabled

By default, Terminal Services allows LPT port redirection. This policy specifies whether to prevent the redirection of data to client LPT ports during a Terminal Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals.

Not defined

Do not allow supported Plug and Play device redirection.

Recommended setting: Enabled

By default, Terminal Services allows redirection of supported Plug and Play devices. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose supported Plug and Play devices to redirect then to the remote computer.

If you enable this policy, users cannot redirect their supported Plug and Play devices to the remote computer.

Note: You can also disallow redirection of supported Plug and Play devices on the Client Settings tab in the Terminal Services Configuration tool.

Not defined

Do not allow smart card device redirection

Recommended setting: Disabled

This policy allows you to enable or disable the redirection of smart card devices in a Terminal Services session. Microsoft recommends using smart card devices where possible, and for this reason this setting should not be enabled.

Not defined

Session Time Limits Policy Settings

Microsoft recommends using policy settings to control session time limits in the following location of the GPMC:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

The following table identifies the policy object name, recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.6. Terminal Server Computer Session Time Limits Policy Setting

Policy object

Description

Default

Set time limit for disconnected sessions

Recommended setting: Enabled

By default, Terminal Server allows users to disconnect from a session and keep all of their applications active for an unlimited amount of time. This policy specifies a time limit for disconnected Terminal Server sessions to remain active. Microsoft recommends to enable this policy if you do not want disconnected sessions to remain active for long on the Terminal Server.

Not defined

Windows Installer Policy Settings

Microsoft recommends using policy settings to control Windows® Installer in the following location of the GPMC:

Computer Configuration\Administrative Templates\Windows Components\Windows Installer

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.7. Terminal Server Computer Windows Installer Policy Setting

Policy object

Description

Default

Disable Microsoft Windows Installer

Recommended setting: Enabled

If this policy is set for nonmanaged applications only, Windows Installer still functions for applications that are published or assigned by Group Policy. If this policy is set to Always, Windows Installer is completely disabled. This may be beneficial if you do not want some published or assigned applications on Terminal Server.

Disabling Windows Installer does not prevent application installations from other setup programs or methods. Microsoft recommends installing and configuring applications prior to enabling this policy. After you enable it, administrators cannot install applications that use Windows Installer.

Not defined

User Group Policy Settings

Microsoft recommends using policy settings to control user groups in the following location of the GPMC:

Computer Configuration\Administrative Templates\System\Group Policy

The following table identifies the policy object name, recommended setting and the setting description, and the setting default in Windows Server 2008.

Table 11.8. Terminal Server Computer User Group Policy Setting

Policy object

Description

Default

User Group Policy loopback processing mode

If the Terminal Server computer object is placed in the locked down OU, and the user account is not, loopback processing applies the restrictive user configuration policies to all users on the Terminal Server.

If you enable this policy, all users, including administrators who log on to the Terminal Server are affected by the restrictive user configuration policies, regardless of where the user account is located.

There are two modes for this policy:

·              Merge mode first applies to the user’s own GPO, then to the locked down policy. The lockdown policy takes precedence over the user’s GPO.

·              Replace mode only uses the locked down policy and not the user’s own GPO. This policy enforces restrictions based on computers instead of user accounts.

If you disable this policy, and the Terminal Server computer object is placed in the locked down OU, only the computer configuration policies are applied to the Terminal Server. Each user account must be placed into the OU to enforce the user configuration restriction on that user.

Not defined

Set Group Policy Settings for the Remote Desktops

When planning the workload configuration for terminal server sessions, there is a number of important steps you can take to optimize the security of sessions for users. Microsoft recommends applying these settings to user accounts that are in the locked down terminal servers OU. If you use loopback processing, all user accounts that log on to computers in the locked down OU also have these restrictions applied.

While many of the settings in this guide work on client computers running Windows Vista or Windows XP with SP2 or later, testing for this guide was only performed on computers running Windows Vista. Ensure to perform your own testing for all of these settings on the client computers that you support in your production environment.

You can use the GPMC to edit policy objects that affect Remote Desktop security. The following list represents some of the key areas:

  • Folder Redirection
  • Internet Explorer Search
  • Internet Explorer Browser Menus
  • Application Compatibility
  • Internet Explorer
  • Common Open File Dialog
  • Task Scheduler
  • Windows Messenger
  • Windows Sidebar
  • Windows PowerShell™
  • Windows Update
  • Start Menu and Taskbar
  • Desktop
  • Control Panel
  • Add or Remove Programs
  • Printer
  • System
  • Ctrl+Alt+Del Options
  • Scripts

Folder Redirection Policy Settings

Microsoft recommends using policy settings to control folder redirection in the following location of the GPMC:

User Configuration\Windows Settings\Folder Redirection

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.9. Terminal Server Computer Folder Redirection Policy Settings

Policy object

Description

Default

Application data

Recommended setting: Basic redirection and create a folder for each user under the root path.

To do this, on the Settings tab, enable the option to grant the user exclusive rights. Enable the option to move the contents of the folder to a new location. Also set the policy removal to redirect the folder back to the local user profile location when the policy is removed.

Not defined

Desktop

Recommended setting: Basic redirection and create a folder for each user under the root path.

To do this, on the Settings tab, enable the option to grant the user exclusive rights. Enable the option to move the contents of the folder to a new location. Also set the policy removal to redirect the folder back to the local user profile location when the policy is removed.

Not defined

My Documents

Recommended setting: Basic redirection and create a folder for each user under the root path.

To do this, on the Settings tab, enable the option to grant the user exclusive rights. Enable the option to move the contents of the folder to a new location. Also set the policy removal to redirect the folder back to the local user profile location when policy is removed.

Not defined

Start Menu

Recommended setting: Basic redirection and redirect to the following location.

To do this, on the Settings tab, set the policy removal to redirect the folder back to the local user profile location when the policy is removed. Create a \Programs\Startup folder under this shared folder.

Enabling these policies can provide a central point for backing up user data. In addition, if the policy to restrict access to local hard disk drives is enabled, users need folder redirection if they do not want to see messages saying that they have restricted access.

If a roaming profile server is not available, you can use local shares. To do this, create a master folder for all of the user data (such as C:\userdata). Create four subfolders, one for each folder type (such as AppData, Desktop, MyDocs, and Start). Share each of the subfolders and then set the share permissions for the Everyone group to Change. Finally, set each path to its corresponding share.

You also can configure the Start Menu differently to share it across all users. To do this, change the share permissions from the Everyone group to Read. Ensure to manually create the Programs\Startup folder under the shared Startup folder (C:\userdata\Start\Programs\Startup).

Not defined

Internet Explorer Search Policy Settings

Microsoft recommends using policy settings to control Microsoft Internet Explorer® search behavior in the following location of the GPMC:

User Configuration\Administrative Templates\Windows Components\Internet Explorer

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.10. Terminal Server Computer Internet Explorer Search Policy Setting

Policy object

Description

Default

Search: Disable Find Files via F3 within the browser

Recommended setting: Enabled

This policy disables the use of the F3 key to search in Internet Explorer and Windows Explorer. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk drive (from Windows Explorer).

If the user presses F3, a prompt appears informing the user that this feature is disabled. Microsoft recommends to enable this policy to prevent users from searching for applications on their hard disk drives or browsing the Internet.

Not defined

Internet Explorer Browser Menus Policy Settings

Microsoft recommends using policy settings to control Internet Explorer browser menus in the following location of the GPMC:

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.11. Internet Explorer Menus Policy Settings

Policy object

Description

Default

Disable Context menu

Recommended setting: Enabled

This policy prevents the shortcut menu from appearing when users click the right mouse button while using the browser.

Microsoft recommends to enable this policy to prevent use of the shortcut menu as an alternate method of running commands.

Not defined

Hide Favorites menu

Recommended setting: Enabled

This policy prevents users from adding, removing, or editing the list of Favorites links. If you enable this policy, the Favorites menu is removed from the interface and the Favorites button on the browser toolbar appears dimmed. Use this policy if you want to remove the Favorites menu from Windows Explorer and you do not want to give users easy access to Internet Explorer.

Not defined

For additional Internet Explorer 7.0 security settings that you can use to provide additional restrictions on the browser, see the Windows Vista Security Guide.

Application Compatibility Policy Settings

Microsoft recommends using a policy setting to control 16-bit application execution in the following location in the GPMC:

User Configuration\Administrative Templates\Windows Components\Application Compatibility

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.12. Application Compatibility Policy Setting

Policy object

Description

Default

Prevent access to 16-bit applications

Recommended setting: Enabled

This policy prevents the MS-DOS® subsystem (ntvdm.exe) from running for the user. This setting affects the start of all 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users. Many MS-DOS applications are not Terminal Server friendly and can cause high CPU utilization due to constant polling of the keyboard.

Microsoft recommends to enable this policy with the Computer Configuration (system-wide) to block 16-bit applications on the entire terminal server.

Not defined

Internet Explorer Policy Settings

Microsoft recommends using policy settings to control Windows Explorer in the following location in the GPMC:

User Configuration\Administrative Templates\Windows Components\Windows Explorer

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.13. Windows Explorer Policy Settings

Policy object

Description

Default

Remove the Folder Options menu item from the Tools menu

Recommended setting: Enabled

This policy removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box.

Microsoft recommends to enable this policy to prevent users from configuring many properties of Windows Explorer, such as Active Desktop®, Web view, Offline Files, hidden system files, and file types.

Not defined

Remove File menu from Windows Explorer

Recommended setting: Enabled

This policy removes the File menu from My Computer and Windows Explorer. It does not prevent users from using other methods to perform tasks available on the File menu.

Microsoft recommends to enable this policy to remove easy access to tasks such as "New," and "Open With," as well as shell extensions for some applications. Enabling this policy also prevents easy creation of shortcuts to executables.

Not defined

Remove "Map Network Drive" and "Disconnect Network Drive"

Recommended setting: Enabled

This policy prevents users from connecting and disconnect to shares with Windows Explorer. It does not prevent mapping and disconnecting hard disk drives from other applications or the run command.

Microsoft recommends to enable this policy to remove easy access to browsing the domain from Windows Explorer. If mapped drives are necessary, you can map them from a logon script.

Not defined

Remove Search button from Windows Explorer

Recommended setting: Enabled

Microsoft recommends to enable this policy to prevent users from searching for applications from Windows Explorer. This policy does not prevent search routines in other applications or the Start Menu.

Not defined

Remove Security Tab

Recommended setting: Enabled

This policy removes the Security tab from Windows Explorer. Even if users can open the Properties dialog box for file system objects, including folders, files, shortcuts, and drives, they cannot access the Security tab.

Microsoft recommends to enable this policy to prevent users from changing the security settings or viewing a list of all users who have access to the object.

Not defined

Remove Windows Explorer's default context menu

Recommended setting: Enabled

This policy removes the shortcut menu from Windows Explorer.

Microsoft recommends to enable this policy to prevent easy access to applications that place hooks into the shortcut menu. This policy does not remove other methods of accessing applications on the shortcut menu, such as using shortcut hotkeys.

Not defined

Hides the Manage item on the Windows Explorer context menu

Recommended setting: Enabled

This policy removes the Manage option from Windows Explorer or My Computer. The Manage option opens the Computer Management MMC snap-in (compmgmt.msc). Users can access items like Event Viewer, System Information, and Disk Administrator from Computer Management. This policy does not restrict access to these tasks from other methods, such as Control Panel and the run command.

Microsoft recommends to enable this policy to remove easy access to system information about the Terminal Server.

Not defined

Hide these specified drives in My Computer

Recommended setting: Enabled – Restrict A, B, C, and D drives only.

This policy only removes the icons from My Computer, Windows Explorer, and the standard file dialog box. It does not prevent users from access to these drives by other means, such as the command prompt. The policy only allows you to hide drives A through D.

Microsoft recommends to enable this policy to hide the floppy disk drive, the CD-ROM drive, and the operating system partition. You can configure a partition for public data to be the only drive that users can view. If required, you can use NTFS permissions to restrict access to this partition.

Important   If you are using BitLocker™ Drive Encryption do not attempt to hide the BitLocker boot drive.

Not defined

Prevent access to drives from My Computer

Recommended setting: Enabled – A, B, C, and D drives only.

This policy prevents access to drives A through D with My Computer, Windows Explorer, and the standard file dialog box. This policy does not prevent access from programs that do not use the common dialog boxes. Users can still start applications that reside on the restricted drives.

Microsoft recommends to enable this policy to restrict file browsing of system partitions.

Not defined

Remove Hardware tab

Recommended setting: Enabled

This policy removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices items in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard disk drives, floppy disk drives, and CD-ROM drives.

Microsoft recommends to enable this policy to prevent users from using the Hardware tab to view the device list or device properties.

Not defined

No Computers Near Me in Network Locations

Recommended setting: Enabled

Removes computers in the user's workgroup and domain from lists of network resources in Windows Explorer and Network Locations. This policy removes the Computers Near Me option and the icons representing nearby computers from Network Locations. This setting also removes these icons from the Map Network Drive browser.

This policy does not prevent users from connecting to computers in their workgroup or domain by other common methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box.

Not defined

No Entire Network in Network Locations

Recommended setting: Enabled

This policy removes all computers outside of the user's workgroup or local domain from lists of network resources in Windows Explorer and Network Locations. This setting removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option.

This policy does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.

Not defined

Turn off Windows+X hotkeys

Recommended setting: Enabled

This policy turns off Windows+X hotkeys. Keyboards with a Windows logo key provide users with shortcuts to common shell features.

Not defined

Turn on Classic Shell

Recommended setting: Enabled

This policy stops users from configuring their system to open items by single-clicking. As a result, the user interface looks and operates like the interface for Windows NT® 4.0, and users cannot restore the new features.

Enabling this policy also turns off the preview pane, sets the folder options for Windows Explorer to use the classic folders view, and prevents users from changing these options.

Note: In operating systems earlier than Windows Vista, enabling this policy also disables the Active Desktop and Web view. This setting also takes precedence over the Enable Active Desktop setting. If both policies are enabled, Active Desktop is disabled.

Microsoft recommends to enable this policy to remove Folder Tasks. You can use some folder tasks, such as the one for the My Music folder to start Internet Explorer.

Not defined

Common Open File Dialog Policy Settings

Microsoft recommends using policy settings to control file dialog boxes in the following location in the GPMC:

User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.14. Windows Explorer Policy Settings

Policy object

Description

Default

Hide the common dialog places bar

Recommended setting: Enabled

This policy removes the Back button from the standard Open dialog box available to users in Windows® 2000 Professional, which makes this dialog box appears as it did in Windows NT 4.0 or earlier. This policy affects only programs that use the standard Open dialog box provided to developers of Windows programs.

In Window Vista, this policy applies only to applications that use the Windows XP common dialog box style. This policy does not apply to the new Windows Vista common dialog box style. Also, third-party applications running with Windows 2000 or later certification are required to adhere to this policy setting.

Not defined

Items displayed in Places Bar

Recommended setting: Enabled

This policy configures the list of items displayed in the Places Bar in the Windows File/Open dialog box. Enabling this policy allows you to specify from 1 to 5 items to display in the Places Bar.

Microsoft recommends setting specific places for your terminal server clients.

The valid items you can display in the Places Bar are:

1.         Shortcuts to local folders (for example C:\Windows).

2.         Shortcuts to remote folders (for example \\server\share).

3.         FTP folders.

4.         Web folders.

5.         Common Shell folders.

The list of Common Shell folders that you can specify include: Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments, and Saved Searches.

If you disable or do not configure this policy the default list of items display in the Places Bar.

In Windows Vista, this policy applies only to applications that use the Windows XP common dialog box style. This policy does not apply to the new Windows Vista common dialog box style.

Not defined

Task Scheduler Policy Settings

Microsoft recommends using policy settings to control Task Scheduler in the following location in the GPMC:

User Configuration\Administrative Templates\Windows Components\Task Scheduler

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.15. Task Scheduler Policy Settings

Policy object

Description

Default

Hide Property Pages

Recommended setting: Enabled

This policy prevents users from viewing and changing the properties of an existing task by removing the Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, users cannot change any properties of a task. They can only see the properties that appear in Detail view and in the task preview.

Not defined

Prohibit Task Deletion

Recommended setting: Enabled

This policy prevents users from deleting tasks from the Scheduled Tasks folder. However, this policy does not prevent administrators from deleting tasks with the AT command, or from a remote computer.

Not defined

Prevent Task Run or End

Recommended setting: Enabled

This policy prevents users from starting and stopping tasks.

Not defined

Prohibit New Task Creation

Recommended setting: Enabled

This policy removes the Add Scheduled Task item that starts the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Scheduled Tasks folder. This policy does not prevent administrators from creating new tasks with the AT command, or doing so from a remote computer.

Not defined

Windows Messenger Policy Settings

Microsoft recommends using a policy setting to control Windows Messenger in the following location of the GPMC:

User Configuration\Administrative Templates\Windows Components\Windows Messenger

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.16. Windows Messenger Policy Setting

Policy object

Description

Default

Do not allow Windows Messenger to be run

Recommended setting: Enabled

This policy prevents users from running Windows Messenger.

Not defined

Windows Sidebar Policy Settings

Microsoft recommends using a policy setting to control Windows Sidebar in the following location of the GPMC:

User Configuration\Administrative Templates\Windows Components\Windows Sidebar

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.17. Windows Sidebar Policy Setting

Policy object

Description

Default

Turn off Windows Sidebar

Recommended setting: Enabled

This policy prevents users from running Windows Sidebar.

Not defined

Windows PowerShell Policy Settings

The Windows PowerShell scripting environment has many advantages, but on a Terminal Server remote desktop there are security risks associated with users who can run PowerShell scripts. By default, PowerShell scripts are not allowed to execute. However, the option for this functionality can be enabled. For this reason, Microsoft recommends using Group Policy to disable this option.

Microsoft recommends using a policy setting to control Windows PowerShell in the following location of the GPMC:

User Configuration\Administrative Templates\Windows Components\Windows PowerShell

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.18. Windows PowerShell Policy Setting

Policy object

Description

Default

Turn on Script Execution

Recommended setting: Disabled

This policy allows you to configure the script execution policy to control what scripts can run.

Microsoft recommends to disable this policy so that users cannot run scripts.

Not defined

Windows Update Policy Settings

Microsoft recommends using a policy setting to control Windows Update in the following location of the GPMC:

User Configuration\Administrative Templates\Windows Components\Windows Update

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.19. Windows Update Policy Setting

Policy object

Description

Default

Remove access to use all Windows Update features

Recommended setting: Enabled

This policy removes access to Windows Update. If you enable this policy, all Windows Update features are removed. This includes blocking access to the Microsoft Windows Update Web site from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; users are not notified about critical updates and do not receive critical updates from Windows Update.

This policy also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. You can use this policy to prevent changes to the Terminal Server while it is in production. If you disable Windows Update, you should schedule periodic checks to ensure that Windows® has the latest critical updates.

Not defined

Start Menu and Taskbar Policy Settings

Microsoft recommends using policy settings to control Windows Start Menu and Taskbar in the following location of the GPMC:

User Configuration\Administrative Templates\Start Menu and Taskbar

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.20. Start Menu and Taskbar Policy Settings

Policy object

Description

Default

Remove links and access to Windows Update

Recommended setting: Enabled

This policy removes links and access to the Windows Update Web site. The Windows Update Web site is only available for administrators.

Microsoft recommends to enable this policy to remove easy access to Internet Explorer for users.

Not defined

Remove common program groups from Start Menu

Recommended setting: Enabled

This policy removes shortcuts to programs from the all users’ profile. Only the Start Menu in the user’s profile or the redirected Start Menu is available.

Microsoft recommends to enable this policy to remove easy access to built-in applications, such as games, the calculator, and Windows Media® Player.

Not defined

Remove pinned programs list from Start Menu

Recommended setting: Enabled

This policy removes the Pinned Programs list from the Start Menu. It also removes the default links to Internet Explorer and Outlook® Express if they are pinned, and it prevents users from pinning any new programs to the Start Menu. The Frequently Used Programs list is not affected.

Not defined

Remove programs on Settings menu

Recommended setting: Enabled

This policy removes Control Panel, Printers, and Network Connections from Settings on the Classic Start menu, My Computer and Windows Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to open Display Properties or right-clicking My Computer to open System Properties.

Microsoft recommends to enable this policy to prevent easy access to viewing or changing system settings.

Not defined

Remove Network Connections from Start Menu

Recommended setting: Enabled

This policy prevents the Network Connections folder from opening. The policy also removes Network Connections from Settings on the Start Menu. Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears explaining that a setting prevents this action.

Microsoft recommends to enable this policy to prevent users from creating new connections, such as VPN or dial-up connections.

Not defined

Remove Search link from Start Menu

Recommended setting: Enabled

This policy removes the Search item from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the Windows logo key)+F.

In Windows Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses CTRL+F. Also, the Search item does not appear in the context menu when you right-click an icon representing a drive or a folder.

Not defined

Remove Drag-and-Drop context menus on the Start Menu

Recommended setting: Enabled

This policy prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. This setting does not prevent users from using other methods of customizing the Start menu or performing the tasks available from the shortcut menus.

Microsoft recommends to enable this policy to remove shortcut menus from the Start menu, including tasks such as creating a new shortcut.

Not defined

Remove Favorites menu from Start Menu

Recommended setting: Enabled

This policy prevents users from adding the Favorites menu to the Start menu or the Classic Start menu. Use this policy if you do not want users to execute Internet Explorer.

The Favorites menu does not appear on the Start menu by default, but this policy disables the Favorites link. This setting only affects the Start menu. The Favorites menu still exists in Windows Explorer and Internet Explorer.

Not defined

Remove Help menu from Start Menu

Recommended setting: Enabled

This policy removes the Help link from the Start menu.

Microsoft recommends to enable this policy to prevent users from easily viewing System Information about the Terminal Server.

Not defined

Remove Run menu from Start Menu

Recommended setting: Enabled

Enabling this policy removes the Run command from the Start menu, New Task from Task Manager, and blocks users from typing a UNC path, local drive, and local folders into the Internet Explorer Address bar. Also, users with extended keyboards cannot display the Run dialog box by pressing Windows+R.

Not defined

Remove Network icon from Start Menu

Recommended setting: Enabled

This policy removes the Network icon from the Start menu.

Microsoft recommends to enable this policy to prevent easy access to browsing the network.

Not defined

Add Logoff to the Start Menu

Recommended setting: Enabled

This policy adds the Log Off <user name> item to the Start menu and prevents users from removing it. This policy affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press CTRL+ALT+DEL or CTRL+ALT+END while using a key board connected to a Terminal Server client computer.

Not defined

Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands

Recommended setting: Enabled

This policy prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy does not prevent users from running programs to shut down Windows.

Microsoft recommends to enable this policy to help remove confusion for the users and prevent administrators from shutting down the system while it is in production.

Not defined

Prevent changes to Taskbar and Start Menu Settings

Recommended setting: Enabled

This policy prevents users from customizing the taskbar and the Start menu. It can simplify the desktop enforcing the configuration set by the administrator.

Microsoft recommends to enable this policy to restrict the ability to add other applications to the Start menu by browsing or typing the location of an application.

Not defined

Remove access to the context menus for the taskbar

Recommended setting: Enabled

This policy hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons.

Microsoft recommends to enable this policy to prevent potential access to files and applications by starting Windows Explorer or Search.

Not defined

Force classic Start Menu

Recommended setting: Enabled

When this policy is enabled, the Start menu displays the classic Start menu that Windows 2000 displays and the following standard desktop icons: Documents, Pictures, Music, Computer, and Network.

When this policy is disabled, the Start menu only displays the latest UI style, which displays the desktop icons on the Start page.

Not defined

Desktop Policy Settings

Microsoft recommends using policy settings to control the Windows Desktop in the following location of the GPMC:

User Configuration\Administrative Templates\Desktop

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.21. Desktop Policy Settings

Policy object

Description

Default

Remove Properties from the Documents icon context menu

Recommended setting: Enabled

This policy hides the Properties option of the context menu for the Documents icon.

Microsoft recommends to enable this policy if shortcut menus are not disabled and you do not want users to easily view or edit the location of their Documents folder.

Not defined

Remove Properties from the Computer icon context menu

Recommended setting: Enabled

This policy hides the Properties option when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Users also cannot use the ALT+ENTER key combination to display this option when Computer is selected.

Not defined

Remove Properties from the Recycle Bin context menu

Recommended setting: Enabled

This policy removes the Properties option from the Recycle Bin context menu.

Microsoft recommends to enable this policy if context menus are not disabled and you do not want users to easily view or change Recycle Bin settings.

Not defined

Hide Network Locations icon on desktop

Recommended setting: Enabled

This policy only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network with other methods.

Microsoft recommends to enable this policy to remove easy access to browsing the network for applications.

Not defined

Hide Internet Explorer icon on the desktop

Recommended setting: Not defined

This policy removes the Internet Explorer icon from the desktop and the Quick Launch bar on the taskbar. Microsoft does not recommend to enable this setting as it does not prevent the user from starting Internet Explorer by using other methods.

Not defined

Prohibit User from manually redirecting Profile Folders

Recommended setting: Enabled

This policy prevents users from changing the path to their profile folders. By default, a user can change the location of their individual profile folders, such as Documents, Music, and so on by typing a new path in field for this on the Locations tab of the folder's Properties dialog box.

Microsoft recommends to enable this policy to prevent browsing for applications.

Not defined

Hide and disable all items on the desktop

Recommended setting: Not defined

This policy removes icons, shortcuts, and other default and user-defined items from the desktop, including Recycle Bin, Computer, and Network. Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent. Therefore, Microsoft does not recommend to enable this setting. User can still save and open items on the desktop by using the Common File dialog box or Windows Explorer. However, the items do not display on the desktop.

Not defined

Remove My Documents icon on the desktop

Recommended setting: Not defined

This policy removes most occurrences of the My Documents icon. It does not prevent users from applying other methods to gain access to the contents of the My Documents folder. Therefore, Microsoft does not recommend to enable this setting.

Not defined

Remove Computer icon on the desktop

Recommended setting: Enabled

This policy hides the Computer icon from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer by using the Up icon when this setting is enabled, an empty Computer folder displays.

Microsoft recommends to enable this policy to present users with a simpler desktop environment from using this icon, and remove easy access to Computer Management and System Properties by no longer allowing users to right-click the icon.

Not defined

Control Panel Policy Settings

Microsoft recommends using policy settings to restrict Control Panel in the following location of the GPMC:

User Configuration\Administrative Templates\Control Panel

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.22. Control Panel Policy Setting

Policy object

Description

Default

Prohibit access to the Control Panel

Recommended setting: Enabled

This policy removes access to Control Panel and disables all Control Panel programs. It also prevents Control.exe, the program file for Control Panel, from starting.

Microsoft recommends to enable this setting to prevent users from viewing configuration information about the Terminal Server.

Not defined

Add or Remove Programs Policy Settings

Microsoft recommends using policy settings to control the Add or Remove Programs Control Panel item in the following location of the GPMC:

User Configuration\Administrative Templates\Control Panel\Add or Remove Programs

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.23. Add or Remove Programs Policy Setting

Policy object

Description

Default

Remove Add or Remove Programs

Recommended setting: Enabled

This policy removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. If access to Control Panel is prohibited, you can use this policy to remove the links to Add or Remove Programs from places like Computer. The link then displays an access denied message if a user clicks it. This policy does not prevent users from using other tools and methods to install or uninstall programs.

Microsoft recommends to enable this policy to prevent users from viewing Terminal Server configuration information.

Not defined

Printer Policy Settings

Microsoft recommends using policy settings to control the Printers Control Panel item in the following location of the GPMC:

User Configuration\Administrative Templates\Control Panel\Printers

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.24. Printer Policy Setting

Policy object

Description

Default

Prevent addition of printers

Recommended setting: Enabled

This policy prevents users from using familiar methods to add local and network printers. This policy does not prevent the autocreation of Terminal Server redirected printers, nor does it prevent users from running other programs to add printers.

Microsoft recommends to enable this policy to prevent users from browsing the network or searching Active Directory for printers.

Not defined

For more information about controlling the security of printers, see Chapter 8, "Hardening Print Services" of this guide.

System Policy Settings

Microsoft recommends using policy settings to control the System in the following location of the GPMC:

User Configuration\Administrative Templates\System

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.25. System Policy Settings

Policy object

Description

Default

Prevent access to the command prompt

Recommended setting: Enabled

Configure the Disable the command prompt script processing also setting to No.

This policy prevents users from running the interactive command prompt Cmd.exe. From the command prompt users can start applications. This policy also determines whether batch files (.cmd and .bat files) can run on the computer.

Important   Do not prevent the computer from running batch files on a Terminal Server. This policy does not prevent access to Command.com (16-bit command interpreter). To disable Command.com, you can restrict access with NTFS permission, or disable all 16-bit applications with the Prevent access to 16-bit application policy setting.

Microsoft recommends to enable the Prevent access to the command prompt policy setting to prevent users from bypassing other policy settings by using the command prompt instead of Windows Explorer as the shell.

Not defined

Prevent access to registry editing tools

Recommended setting: Enabled

This policy blocks user access to Regedit.exe. It does not prevent other applications for editing the registry.

Microsoft recommends to enable this policy to prevent users from changing their shell to the command prompt or bypassing other policies.

Not defined

Run only specified Windows applications

Recommended setting: Enabled – Define list of authorized applications

This policy only prevents users from running programs that Windows Explorer starts. It does not prevent users from running programs such as Task Manager that a user can start with a system process. Also, if users can access the command prompt, Cmd.exe, this setting does not prevent them from starting programs from the command window, which they can access using Windows Explorer.

Microsoft recommends to enable this policy to restrict users to only run programs that are added to the List of Allowed Applications.

Not defined

Ctrl+Alt+Del Options Policy Settings

Microsoft recommends using policy settings to control the CTRL+ALT+DEL options in the following location of the GPMC:

User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options

The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.

Table 11.26. Ctrl+Alt+Del Options Policy Settings

Policy object

Description

Default

Remove Task Manager

Recommended setting: Enabled

This policy prevents users from starting Task Manager.

Microsoft recommends to enable this policy to prevent users from using Task Manager to start and stop programs, monitor the performance of the Terminal Server, and search for the executable names of applications.

Not defined

Remove Lock Computer

Recommended setting: Not defined

This policy prevents users from locking their sessions. Users can still disconnect and log off. While locked, the desktop cannot be used. Only the user who locked the system or the system administrator can unlock it. Microsoft does not recommend to enable this setting as users may need to lock their session to prevent access to it while they are away from their computer.

Not defined

Scripts Policy Settings

Microsoft recommends using policy settings to control script execution behavior in the following location of the GPMC:

User Configuration\Administrative Templates\System\Scripts

The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.

Table 11.27. Script Policy Setting

Policy object

Description

Default

Run legacy logon scripts hidden

Recommended setting: Enabled

This policy hides the instructions in logon scripts written for Windows NT 4.0 and earlier.

Microsoft recommends to enable this policy to prevent users from viewing or interrupting logon scripts written for Windows NT 4.0 or earlier.

Not defined

Restrict Users to Specific Programs

Software restriction policies provide administrators with a policy-driven mechanism to identify software programs running on computers in a domain and to control the ability of those programs to execute. You can use policies to block malicious scripts, to lock down a computer, or to prevent unwanted applications from running.

For more information about software restriction policies, see

"Using Software Restriction Policies."

Limit Terminal Server Security Auditing

Auditing any system can introduce significant performance overhead depending on the number of events you audit and the number of user sessions that generate the events. When you configure a terminal server on Windows Server 2008, the cumulative effect of auditing events for multiple users working on the server at one time can affect the terminal server's performance.

In addition, for event logs to have any value you need staff to effectively review the logs on a regular basis. The more events you log, the larger the impact on performance and the more effort it will take to assess them.

For these reasons, Microsoft recommends to only enable as much event auditing that your organization can effectively use to balance security logging needs with the performance requirements of your terminal servers. In addition, you should test the impact of any changes to the terminal servers' auditing policies before you introducing an updated policy set to any production servers.

The following table identifies audit policy object names, audit setting descriptions, and recommended audit settings in Windows Server 2008.

Table 11.28. Terminal Server Audit Policy Settings

Policy object

Description

Recommended setting

Audit account logon events

This policy determines whether to audit each instance of a user logging on or off from a computer that is used to validate the account. Account logon events are generated when a domain user account is authenticated on a domain controller. The event is logged in the domain controller's security log. This policy is typically enabled only on domain controllers and is not normally required on a terminal server.

No Auditing

Audit account management

This policy determines whether to audit each event of account management on the terminal server. Examples of account management events include:

  • A user account or group is created, changed, or deleted.
  • A user account is renamed, disabled, or enabled.
  • A password is set or changed.

Audit Success and Failure

Audit directory service access

This policy determines whether to audit the event of a user who accesses an Active Directory Domain Services (AD DS) object that has a specified system access control list (SACL). This policy is typically enabled only on domain controllers and is not normally required on a terminal server.

No Auditing

Audit logon events

You can use this policy to audit each instance of a user logging on or off a terminal server.

Audit Success and Failure

Audit object access

This policy determines whether to audit the event of a user who accesses an object, such as a file, folder, registry key, printer, or any object that has a specified SACL. Because this policy can generate a large number of entries, Microsoft recommends to only use this setting to audit failures that indicate unauthorized users attempting to access objects.

Audit Failure

Audit policy change

This policy determines whether to audit each instance of a change to user rights assignment policies, audit policies, or trust policies on the terminal server. Because this data should rarely change, Microsoft recommends to audit these changes.

Audit Success and Failure

Audit privilege use

This policy determines whether to audit each instance of a user exercising a user right. This policy can also generate a large number of entries in the security event log. For this reason, Microsoft does not typically recommend to log successful events for this policy because the event volume is likely to slow the performance of the terminal server.

Audit Failure

Audit process tracking

This policy determines whether to audit detailed tracking information for events, such as program activation, process exit, handle duplication, and indirect object access.

Audit Failure

Audit system events

This policy determines whether to audit users when they restart or shut down the computer or when an event occurs that affects either the system security or the security log.

Audit Success and Failure

After enabling any of these audit settings, it is important to check the event logs on the terminal server regularly and archive them as needed. If you choose to enable the Audit object access setting, you also need to configure auditing on each object that you want to track. Microsoft recommends restricting this capability to a manageable number of objects.

In addition to the ability to audit file system and registry objects, terminal servers can also report audit information about terminal server connections. These auditing reports record actions attempted during user sessions. For example, you can monitor actions such as modifying connection properties or remotely controlling a user's session after enabling connection auditing.

To enable Connection Auditing

  1. On the terminal server, click Start, click Administrative Tools, and then click Terminal Services Configuration to open this tool.
  2. In the right-hand panel, under the Connections list, right-click the desired connection name (RDP-Tcp by default), and then select Properties.
  3. In the Properties dialog box, click the Security tab. If a Terminal Services Configuration information dialog box pops up, click OK.
  4. Click the Advanced button and then select the Auditing tab.
  5. Click the Add button, type the name of the user, computer or group that you want to audit, and then click OK.
  6. Select the seven audit policies as indicated in the following figure.

d72c1848-88d8-4704-8d30-fff2baace7c2

Figure 11.2 Terminal Server Connection Audit Entry Options

The seven entries listed in the previous figure can be useful when checking for security issues on a terminal server. Typically, only a system administrator should attempt both the "remote control" and "logoff" actions on another session. If attempts for these actions occur from a standard user account, this could indicate unwanted user behavior and require further investigation.

There are also a series of events specific to TS Gateway. By default all of these event types are audited. You can use TS Gateway Manager to specify the types of events that you want to monitor, such as unsuccessful or successful connection attempts to internal network resources (computers) through a TS Gateway server. You also can configure what event types to audit by right-clicking the server you want to manage in TS Gateway Manager, and selecting Properties. Then in the Server Properties dialog box, click the Auditing tab.

4f28ff9d-c8a6-4e3a-8bbf-fef0f1ad7a2b

Figure 11.3 Terminal Server Gateway Auditing Options

For more information about TS Gateway event types, see TS Gateway Server Connections in the "Troubleshooting" section of the Windows Server 2008 Technical Library.

Securing the TS Gateway

After you install the TS Gateway role service and configure a certificate for the TS Gateway server, you must create Terminal Services connection authorization policies (TS CAPs), computer groups, and Terminal Services resource authorization policies (TS RAPs). These policies are required to ensure that the TS Gateway service functions correctly.

Although the Add Role Services Wizard for TS Gateway includes an option to generate a self-signed certificate, this selection is recommended only for testing and evaluation purposes. For your production deployment, Microsoft recommends to obtain a computer certificate from a trusted certificate authority (CA).

Microsoft recommends the following security-related configuration recommendations for the desktop environment on terminal servers. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.

Table 11.29. TS Gateway Configuration Checklist

 

Configuration tasks

 

Use Terminal Services connection authorization policy (TS CAP)

 

Use Terminal Services resource authorization policy (TS RAP)

 

Secure TS Gateway IIS installation.

Use Terminal Services Connection Authorization Policy (TS CAP)

Terminal Services connection authorization policies (TS CAPs) allow you to specify who can connect to a TS Gateway server. You can specify a user group that exists on the local TS Gateway server or in Active Directory Domain Services (AD DS). You can also specify other conditions that users must meet to access a TS Gateway server.

For example, you can specify that all users who connect to a specific terminal server that is hosting a human resources (HR) database through a TS Gateway server must be members of the "HR Users" security group. You can also specify that the client computer that initiates the connection must be a member of an Active Directory security group in the corporate network to connect to the TS Gateway server. By requiring that the computer be a member of a specific Active Directory security group in the corporate network, you can exclude users who attempt to connect to the corporate network from kiosks, airport computers, or home computers that are not trusted.

For enhanced security when client computers connect to the internal corporate network through TS Gateway, you can also specify whether to disable client device redirection for all devices supported by the Terminal Services client, or for a specific type of device, such as a disk drive or supported Plug and Play devices. If you disable client device redirection for all devices supported by the client, all device redirection is disabled, except for audio and smart card redirection.

When you select the option to disable device redirection for specific device types or to disable all device types except for smart cards, the TS Gateway server will send the request back to the client with a list of the device types to be disabled. This list is a suggestion only; it is possible for the client computer to modify the device redirection settings in the list.

Caution   Because the TS Gateway server relies on the client computer to enforce device redirection settings that the server suggests, this feature does not provide guaranteed security. Suggested device redirection settings can only be enforced for RDC clients. The settings cannot be enforced for client computers that do not use RDC. In addition, it is possible for a malicious user to modify an RDC client so that the client ignores the suggested settings. In such cases, this feature cannot provide guaranteed security, even for RDC clients.

In addition, you can specify whether remote clients must use smart card authentication or password authentication to access internal network resources through a TS Gateway server. When both of these options are selected, client computers that use either authentication method are allowed to connect.

Finally, if your organization has deployed Network Access Protection (NAP), you can specify that the client must send a statement of health (SoH). For information about how to configure TS Gateway for NAP, see "Configuring the TS Gateway NAP Scenario" in the Windows Server 2008 TS Gateway Server Step-by-Step Setup Guide.

Important   Users are granted access to a TS Gateway server if they meet the conditions specified in the TS CAP. You must also create a TS RAP. A TS RAP allows you to specify the internal network resources that users can connect to through TS Gateway. Until you create both a TS CAP and a TS RAP, users cannot connect to network resources through this TS Gateway server.

Use Terminal Services Resource Authorization Policy (TS RAP)

Terminal Services resource authorization policies (TS RAPs) allow you to specify the internal corporate network resources that remote users can connect to through a TS Gateway server. When you create a TS RAP, you can create a computer group, or a list of computers on the internal network to which you want remote users to connect, and then associate it with the TS RAP.

For example, you can specify that users who are members of the "HR Users" user group be allowed to connect only to computers that are members of the "HR Computers" computer group, and that users who are members of the "Finance Users" user group be allowed to connect only to computers that are members of the "Finance Computers" computer group.

Remote users connecting to an internal corporate network through a TS Gateway server are granted access to computers on the network if they meet the conditions specified in at least one TS CAP and one TS RAP.

Note   When you associate a TS Gateway-managed computer group with a TS RAP, you can support both fully qualified domain names (FQDNs) and NetBIOS names by adding both names to the TS Gateway-managed computer group separately. When you associate an Active Directory security group with a TS RAP, both FQDNs and NetBIOS names are supported automatically if the internal network computer that the client is connecting to belongs to the same domain as the TS Gateway server. If the internal network computer belongs to a different domain than the TS Gateway server, users must specify the FQDN of the internal network computer. Together, TS CAPs and TS RAPs provide two different levels of authorization that allow you to configure a more specific level of access control to computers on an internal corporate network.

Computer Groups Associated With TS RAPs

Remote users can connect through TS Gateway to internal corporate network resources in the following ways:

  • As members of an existing security group. The security group can exist in Local Users and Groups on the TS Gateway server, or in AD DS.
  • As members of an existing TS Gateway-managed computer group or a new TS Gateway-managed computer group. You can configure the TS Gateway-managed computer group by using TS Gateway Manager after installation.

    A TS Gateway-managed group will not appear in Local Users and Groups on the TS Gateway server, and you cannot configure it using Local Users and Groups.

  • Using any network resource. In this case, users can connect to any computer on the internal corporate network that they can connect to when they use Remote Desktop Connection. This option is not recommended because it expands the potential attack surface of your network.

Secure TS Gateway IIS installation

In high-security environments, to prevent authenticated users with valid password or smart card credentials from reaching the RPC layer, consider locking down the TS Gateway server by disabling IIS virtual directories. You can make the following modifications to the IIS installation to further decrease the attack surface of a TS Gateway server:

  • Eliminate unneeded ports from the ValidPorts registry key.
  • Disable password authorization in IIS for pure smart card deployments.
  • Limit password authorization in IIS to only users who are should authenticate to the TS Gateway.
  • Limit access to the RpcWithCert virtual directory to ensure that a username mapping has occurred in IIS.
  • Remove unneeded CA root certificates from the Trusted Root Certificate Authorities store.

More Information

The following resources on Microsoft.com can provide you with more security best practice information about how to design and maintain a server running Windows Server 2008 that performs Terminal Services:

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

Download

Get the Windows Server 2008 Security Guide

Get the GPOAccelerator

Solution Accelerators Notifications

Sign up to learn about updates and new releases

Feedback

Send us your comments or suggestions

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft