How to secure your remote desktop server with GPO
Remote Desktop Services is a great way to provide remote access to employees who travel, or it can even be used as a primary use of computing using thin clients. When you have multiple employees connecting to a remote desktop server, you will need to take the appropriate steps to secure the environment, just like you would a normal workstation . This includes but not limited to installing anti-virus , limiting the ability to install software without administrative privileges, as well as accessing areas of the system they shouldn’t be able to. In this article, we will specifically talk about how to lock down your RDS session using group policy, WITHOUT having that GPO apply to the employees regular workstation.
Step 1.) Create an organization unit in Active Directory called “Restricted” (Or something of your choice)
Step 2.) Move your Remote Desktop Server computer object into that OU
Step 3.) Great a group policy object, and link it to that specific OU.
When you create this group policy object, you want to apply this to the security group that your RDS users belong to using the “Security Filtering” on the bottom of the scope tab.
Step 3.) Edit the group policy object you just created, and expand Computer Configuration –> Administrative Templates –> System –> Group Policy
Step 4.) Modify the “User Group Policy Loopback Processing Mode” and select the “REPLACE” option in the drop down menu.
Step 5.) Lock down your user settings as needed: The amount of restrictions you would like to enable here is personal preference. For the environments we manage, some of the items I like to limit access to are as follows:
— Control Panel: Prohibit Access to the Control Panel
— Desktop: Limit access to most desktop items.
— Start menu and taskbar items: Remove items such as RUN, network places etc.
— System changes: Remove access to things like Windows updates.
— CNTRL + ALT + DEL options:
— Windows Components
These are just a few examples of restrictions you can enable with group policy. I recommend you go through the user configuration settings within GPO, and see what else you can restrict to meet the needs of your environment.
Nick
source: https://nikoscloud.wordpress.com/2013/04/23/how-to-secure-your-remote-desktop-server-with-gpo/