How to secure your remote desktop server with GPO

Remote Desktop Services is a great way to provide remote access to employees who travel, and it can even serve as the primary means of computing using thin clients. When you have multiple employees connecting to a remote desktop server, you need to take the appropriate steps to secure the environment, just like you would a normal workstation. This includes, but is not limited to, installing anti-virus, limiting the ability to install software without administrative privileges, and preventing access to areas of the system that users shouldn’t be able to reach. In this article, we will specifically talk about how to lock down your RDS session using group policy, WITHOUT having that GPO apply to the employees’ regular workstations.

Step 1.) Create an organizational unit in Active Directory called “Restricted” (or something of your choice)

Step 2.) Move your Remote Desktop Server computer object into that OU

Step 3.) Create a group policy object, and link it to that specific OU.

When you create this group policy object, you want to apply it to the security group that your RDS users belong to, using the “Security Filtering” section at the bottom of the Scope tab.

Step 4.) Edit the group policy object you just created, and expand Computer Configuration –> Administrative Templates –> System –> Group Policy

Step 5.) Modify the “User Group Policy Loopback Processing Mode” setting and select the “REPLACE” option in the drop-down menu.

Step 6.) Lock down your user settings as needed: The number of restrictions you enable here is personal preference. For the environments we manage, some of the items I like to limit access to are as follows:

— Control Panel: Prohibit Access to the Control Panel

— Desktop: Limit access to most desktop items.

— Start menu and taskbar items: Remove items such as Run, Network Places, etc.

— System changes: Remove access to things like Windows updates.

— Ctrl + Alt + Del options:

— Windows Components

These are just a few examples of restrictions you can enable with group policy.  I recommend you go through the user configuration settings within GPO, and see what else you can restrict to meet the needs of your environment.
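The same procedure can be scripted and then verified. The following PowerShell is an added example, not the author's own script; it assumes the ActiveDirectory and GroupPolicy modules are installed, and the domain DN, server name, group name and GPO name are placeholders to replace with your own.

```powershell
# Added example: scripted version of the steps above. All names are placeholders (assumptions).
Import-Module ActiveDirectory, GroupPolicy

$DomainDN  = 'DC=example,DC=com'   # placeholder domain
$OuName    = 'Restricted'          # OU name used in the article
$RdsServer = 'RDS01'               # placeholder RDS server computer name
$UserGroup = 'RDS Users'           # placeholder security group containing the RDS users
$GpoName   = 'RDS Lockdown'        # placeholder GPO name
$OuDN      = "OU=$OuName,$DomainDN"

# Create the OU and move the RDS computer object into it
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
Get-ADComputer -Identity $RdsServer | Move-ADObject -TargetPath $OuDN

# Create the GPO and link it only to that OU
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OuDN | Out-Null

# Security filtering: Authenticated Users drop to Read, the RDS user group gets Apply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Loopback mode is a Computer Configuration setting, so the server's computer
# account must be able to apply the GPO as well, or the setting never takes effect
Set-GPPermission -Name $GpoName -TargetName $RdsServer -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# User Group Policy Loopback Processing Mode: 1 = Merge, 2 = Replace
$SystemKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
Set-GPRegistryValue -Name $GpoName -Key $SystemKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Two of the user restrictions from the list: no Control Panel, no Run command
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($Value in 'NoControlPanel', 'NoRun') {
    Set-GPRegistryValue -Name $GpoName -Key $ExplorerKey -ValueName $Value `
        -Type DWord -Value 1 | Out-Null
}

# Verify what was configured: loopback value and who can read/apply the GPO
Get-GPRegistryValue -Name $GpoName -Key $SystemKey -ValueName 'UserPolicyMode'
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

To confirm the result from the user's side, sign in to the RDS server as a member of the user group and run `gpresult /r`; the GPO should be listed under the applied user settings there and absent on the same user's regular workstation.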

Nick

2 comments on “How to secure your remote desktop server with GPO”

  1. I just like the valuable information you provide to your articles.
    I will bookmark your blog and test once more right here regularly.

    I am relatively sure I will be told many new stuff proper here!
    Best of luck for the following!

    • Hello,

      Thanks for stopping by and I’m happy to hear that you find the information useful! I will be posting regularly with various “how to” articles and my overall view on the IT and cloud industry.

      Thanks for the comment!

      Nick
