There are a number of Group Policy settings that you can use to configure Terminal Services on a terminal server. This section includes policy object names, descriptions and the purpose of the settings, and recommendations where applicable.
You can use the GPMC to edit policy objects that affect Terminal Services security. The following list represents some of the key areas:
Security Options
System Services
Connections
Device and Resource Redirection
Session Time Limits
Windows Installer
Group Policy
Security Options Policy Settings
Microsoft recommends using policy settings to control security options in the following location of the GPMC:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.2 Terminal Server Computer Security Options Policy Settings
Policy object: Devices: Restrict CD-ROM access to locally logged-on user only
Recommended setting: Enabled
Default: Not defined
Description: Only the user logged on interactively at the console of the terminal server can access the server's CD-ROM drive; users connected through remote sessions, including administrators, cannot. Microsoft recommends enabling this policy to prevent remote users from running programs or reading data from a CD-ROM in the server. This policy governs the server's own drive; redirected client drives are controlled by the Device and Resource Redirection settings later in this section.

Policy object: Devices: Restrict floppy access to locally logged-on user only
Recommended setting: Enabled
Default: Not defined
Description: The same rule for the server's floppy disk drive: only the user logged on at the console can access it. Microsoft recommends enabling this policy to prevent remote users from running programs or reading data from a floppy disk in the server.

Policy object: Interactive logon: Do not display last user name
Recommended setting: Enabled
Default: Disabled
Description: Determines whether the name of the last user to log on to the computer is shown on the Windows logon screen. When enabled, the name of the last user to log on successfully is not displayed in the Log On to Windows dialog box. By default the name is displayed, which gives anyone who can reach the logon screen half of a valid credential. Microsoft recommends enabling this setting so that logon names are not disclosed to users who access the server.
System Services Policy Settings
Microsoft recommends using policy settings to control system services in the following location of the GPMC:
Computer Configuration\Windows Settings\Security Settings\System Services
The following table identifies policy object name, recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.3 Terminal Server Computer System Services Policy Setting
Policy object: Help and Support
Recommended setting: Disabled
Default: Not defined
Description: Disables the Help and Support Center service, which prevents users from starting the Windows Help and Support Center application. It does not disable help files (such as *.chm files) or Help in other applications. Disabling this service might cause problems for other programs and services that depend on it, so test the applications hosted on the terminal server first. Microsoft recommends disabling this service so that users cannot use Help and Support as a way to start other applications or to view system information about the terminal server.
Connections Policy Settings
Microsoft recommends using policy settings to control connections in the following location of the GPMC:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.4 Terminal Server Computer Connections Policy Settings
Policy object: Restrict Terminal Services users to a single remote session
Recommended setting: Enabled
Default: Not defined
Description: Prevents a single user account from having more than one session on the terminal server at a time. When the user connects again, they are reattached to their existing session (including a disconnected one) instead of starting a second one, so sessions, and the memory and licenses they consume, do not accumulate under one account. When the policy is not defined, the corresponding setting in the Terminal Services Configuration tool applies.

Policy object: Remove Disconnect option from Shut Down dialog box
Recommended setting: Enabled
Default: Not defined
Description: Removes the Disconnect option from the Shut Down Windows dialog box. It does not prevent users from disconnecting: closing the Remote Desktop Connection window or losing the network connection still leaves a disconnected session on the server. Use this policy if you do not want users to disconnect easily and you have not removed the Shut Down Windows dialog box itself.
Device and Resource Redirection Policy Settings
Microsoft recommends using policy settings to control resource redirection in the following location of the GPMC:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.5 Terminal Server Computer Device and Resource Redirection Policy Settings
Policy object: Allow audio redirection
Recommended setting: Disabled
Default: Disabled
Description: Specifies whether users can choose where the remote computer's audio output is played during a Terminal Services session. Users can use the Remote computer sound option on the Local Resources tab of Remote Desktop Connection to play the audio on the remote computer or on the local computer, or to disable it. When this policy is disabled, audio is not redirected to the client regardless of what the client requests.

Policy object: Do not allow clipboard redirection
Recommended setting: Enabled
Default: Not defined
Description: By default, Terminal Services allows clipboard redirection. This policy specifies whether to prevent sharing of clipboard contents between the remote computer and the client computer during a session. Enable it to stop users from copying data out of the server, or into it, through the clipboard.

Policy object: Do not allow COM port redirection
Recommended setting: Enabled
Default: Not defined
Description: By default, Terminal Services allows COM port redirection. This policy specifies whether to prevent redirection of data to client COM ports during a session. Enable it to prevent users from mapping local COM ports and sending data from the remote computer to peripherals attached to them.

Policy object: Do not allow drive redirection
Recommended setting: Enabled
Default: Not defined
Description: By default, Terminal Services allows the client's disk drives to be mapped into the session when the client requests it. Microsoft recommends enabling this policy so that users cannot reach programs on their local computer from the session or copy files between the server and their local drives; this closes an easy channel for bringing unapproved software in and taking data out.

Policy object: Do not allow LPT port redirection
Recommended setting: Enabled
Default: Not defined
Description: By default, Terminal Services allows LPT port redirection. This policy specifies whether to prevent redirection of data to client LPT ports during a session. Enable it to prevent users from mapping local LPT ports and sending data from the remote computer to peripherals attached to them.

Policy object: Do not allow supported Plug and Play device redirection
Recommended setting: Enabled
Default: Not defined
Description: By default, Terminal Services allows redirection of supported Plug and Play devices. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose which supported Plug and Play devices to redirect to the remote computer. If you enable this policy, users cannot redirect their supported Plug and Play devices to the remote computer.
Note: You can also disallow redirection of supported Plug and Play devices on the Client Settings tab in the Terminal Services Configuration tool.

Policy object: Do not allow smart card device redirection
Recommended setting: Disabled
Default: Not defined
Description: Controls whether smart card devices are redirected into a Terminal Services session. Smart card redirection is what lets a user authenticate to the server, and to applications inside the session, with the card in their local reader. Microsoft recommends using smart cards wherever possible, so this policy should not be enabled.
Session Time Limits Policy Settings
Microsoft recommends using policy settings to control session time limits in the following location of the GPMC:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
The following table identifies the policy object name, recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.6 Terminal Server Computer Session Time Limits Policy Setting
Policy object: Set time limit for disconnected sessions
Recommended setting: Enabled
Default: Not defined
Description: By default, a user can disconnect from a session and leave all of its applications running indefinitely. This policy sets how long a disconnected session may remain on the terminal server before it is ended. Microsoft recommends enabling it, with a limit that suits your environment, so that disconnected sessions do not accumulate and keep consuming memory, licenses, and open resources on the server. Ending a disconnected session closes its applications, so users lose any unsaved work in it.
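What the disconnected-session limit actually cleans up can be seen by listing the sessions that would be subject to it. The following PowerShell functions are added here as an example and are not part of the Windows Server 2008 Security Guide: they parse the output of quser.exe (the query user command) and return the disconnected sessions that have been idle longer than a threshold. The block runs against a constructed sample of quser output so it can be tried offline; the column layout and the "Disc" state string are assumed to be those of the English build of Windows Server 2008, and the logoff step shown in the trailing comment ends sessions without saving the users' work.

```powershell
# Added example (not from the Windows Server 2008 Security Guide): find disconnected
# Terminal Server sessions that have been idle longer than a threshold, i.e. the sessions
# that "Set time limit for disconnected sessions" would end automatically.
# Assumes the English column layout of quser.exe and the state string "Disc".

function ConvertTo-IdleMinutes {
    param([string]$Idle)
    # quser reports idle time as "none" or "." (not idle), "M", "H:MM" or "D+HH:MM".
    switch -regex ($Idle) {
        '^(\d+)\+(\d+):(\d+)$' { return [int]$matches[1] * 1440 + [int]$matches[2] * 60 + [int]$matches[3] }
        '^(\d+):(\d+)$'        { return [int]$matches[1] * 60 + [int]$matches[2] }
        '^\d+$'                { return [int]$Idle }
        default                { return 0 }
    }
}

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    # Columns: USERNAME, SESSIONNAME (blank for a disconnected session), ID, STATE,
    # IDLE TIME, LOGON TIME. A leading ">" marks the session running the command.
    # The header line never matches because ID must be numeric.
    $row = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $row) {
            $m = $matches   # keep this row's groups; later -match calls create a new table
            New-Object PSObject -Property @{
                User        = $m['User']
                Session     = $m['Session']
                Id          = [int]$m['Id']
                State       = $m['State']
                IdleMinutes = (ConvertTo-IdleMinutes $m['Idle'])
                LogonTime   = $m['Logon']
            }
        }
    }
}

function Get-StaleDisconnectedSession {
    param([string[]]$QuserLines, [int]$ThresholdMinutes = 60)
    ConvertFrom-QuserOutput -Lines $QuserLines |
        Where-Object { $_.State -eq 'Disc' -and $_.IdleMinutes -ge $ThresholdMinutes }
}

# Constructed sample of quser output (not captured from a real server) for offline use.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>admin                 console             1  Active      none   1/15/2008 8:02 AM',
    ' alice                 rdp-tcp#3           2  Active         5   1/15/2008 9:10 AM',
    ' bob                                       3  Disc        2:45   1/15/2008 7:30 AM',
    ' carol                                     4  Disc     1+03:12   1/14/2008 6:00 PM'
)

# Reports bob (165 idle minutes) and carol (1632); alice is active and admin is not idle.
Get-StaleDisconnectedSession -QuserLines $sample -ThresholdMinutes 60 |
    Format-Table User, Id, IdleMinutes, LogonTime -AutoSize

# On the terminal server itself, feed in live output instead of the sample:
#   Get-StaleDisconnectedSession -QuserLines (quser 2>$null) -ThresholdMinutes 60
# and, once you are sure the users are gone, end those sessions (unsaved work is lost):
#   Get-StaleDisconnectedSession -QuserLines (quser 2>$null) | ForEach-Object { logoff $_.Id }
```

Running this before you pick a limit shows how long disconnected sessions typically linger on your servers and which users would be affected; once the policy is applied the server performs the same cleanup itself, and the script becomes a check that the limit is actually being enforced.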
Windows Installer Policy Settings
Microsoft recommends using policy settings to control Windows® Installer in the following location of the GPMC:
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.7 Terminal Server Computer Windows Installer Policy Setting
Policy object: Disable Microsoft Windows Installer
Recommended setting: Enabled
Default: Not defined
Description: When the policy is enabled you choose its scope. Set to "For non-managed applications only", Windows Installer still works for applications that are published or assigned through Group Policy but refuses other packages. Set to "Always", Windows Installer is disabled completely, which is useful if you do not want published or assigned applications installed on the terminal server either.
Disabling Windows Installer does not block installations by other setup programs or methods. Microsoft recommends installing and configuring applications before enabling this policy, because once it is enabled administrators also cannot install applications that use Windows Installer.
User Group Policy Settings
Microsoft recommends using policy settings to control User Group Policy loopback processing in the following location of the GPMC:
Computer Configuration\Administrative Templates\System\Group Policy
The following table identifies the policy object name, recommended setting and the setting description, and the setting default in Windows Server 2008.
Table 11.8 Terminal Server Computer User Group Policy Setting
Policy object: User Group Policy loopback processing mode
Default: Not defined
Description: Normally the user configuration half of Group Policy comes only from GPOs that apply to the user's own account. Loopback processing makes the user configuration settings of the GPOs linked to the computer's OU apply to whoever logs on to that computer. If the terminal server computer object is placed in the locked-down OU and the user accounts are not, enabling loopback applies the restrictive user configuration policies to every user of the terminal server, including administrators, regardless of where their accounts are located.
There are two modes for this policy:
Merge mode applies the user's own GPOs first, then the user configuration settings from the locked-down (computer-side) GPOs. Where the two conflict, the locked-down policy takes precedence.
Replace mode ignores the user's own GPOs and applies only the user configuration settings from the locked-down policy, so the restrictions depend entirely on which computer the user logs on to rather than on the user account.
If you disable this policy, or leave it not defined, and the terminal server computer object is placed in the locked-down OU, only the computer configuration policies are applied to the terminal server. Each user account would then have to be placed in the OU for the user configuration restrictions to apply to that user.
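To verify that these settings have actually been applied to a terminal server rather than only linked in the GPMC, the following PowerShell script, added here as an example and not part of the Windows Server 2008 Security Guide, reads the registry values that Group Policy writes for the settings in Tables 11.2, 11.4, 11.5, 11.6, 11.7 and 11.8 and reports each one as Compliant, NonCompliant or NotDefined. The registry paths and value names are assumptions taken from the Administrative Template (ADMX) and security policy definitions and should be confirmed against TerminalServer.admx and your security template; the Help and Support service in Table 11.3 is not covered because the guide does not give its service name.

```powershell
# Added example (not from the Windows Server 2008 Security Guide): audit the Terminal
# Server policy recommendations in this section by reading the registry values that
# Group Policy writes when each setting is applied. The paths and value names below are
# assumptions based on the ADMX templates and security policy definitions; verify them
# against TerminalServer.admx and your security template before relying on the report.
# Requires PowerShell 2.0 or later and an elevated session on the terminal server.
$Ts       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# One entry per policy: the GPMC name, where the setting lands in the registry, the
# recommended value, and a test that returns $true when the actual value complies.
$Checks = @(
    @{ Policy = 'Devices: Restrict CD-ROM access to locally logged-on user only'
       Key = $Winlogon; Name = 'AllocateCDRoms'; Expected = '"1" (Enabled)'
       Test = { param($v) "$v" -eq '1' } },
    @{ Policy = 'Devices: Restrict floppy access to locally logged-on user only'
       Key = $Winlogon; Name = 'AllocateFloppies'; Expected = '"1" (Enabled)'
       Test = { param($v) "$v" -eq '1' } },
    @{ Policy = 'Interactive logon: Do not display last user name'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DontDisplayLastUserName'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Restrict Terminal Services users to a single remote session'
       Key = $Ts; Name = 'fSingleSessionPerUser'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Remove Disconnect option from Shut Down dialog box'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDisconnect'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Allow audio redirection'
       Key = $Ts; Name = 'fDisableCam'; Expected = '1 (policy Disabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Do not allow clipboard redirection'
       Key = $Ts; Name = 'fDisableClip'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Do not allow COM port redirection'
       Key = $Ts; Name = 'fDisableCcm'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Do not allow drive redirection'
       Key = $Ts; Name = 'fDisableCdm'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Do not allow LPT port redirection'
       Key = $Ts; Name = 'fDisableLPT'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Do not allow supported Plug and Play device redirection'
       Key = $Ts; Name = 'fDisablePNPRedir'; Expected = '1 (Enabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Do not allow smart card device redirection'
       Key = $Ts; Name = 'fEnableSmartCard'; Expected = '1 (policy Disabled)'
       Test = { param($v) [int]$v -eq 1 } },
    @{ Policy = 'Set time limit for disconnected sessions'
       Key = $Ts; Name = 'MaxDisconnectionTime'; Expected = '> 0 milliseconds (Enabled with a limit)'
       Test = { param($v) [long]$v -gt 0 } },
    @{ Policy = 'Disable Microsoft Windows Installer'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name = 'DisableMSI'; Expected = '1 (non-managed only) or 2 (Always)'
       Test = { param($v) @(1, 2) -contains [int]$v } },
    @{ Policy = 'User Group Policy loopback processing mode'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'UserPolicyMode'; Expected = '1 (Merge) or 2 (Replace)'
       Test = { param($v) @(1, 2) -contains [int]$v } }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist, i.e. the policy is not defined.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-TsPolicyCompliance {
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
        if ($actual -eq $null)     { $status = 'NotDefined' }
        elseif (& $c.Test $actual) { $status = 'Compliant' }
        else                       { $status = 'NonCompliant' }
        New-Object PSObject -Property @{
            Status = $status; Policy = $c.Policy; Expected = $c.Expected
            Actual = $(if ($actual -eq $null) { '(absent)' } else { "$actual" })
        }
    }
}

Test-TsPolicyCompliance | Sort-Object Status | Format-Table Status, Policy, Expected, Actual -AutoSize
```

The script reports the registry as it is now, so run gpupdate /force first (or compare with gpresult) if a policy was linked recently. NotDefined means the value is absent and the Terminal Services Configuration tool or built-in default governs, which for several of these settings is the permissive behaviour described in the tables; treat it as a finding, not as a pass.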