When planning the workload configuration for terminal server sessions, there are a number of important steps you can take to optimize the security of sessions for users. Microsoft recommends applying these settings to user accounts that are in the locked-down terminal servers OU. If you use loopback processing, all user accounts that log on to computers in the locked-down OU also have these restrictions applied.
While many of the settings in this guide work on client computers running Windows Vista SP1 or Windows XP Professional SP3 or later, testing for this guide was performed only on computers running Windows Vista SP1. Be sure to perform your own testing of all of these settings on the client computers that you support in your production environment.
You can use the GPMC to edit policy objects that affect Remote Desktop security. The following list represents some of the key areas:
Folder Redirection
Internet Explorer Search
Internet Explorer Browser Menus
Application Compatibility
Internet Explorer
Common Open File Dialog
Task Scheduler
Windows Messenger
Windows Sidebar
Windows PowerShell™
Windows Update
Start Menu and Taskbar
Desktop
Control Panel
Add or Remove Programs
Printer
System
Ctrl+Alt+Del Options
Scripts
Folder Redirection Policy Settings
Microsoft recommends using policy settings to control folder redirection in the following location of the GPMC:
User Configuration\Windows Settings\Folder Redirection
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.9 Terminal Server Computer Folder Redirection Policy Settings

| Policy object | Description | Default |
|---|---|---|
| Application data | Recommended setting: Basic redirection and create a folder for each user under the root path. To do this, on the Settings tab, enable the option to grant the user exclusive rights. Enable the option to move the contents of the folder to a new location. Also set the policy removal to redirect the folder back to the local user profile location when the policy is removed. | Not defined |
| Desktop | Recommended setting: Basic redirection and create a folder for each user under the root path. To do this, on the Settings tab, enable the option to grant the user exclusive rights. Enable the option to move the contents of the folder to a new location. Also set the policy removal to redirect the folder back to the local user profile location when the policy is removed. | Not defined |
| My Documents | Recommended setting: Basic redirection and create a folder for each user under the root path. To do this, on the Settings tab, enable the option to grant the user exclusive rights. Enable the option to move the contents of the folder to a new location. Also set the policy removal to redirect the folder back to the local user profile location when the policy is removed. | Not defined |
| Start Menu | Recommended setting: Basic redirection and redirect to the following location. To do this, on the Settings tab, set the policy removal to redirect the folder back to the local user profile location when the policy is removed. Create a \Programs\Startup folder under this shared folder. Enabling these policies can provide a central point for backing up user data. In addition, if the policy to restrict access to local hard disk drives is enabled, users need folder redirection if they do not want to see messages saying that they have restricted access. If a roaming profile server is not available, you can use local shares. To do this, create a master folder for all of the user data (such as C:\userdata). Create four subfolders, one for each folder type (such as AppData, Desktop, MyDocs, and Start). Share each of the subfolders and then set the share permissions for the Everyone group to Change. Finally, set each path to its corresponding share. You can also configure the Start Menu differently to share it across all users. To do this, change the share permissions from the Everyone group to Read. Be sure to manually create the Programs\Startup folder under the shared Startup folder (C:\userdata\Start\Programs\Startup). | Not defined |
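The local-share layout described for the case where no roaming profile server is available, as an added PowerShell example that is not part of the guide. It assumes an elevated session on Windows Server 2008 or later (the net share /GRANT syntax) and the folder and share names used in the text; the hashtable of permissions is this example's own.

```powershell
# Added example (not from the Windows Server 2008 Security Guide): builds the
# local-share layout for folder redirection when no roaming profile server is
# available. Assumes Windows Server 2008 or later ("net share ... /GRANT") and
# an elevated PowerShell session.
$root = 'C:\userdata'          # master folder for all user data, as in the guide

# Subfolder -> share permission for the Everyone group, as recommended above:
# per-user folders get Change; a Start Menu shared across all users gets Read.
# Per-user NTFS permissions on the redirected subfolders are applied by the
# "grant the user exclusive rights" option in the GPMC, not by this script.
$layout = @{
    'AppData' = 'CHANGE'
    'Desktop' = 'CHANGE'
    'MyDocs'  = 'CHANGE'
    'Start'   = 'READ'
}

foreach ($name in $layout.Keys) {
    $path = Join-Path $root $name
    if (-not (Test-Path $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }
    # "net share <name>" exits non-zero when the share does not exist yet.
    & net share $name 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        & net share "$name=$path" "/GRANT:Everyone,$($layout[$name])" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to share $path as $name" }
    }
}

# The shared Start Menu needs a Programs\Startup folder created manually.
$startup = Join-Path $root 'Start\Programs\Startup'
if (-not (Test-Path $startup)) {
    New-Item -ItemType Directory -Path $startup | Out-Null
}

# UNC paths to enter as the root path of each redirected folder in the GPMC.
foreach ($name in $layout.Keys) {
    "{0,-8} -> \\{1}\{2}" -f $name, $env:COMPUTERNAME, $name
}
```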
Internet Explorer Search Policy Settings
Microsoft recommends using policy settings to control Microsoft Internet Explorer® search behavior in the following location of the GPMC:
User Configuration\Administrative Templates\Windows Components\Internet Explorer
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.10 Terminal Server Computer Internet Explorer Search Policy Setting

| Policy object | Description | Default |
|---|---|---|
| Search: Disable Find Files via F3 within the browser | Recommended setting: Enabled. This policy disables the use of the F3 key to search in Internet Explorer and Windows Explorer. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk drive (from Windows Explorer). If the user presses F3, a prompt appears informing the user that this feature is disabled. Microsoft recommends enabling this policy to prevent users from searching for applications on their hard disk drives or browsing the Internet. | Not defined |
Internet Explorer Browser Menus Policy Settings
Microsoft recommends using policy settings to control Internet Explorer browser menus in the following location of the GPMC:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.11 Internet Explorer Menus Policy Settings

| Policy object | Description | Default |
|---|---|---|
| Disable Context menu | Recommended setting: Enabled. This policy prevents the shortcut menu from appearing when users click the right mouse button while using the browser. Microsoft recommends enabling this policy to prevent use of the shortcut menu as an alternate method of running commands. | Not defined |
| Hide Favorites menu | Recommended setting: Enabled. This policy prevents users from adding, removing, or editing the list of Favorites links. If you enable this policy, the Favorites menu is removed from the interface and the Favorites button on the browser toolbar appears dimmed. Use this policy if you want to remove the Favorites menu from Windows Explorer and you do not want to give users easy access to Internet Explorer. | Not defined |
For additional Internet Explorer 7.0 security settings that you can use to provide additional restrictions on the browser, see the Windows Vista Security Guide.
Application Compatibility Policy Settings
Microsoft recommends using a policy setting to control 16-bit application execution in the following location in the GPMC:
User Configuration\Administrative Templates\Windows Components\Application Compatibility
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.12 Application Compatibility Policy Setting

| Policy object | Description | Default |
|---|---|---|
| Prevent access to 16-bit applications | Recommended setting: Enabled. This policy prevents the MS-DOS® subsystem (ntvdm.exe) from running for the user. This setting affects the start of all 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users. Many MS-DOS applications are not Terminal Server friendly and can cause high CPU utilization due to constant polling of the keyboard. Microsoft recommends enabling this policy with the Computer Configuration (system-wide) to block 16-bit applications on the entire terminal server. | Not defined |
Windows Explorer Policy Settings
Microsoft recommends using policy settings to control Windows Explorer in the following location in the GPMC:
User Configuration\Administrative Templates\Windows Components\Windows Explorer
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.13 Windows Explorer Policy Settings

| Policy object | Description | Default |
|---|---|---|
| Remove the Folder Options menu item from the Tools menu | Recommended setting: Enabled. This policy removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box. Microsoft recommends enabling this policy to prevent users from configuring many properties of Windows Explorer, such as Active Desktop®, Web view, Offline Files, hidden system files, and file types. | Not defined |
| Remove File menu from Windows Explorer | Recommended setting: Enabled. This policy removes the File menu from My Computer and Windows Explorer. It does not prevent users from using other methods to perform tasks available on the File menu. Microsoft recommends enabling this policy to remove easy access to tasks such as "New" and "Open With," as well as shell extensions for some applications. Enabling this policy also prevents easy creation of shortcuts to executables. | Not defined |
| Remove "Map Network Drive" and "Disconnect Network Drive" | Recommended setting: Enabled. This policy prevents users from connecting to and disconnecting from shares with Windows Explorer. It does not prevent mapping and disconnecting drives from other applications or the Run command. Microsoft recommends enabling this policy to remove easy access to browsing the domain from Windows Explorer. If mapped drives are necessary, you can map them from a logon script. | Not defined |
| Remove Search button from Windows Explorer | Recommended setting: Enabled. Microsoft recommends enabling this policy to prevent users from searching for applications from Windows Explorer. This policy does not prevent search routines in other applications or the Start Menu. | Not defined |
| Remove Security Tab | Recommended setting: Enabled. This policy removes the Security tab from Windows Explorer. Even if users can open the Properties dialog box for file system objects, including folders, files, shortcuts, and drives, they cannot access the Security tab. Microsoft recommends enabling this policy to prevent users from changing the security settings or viewing a list of all users who have access to the object. | Not defined |
| Remove Windows Explorer's default context menu | Recommended setting: Enabled. This policy removes the shortcut menu from Windows Explorer. Microsoft recommends enabling this policy to prevent easy access to applications that place hooks into the shortcut menu. This policy does not remove other methods of accessing applications on the shortcut menu, such as using shortcut hotkeys. | Not defined |
| Hides the Manage item on the Windows Explorer context menu | Recommended setting: Enabled. This policy removes the Manage option from Windows Explorer or My Computer. The Manage option opens the Computer Management MMC snap-in (compmgmt.msc). Users can access items like Event Viewer, System Information, and Disk Administrator from Computer Management. This policy does not restrict access to these tasks from other methods, such as Control Panel and the Run command. Microsoft recommends enabling this policy to remove easy access to system information about the Terminal Server. | Not defined |
| Hide these specified drives in My Computer | Recommended setting: Enabled – Restrict A, B, C, and D drives only. This policy only removes the icons from My Computer, Windows Explorer, and the standard file dialog box. It does not prevent users from accessing these drives by other means, such as the command prompt. The policy only allows you to hide drives A through D. Microsoft recommends enabling this policy to hide the floppy disk drive, the CD-ROM drive, and the operating system partition. You can configure a partition for public data to be the only drive that users can view. If required, you can use NTFS permissions to restrict access to this partition. Important: If you are using BitLocker™ Drive Encryption, do not attempt to hide the BitLocker boot drive. | Not defined |
| Prevent access to drives from My Computer | Recommended setting: Enabled – A, B, C, and D drives only. This policy prevents access to drives A through D with My Computer, Windows Explorer, and the standard file dialog box. This policy does not prevent access from programs that do not use the common dialog boxes. Users can still start applications that reside on the restricted drives. Microsoft recommends enabling this policy to restrict file browsing of system partitions. | Not defined |
| Remove Hardware tab | Recommended setting: Enabled. This policy removes the Hardware tab from the Mouse, Keyboard, and Sounds and Audio Devices items in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard disk drives, floppy disk drives, and CD-ROM drives. Microsoft recommends enabling this policy to prevent users from using the Hardware tab to view the device list or device properties. | Not defined |
| No Computers Near Me in Network Locations | Recommended setting: Enabled. This policy removes computers in the user's workgroup and domain from lists of network resources in Windows Explorer and Network Locations. It removes the Computers Near Me option and the icons representing nearby computers from Network Locations. This setting also removes these icons from the Map Network Drive browser. This policy does not prevent users from connecting to computers in their workgroup or domain by other common methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box. | Not defined |
| No Entire Network in Network Locations | Recommended setting: Enabled. This policy removes all computers outside of the user's workgroup or local domain from lists of network resources in Windows Explorer and Network Locations. This setting removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option. This policy does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box. | Not defined |
| Turn on Classic Shell | Recommended setting: Enabled. This policy stops users from configuring their system to open items by single-clicking. As a result, the user interface looks and operates like the interface for Windows NT® 4.0, and users cannot restore the new features. Enabling this policy also turns off the preview pane, sets the folder options for Windows Explorer to use the classic folders view, and prevents users from changing these options. Note: In operating systems earlier than Windows Vista, enabling this policy also disables the Active Desktop and Web view. This setting also takes precedence over the Enable Active Desktop setting. If both policies are enabled, Active Desktop is disabled. Microsoft recommends enabling this policy to remove Folder Tasks, because some folder tasks, such as the one for the My Music folder, can be used to start Internet Explorer. | Not defined |
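The two drive-restriction policies above are stored as a bitmask, one bit per drive letter, so "A, B, C, and D drives only" is a specific numeric value. The following added PowerShell example, which is not part of the guide, converts between drive letters and that mask and checks the values in effect for the current user. It assumes the policies write the well-known NoDrives and NoViewOnDrive DWORD values under the Policies\Explorer key, and that it runs as the locked-down user (or against that user's loaded hive).

```powershell
# Added example (not from the Windows Server 2008 Security Guide): decodes and
# verifies the bitmask behind "Hide these specified drives in My Computer"
# (NoDrives) and "Prevent access to drives from My Computer" (NoViewOnDrive).
# Assumption: both policies store a DWORD under this Explorer policy key.
# Written for PowerShell 2.0 (no -shl operator), as found on Windows Server 2008.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit n of the mask stands for drive letter (A + n): A=1, B=2, C=4, D=8, ...
function ConvertTo-DriveMask([string[]]$Letters) {
    $mask = 0
    foreach ($l in $Letters) {
        $index = [int][char]$l.ToUpper() - [int][char]'A'
        if ($index -lt 0 -or $index -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor [int][math]::Pow(2, $index)
    }
    return $mask
}

function ConvertFrom-DriveMask([int]$Mask) {
    $letters = @()
    for ($i = 0; $i -lt 26; $i++) {
        if ($Mask -band [int][math]::Pow(2, $i)) { $letters += [char]([int][char]'A' + $i) }
    }
    return $letters
}

function Get-DrivePolicyValue([string]$Name) {
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }   # value absent: policy not applied to this user
    return [int]$item.$Name
}

# The recommended option "A, B, C, and D drives only" is the mask 15 (0x0F).
$expected = ConvertTo-DriveMask @('A', 'B', 'C', 'D')

foreach ($valueName in 'NoDrives', 'NoViewOnDrive') {
    $actual = Get-DrivePolicyValue $valueName
    if ($actual -eq $null) {
        "$valueName : not set (policy not applied to this user)"
    } else {
        $restricted = (ConvertFrom-DriveMask $actual) -join ','
        $state = if ($actual -eq $expected) { 'matches recommendation' } else { 'DIFFERS from recommendation' }
        "$valueName : 0x{0:X} restricts drives [{1}] - {2}" -f $actual, $restricted, $state
    }
}
# As the guide notes, neither value blocks access from the command prompt or from
# programs that avoid the common dialogs; NTFS permissions are still the real control.
```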
Common Open File Dialog Policy Settings
Microsoft recommends using policy settings to control file dialog boxes in the following location in the GPMC:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.14 Windows Explorer Policy Settings

| Policy object | Description | Default |
|---|---|---|
| Hide the common dialog places bar | Recommended setting: Enabled. This policy removes the Back button from the standard Open dialog box available to users in Windows® 2000 Professional, which makes this dialog box appear as it did in Windows NT 4.0 or earlier. This policy affects only programs that use the standard Open dialog box provided to developers of Windows programs. In Windows Vista, this policy applies only to applications that use the Windows XP common dialog box style. This policy does not apply to the new Windows Vista common dialog box style. Also, third-party applications running with Windows 2000 or later certification are required to adhere to this policy setting. | Not defined |
| Items displayed in Places Bar | Recommended setting: Enabled. This policy configures the list of items displayed in the Places Bar in the Windows File/Open dialog box. Enabling this policy allows you to specify from 1 to 5 items to display in the Places Bar. Microsoft recommends setting specific places for your terminal server clients. The valid items you can display in the Places Bar are: (1) shortcuts to local folders (for example C:\Windows); (2) shortcuts to remote folders (for example \\server\share); (3) FTP folders; (4) Web folders; (5) Common Shell folders. The list of Common Shell folders that you can specify includes: Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments, and Saved Searches. If you disable or do not configure this policy, the default list of items is displayed in the Places Bar. In Windows Vista, this policy applies only to applications that use the Windows XP common dialog box style. This policy does not apply to the new Windows Vista common dialog box style. | Not defined |
Task Scheduler Policy Settings
Microsoft recommends using policy settings to control Task Scheduler in the following location in the GPMC:
User Configuration\Administrative Templates\Windows Components\Task Scheduler
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.15 Task Scheduler Policy Settings

| Policy object | Description | Default |
|---|---|---|
| Hide Property Pages | Recommended setting: Enabled. This policy prevents users from viewing and changing the properties of an existing task by removing the Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, users cannot change any properties of a task. They can only see the properties that appear in Detail view and in the task preview. | Not defined |
| Prohibit Task Deletion | Recommended setting: Enabled. This policy prevents users from deleting tasks from the Scheduled Tasks folder. However, this policy does not prevent administrators from deleting tasks with the AT command, or from a remote computer. | Not defined |
| Prevent Task Run or End | Recommended setting: Enabled. This policy prevents users from starting and stopping tasks. | Not defined |
| Prohibit New Task Creation | Recommended setting: Enabled. This policy removes the Add Scheduled Task item that starts the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Scheduled Tasks folder. This policy does not prevent administrators from creating new tasks with the AT command, or doing so from a remote computer. | Not defined |
Windows Messenger Policy Settings
Microsoft recommends using a policy setting to control Windows Messenger in the following location of the GPMC:
User Configuration\Administrative Templates\Windows Components\Windows Messenger
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.16 Windows Messenger Policy Setting

| Policy object | Description | Default |
|---|---|---|
| Do not allow Windows Messenger to be run | Recommended setting: Enabled. This policy prevents users from running Windows Messenger. | Not defined |
Windows Sidebar Policy Settings
Microsoft recommends using a policy setting to control Windows Sidebar in the following location of the GPMC:
User Configuration\Administrative Templates\Windows Components\Windows Sidebar
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.17 Windows Sidebar Policy Setting

| Policy object | Description | Default |
|---|---|---|
| Turn off Windows Sidebar | Recommended setting: Enabled. This policy prevents users from running Windows Sidebar. | Not defined |
Windows PowerShell Policy Settings
The Windows PowerShell scripting environment has many advantages, but on a Terminal Server remote desktop there are security risks associated with users who can run PowerShell scripts. By default, PowerShell scripts are not allowed to execute; however, script execution can be enabled. For this reason, Microsoft recommends using Group Policy to disable this option.
Microsoft recommends using a policy setting to control Windows PowerShell in the following location of the GPMC:
User Configuration\Administrative Templates\Windows Components\Windows PowerShell
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.18 Windows PowerShell Policy Setting

| Policy object | Description | Default |
|---|---|---|
| Turn on Script Execution | Recommended setting: Disabled. This policy allows you to configure the script execution policy to control what scripts can run. Microsoft recommends disabling this policy so that users cannot run scripts. | Not defined |
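A check that the Turn on Script Execution policy is in its recommended Disabled state, as an added PowerShell example that is not part of the guide. It assumes the policy writes EnableScripts (DWORD) and ExecutionPolicy (string) under the Policies\Microsoft\Windows\PowerShell key and that PowerShell 2.0 or later is installed (for Get-ExecutionPolicy -List). Because the recommended setting blocks script files for locked-down users, run it from an administrative session the lockdown GPO does not apply to, or paste it into an interactive console.

```powershell
# Added example (not from the Windows Server 2008 Security Guide): reports the
# state of "Turn on Script Execution" for the user and machine policy hives and
# the execution policy PowerShell itself has in effect.
# Assumption: the policy stores EnableScripts (DWORD) and ExecutionPolicy (string)
# under Software\Policies\Microsoft\Windows\PowerShell.
function Get-ScriptExecutionPolicyState([string]$Hive = 'HKCU') {
    $key = "${Hive}:\Software\Policies\Microsoft\Windows\PowerShell"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.PSObject.Properties['EnableScripts'] -eq $null) {
        return 'Not configured (PowerShell falls back to its default Restricted policy)'
    }
    switch ([int]$props.EnableScripts) {
        0 { 'Disabled (recommended: users cannot run scripts)' }
        1 { "Enabled with execution policy '$($props.ExecutionPolicy)' (NOT recommended for locked-down users)" }
        default { "Unexpected EnableScripts value $($props.EnableScripts)" }
    }
}

# HKCU reflects the User Configuration setting the guide recommends; HKLM the
# Computer Configuration equivalent, which applies to every session on the server.
foreach ($hive in 'HKCU', 'HKLM') {
    "{0}: {1}" -f $hive, (Get-ScriptExecutionPolicyState $hive)
}

# Effective policy per scope. MachinePolicy and UserPolicy come from Group Policy
# and take precedence over the Process, CurrentUser and LocalMachine scopes, so a
# user cannot undo the lockdown with Set-ExecutionPolicy.
Get-ExecutionPolicy -List | ForEach-Object {
    "{0,-14} {1}" -f $_.Scope, $_.ExecutionPolicy
}
```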
Windows Update Policy Settings
Microsoft recommends using a policy setting to control Windows Update in the following location of the GPMC:
User Configuration\Administrative Templates\Windows Components\Windows Update
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.19 Windows Update Policy Setting

| Policy object | Description | Default |
|---|---|---|
| Remove access to use all Windows Update features | Recommended setting: Enabled. This policy removes access to Windows Update. If you enable this policy, all Windows Update features are removed. This includes blocking access to the Microsoft Windows Update Web site from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; users are not notified about critical updates and do not receive critical updates from Windows Update. This policy also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. You can use this policy to prevent changes to the Terminal Server while it is in production. If you disable Windows Update, you should schedule periodic checks to ensure that Windows® has the latest critical updates. | Not defined |
Start Menu and Taskbar Policy Settings
Microsoft recommends using policy settings to control the Windows Start Menu and Taskbar in the following location of the GPMC:
User Configuration\Administrative Templates\Start Menu and Taskbar
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.20 Start Menu and Taskbar Policy Settings

| Policy object | Description | Default |
|---|---|---|
| Remove links and access to Windows Update | Recommended setting: Enabled. This policy removes links and access to the Windows Update Web site. The Windows Update Web site is only available for administrators. Microsoft recommends enabling this policy to remove easy access to Internet Explorer for users. | Not defined |
| Remove common program groups from Start Menu | Recommended setting: Enabled. This policy removes shortcuts to programs from the All Users profile. Only the Start Menu in the user's profile or the redirected Start Menu is available. Microsoft recommends enabling this policy to remove easy access to built-in applications, such as games, the calculator, and Windows Media® Player. | Not defined |
| Remove pinned programs list from Start Menu | Recommended setting: Enabled. This policy removes the Pinned Programs list from the Start Menu. It also removes the default links to Internet Explorer and Outlook® Express if they are pinned, and it prevents users from pinning any new programs to the Start Menu. The Frequently Used Programs list is not affected. | Not defined |
| Remove programs on Settings menu | Recommended setting: Enabled. This policy removes Control Panel, Printers, and Network Connections from Settings on the Classic Start menu, My Computer, and Windows Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to open Display Properties or right-clicking My Computer to open System Properties. Microsoft recommends enabling this policy to prevent easy access to viewing or changing system settings. | Not defined |
| Remove Network Connections from Start Menu | Recommended setting: Enabled. This policy prevents the Network Connections folder from opening. The policy also removes Network Connections from Settings on the Start Menu. Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears explaining that a setting prevents this action. Microsoft recommends enabling this policy to prevent users from creating new connections, such as VPN or dial-up connections. | Not defined |
| Remove Search link from Start Menu | Recommended setting: Enabled. This policy removes the Search item from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the Windows logo key)+F. In Windows Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses CTRL+F. Also, the Search item does not appear in the context menu when you right-click an icon representing a drive or a folder. | Not defined |
| Remove Drag-and-Drop context menus on the Start Menu | Recommended setting: Enabled. This policy prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. This setting does not prevent users from using other methods of customizing the Start menu or performing the tasks available from the shortcut menus. Microsoft recommends enabling this policy to remove shortcut menus from the Start menu, including tasks such as creating a new shortcut. | Not defined |
| Remove Favorites menu from Start Menu | Recommended setting: Enabled. This policy prevents users from adding the Favorites menu to the Start menu or the Classic Start menu. Use this policy if you do not want users to execute Internet Explorer. The Favorites menu does not appear on the Start menu by default, but this policy disables the Favorites link. This setting only affects the Start menu. The Favorites menu still exists in Windows Explorer and Internet Explorer. | Not defined |
| Remove Help menu from Start Menu | Recommended setting: Enabled. This policy removes the Help link from the Start menu. Microsoft recommends enabling this policy to prevent users from easily viewing System Information about the Terminal Server. | Not defined |
| Remove Run menu from Start Menu | Recommended setting: Enabled. Enabling this policy removes the Run command from the Start menu, removes New Task from Task Manager, and blocks users from typing a UNC path, local drive, or local folder into the Internet Explorer Address bar. Also, users with extended keyboards cannot display the Run dialog box by pressing Windows+R. | Not defined |
| Remove Network icon from Start Menu | Recommended setting: Enabled. This policy removes the Network icon from the Start menu. Microsoft recommends enabling this policy to prevent easy access to browsing the network. | Not defined |
| Add Logoff to the Start Menu | Recommended setting: Enabled. This policy adds the Log Off <user name> item to the Start menu and prevents users from removing it. This policy affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press CTRL+ALT+DEL or CTRL+ALT+END while using a keyboard connected to a Terminal Server client computer. | Not defined |
| Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands | Recommended setting: Enabled. This policy prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy does not prevent users from running programs to shut down Windows. Microsoft recommends enabling this policy to help remove confusion for the users and prevent administrators from shutting down the system while it is in production. | Not defined |
| Prevent changes to Taskbar and Start Menu Settings | Recommended setting: Enabled. This policy prevents users from customizing the taskbar and the Start menu. It can simplify the desktop by enforcing the configuration set by the administrator. Microsoft recommends enabling this policy to restrict the ability to add other applications to the Start menu by browsing or typing the location of an application. | Not defined |
| Remove access to the context menus for the taskbar | Recommended setting: Enabled. This policy hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons. Microsoft recommends enabling this policy to prevent potential access to files and applications by starting Windows Explorer or Search. | Not defined |
| Force classic Start Menu | Recommended setting: Enabled. When this policy is enabled, the Start menu displays the classic Start menu that Windows 2000 displays and the following standard desktop icons: Documents, Pictures, Music, Computer, and Network. When this policy is disabled, the Start menu only displays the latest UI style, which displays the desktop icons on the Start page. | Not defined |
Desktop Policy Settings
Microsoft recommends using policy settings to control the Windows Desktop in the following location of the GPMC:
User Configuration\Administrative Templates\Desktop
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.21 Desktop Policy Settings
Policy object
|
Description
|
Default
|
Remove Properties from the Documents icon context menu
|
Recommended setting: Enabled
This policy hides the Properties option of the context menu for the Documents icon.
Microsoft recommends enabling this policy if shortcut menus are not disabled and you do not want users to easily view or edit the location of their Documents folder.
|
Not defined
|
Remove Properties from the Computer icon context menu
|
Recommended setting: Enabled
This policy hides the Properties option when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Users also cannot use the ALT+ENTER key combination to display this option when Computer is selected.
|
Not defined
|
Remove Properties from the Recycle Bin context menu
|
Recommended setting: Enabled
This policy removes the Properties option from the Recycle Bin context menu.
Microsoft recommends enabling this policy if context menus are not disabled and you do not want users to easily view or change Recycle Bin settings.
|
Not defined
|
Hide Network Locations icon on desktop
|
Recommended setting: Enabled
This policy only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network with other methods.
Microsoft recommends enabling this policy to remove easy access to browsing the network for applications.
|
Not defined
|
Hide Internet Explorer icon on the desktop
|
Recommended setting: Not defined
This policy removes the Internet Explorer icon from the desktop and the Quick Launch bar on the taskbar. Microsoft does not recommend enabling this setting as it does not prevent the user from starting Internet Explorer by using other methods.
|
Not defined
|
Prohibit User from manually redirecting Profile Folders
|
Recommended setting: Enabled
This policy prevents users from changing the path to their profile folders. By default, a user can change the location of an individual profile folder, such as Documents or Music, by typing a new path in the field on the Locations tab of the folder's Properties dialog box.
Microsoft recommends enabling this policy so that users cannot use the Locations tab to browse the file system or redirect profile folders away from the administratively managed location.
|
Not defined
|
Hide and disable all items on the desktop
|
Recommended setting: Not defined
This policy removes icons, shortcuts, and other default and user-defined items from the desktop, including Recycle Bin, Computer, and Network. Removing icons and shortcuts does not prevent users from starting the programs or opening the items they represent by another method. Therefore, Microsoft does not recommend enabling this setting. Users can still save and open items on the desktop by using the common Open File dialog box or Windows Explorer; the items simply do not appear on the desktop.
|
Not defined
|
Remove My Documents icon on the desktop
|
Recommended setting: Not defined
This policy removes most occurrences of the My Documents icon. It does not prevent users from gaining access to the contents of the My Documents folder by other methods. Therefore, Microsoft does not recommend enabling this setting.
|
Not defined
|
Remove Computer icon on the desktop
|
Recommended setting: Enabled
This policy hides the Computer icon from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows and hides Computer in the Explorer folder tree pane. If the user navigates to Computer by using the Up icon while this setting is enabled, an empty Computer folder is displayed.
Microsoft recommends enabling this policy to present users with a simpler desktop and to remove easy access to Computer Management and System Properties, which users would otherwise reach by right-clicking the icon.
|
Not defined
|
Control Panel Policy Settings
Microsoft recommends using policy settings to restrict Control Panel in the following location of the GPMC:
User Configuration\Administrative Templates\Control Panel
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.22 Control Panel Policy Setting
Policy object
|
Description
|
Default
|
Prohibit access to the Control Panel
|
Recommended setting: Enabled
This policy removes access to Control Panel and disables all Control Panel programs. It also prevents Control.exe, the program file for Control Panel, from starting.
Microsoft recommends enabling this setting to prevent users from viewing or changing configuration information on the Terminal Server.
|
Not defined
|
Add or Remove Programs Policy Settings
Microsoft recommends using policy settings to control the Add or Remove Programs Control Panel item in the following location of the GPMC:
User Configuration\Administrative Templates\Control Panel\Add or Remove Programs
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.23 Add or Remove Programs Policy Setting
Policy object
|
Description
|
Default
|
Remove Add or Remove Programs
|
Recommended setting: Enabled
This policy removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. If access to Control Panel is already prohibited, you can use this policy to remove the remaining links to Add or Remove Programs from places such as Computer; a user who clicks such a link then sees an access denied message. This policy does not prevent users from installing or uninstalling programs with other tools and methods.
Microsoft recommends enabling this policy to prevent users from viewing which programs and updates are installed on the Terminal Server.
|
Not defined
|
Printer Policy Settings
Microsoft recommends using policy settings to control the Printers Control Panel item in the following location of the GPMC:
User Configuration\Administrative Templates\Control Panel\Printers
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.24 Printer Policy Setting
Policy object
|
Description
|
Default
|
Prevent addition of printers
|
Recommended setting: Enabled
This policy prevents users from using the familiar methods to add local and network printers. It does not prevent the automatic creation of Terminal Server redirected printers, nor does it prevent users from running other programs to add printers.
Microsoft recommends enabling this policy to prevent users from browsing the network or searching Active Directory for printers.
|
Not defined
|
For more information about controlling the security of printers, see Chapter 8, "Hardening Print Services" of this guide.
System Policy Settings
Microsoft recommends using policy settings to control the System in the following location of the GPMC:
User Configuration\Administrative Templates\System
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.25 System Policy Settings
Policy object
|
Description
|
Default
|
Prevent access to the command prompt
|
Recommended setting: Enabled
Set the option Disable the command prompt script processing also to No, so that batch files continue to run.
This policy prevents users from running the interactive command prompt, Cmd.exe, from which they could start applications. The option above also determines whether batch files (.cmd and .bat files) can run on the computer.
Important: Do not prevent the computer from running batch files on a Terminal Server. This policy does not prevent access to Command.com, the 16-bit command interpreter. To disable Command.com, restrict access to it with NTFS permissions, or disable all 16-bit applications with the Prevent access to 16-bit applications policy setting.
Microsoft recommends enabling the Prevent access to the command prompt policy setting so that users cannot bypass other policy settings by using the command prompt in place of Windows Explorer as their shell.
|
Not defined
|
Prevent access to registry editing tools
|
Recommended setting: Enabled
This policy blocks user access to Regedit.exe. It does not prevent other applications (for example, Reg.exe or scripts) from editing the registry.
Microsoft recommends enabling this policy to prevent users from editing the registry to change their shell to the command prompt or to bypass other policies.
|
Not defined
|
Run only specified Windows applications
|
Recommended setting: Enabled – Define list of authorized applications
This policy prevents only the running of programs that Windows Explorer starts. It does not prevent users from running programs such as Task Manager that are started by a system process. Also, if users can access the command prompt, Cmd.exe, this setting does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.
Microsoft recommends enabling this policy so that users can run only the programs added to the List of Allowed Applications.
|
Not defined
|
Ctrl+Alt+Del Options Policy Settings
Microsoft recommends using policy settings to control the CTRL+ALT+DEL options in the following location of the GPMC:
User Configuration\Administrative Templates\System\Ctrl+Alt+Del Options
The following table identifies policy object names, recommended settings and setting descriptions, and the setting defaults in Windows Server 2008.
Table 11.26 Ctrl+Alt+Del Options Policy Settings
Policy object
|
Description
|
Default
|
Remove Task Manager
|
Recommended setting: Enabled
This policy prevents users from starting Task Manager.
Microsoft recommends enabling this policy to prevent users from using Task Manager to start and stop programs, monitor the performance of the Terminal Server, and search for the executable names of applications.
|
Not defined
|
Remove Lock Computer
|
Recommended setting: Not defined
This policy prevents users from locking their sessions. Users can still disconnect and log off. While a session is locked, its desktop cannot be used, and only the user who locked it or an administrator can unlock it. Microsoft does not recommend enabling this setting, because users may need to lock their session to prevent access to it while they are away from their computer.
|
Not defined
|
Scripts Policy Settings
Microsoft recommends using policy settings to control script execution behavior in the following location of the GPMC:
User Configuration\Administrative Templates\System\Scripts
The following table identifies the policy object name, the recommended setting and setting description, and the setting default in Windows Server 2008.
Table 11.27 Script Policy Setting
Policy object
|
Description
|
Default
|
Run legacy logon scripts hidden
|
Recommended setting: Enabled
This policy hides the commands of logon scripts written for Windows NT 4.0 and earlier, so that the script's console window is not displayed while it runs.
Microsoft recommends enabling this policy to prevent users from viewing or interrupting logon scripts written for Windows NT 4.0 or earlier.
|
Not defined
|
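The following PowerShell script is an added example and is not part of the Windows Server 2008 Security Guide. Run it inside a Remote Desktop session of a test user from the locked-down OU, after gpupdate /force, to confirm that the user-policy settings recommended as Enabled in Tables 11.21 through 11.26 actually reached the session. The registry keys and value names are those the Windows ADMX templates write for each setting (assumed here; confirm them against the templates in your environment), and the function names Test-TsUserPolicy and Get-TsAllowedApplications are the example's own.

```powershell
# Added example, not code from the Windows Server 2008 Security Guide.
# Reads HKCU, so it reports only the policy applied to the user running it:
# run it as the test user in the locked-down OU, not as an administrator.

$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$spol = 'HKCU:\Software\Policies\Microsoft\Windows'

# One entry per recommended "Enabled" setting. Ok lists the registry data that
# means "enabled as the guide intends". Two values need care:
#   DisableCMD: 1 also blocks .bat/.cmd processing; the guide wants 2 (prompt off, scripts still run).
#   DisableRegistryTools: 1 blocks Regedit.exe including silent (/s) imports, 2 blocks interactive use only.
$checks = @(
    @{ Name = 'Remove Properties from the Documents icon context menu'; Key = "$pol\Explorer";  Value = 'NoPropertiesMyDocuments';  Ok = @(1) }
    @{ Name = 'Remove Properties from the Computer icon context menu';  Key = "$pol\Explorer";  Value = 'NoPropertiesMyComputer';   Ok = @(1) }
    @{ Name = 'Remove Properties from the Recycle Bin context menu';    Key = "$pol\Explorer";  Value = 'NoPropertiesRecycleBin';   Ok = @(1) }
    @{ Name = 'Prohibit User from manually redirecting Profile Folders'; Key = "$pol\Explorer"; Value = 'DisablePersonalDirChange'; Ok = @(1) }
    @{ Name = 'Remove Computer icon on the desktop';   Key = "$pol\NonEnum";   Value = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'; Ok = @(1) }
    @{ Name = 'Hide Network Locations icon on desktop'; Key = "$pol\NonEnum";  Value = '{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}'; Ok = @(1) }
    @{ Name = 'Prohibit access to the Control Panel';  Key = "$pol\Explorer";  Value = 'NoControlPanel';       Ok = @(1) }
    @{ Name = 'Remove Add or Remove Programs';         Key = "$pol\Uninstall"; Value = 'NoAddRemovePrograms';  Ok = @(1) }
    @{ Name = 'Prevent addition of printers';          Key = "$pol\Explorer";  Value = 'NoAddPrinter';         Ok = @(1) }
    @{ Name = 'Prevent access to the command prompt (script processing allowed)'; Key = "$spol\System"; Value = 'DisableCMD'; Ok = @(2) }
    @{ Name = 'Prevent access to registry editing tools'; Key = "$pol\System"; Value = 'DisableRegistryTools'; Ok = @(1, 2) }
    @{ Name = 'Run only specified Windows applications'; Key = "$pol\Explorer"; Value = 'RestrictRun';         Ok = @(1) }
    @{ Name = 'Remove Task Manager';                   Key = "$pol\System";    Value = 'DisableTaskMgr';       Ok = @(1) }
)

function Test-TsUserPolicy {
    # Compares each recommended setting with the value present in the user's policy hive.
    param([hashtable[]]$Checks = $checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Key) {
            $actual = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        if ($null -eq $actual) { $shown = 'Not defined' } else { $shown = $actual }
        if (($null -ne $actual) -and ($c.Ok -contains $actual)) { $status = 'OK' } else { $status = 'MISSING' }
        New-Object PSObject -Property @{ Setting = $c.Name; Actual = $shown; Status = $status } |
            Select-Object Setting, Actual, Status
    }
}

function Get-TsAllowedApplications {
    # Returns the executables in the "Run only specified Windows applications" allow list,
    # which the policy stores as numbered values under the RestrictRun subkey.
    $listKey = "$pol\Explorer\RestrictRun"
    if (-not (Test-Path -Path $listKey)) { return @() }
    $key = Get-Item -Path $listKey
    foreach ($n in $key.GetValueNames()) { $key.GetValue($n) }
}

Test-TsUserPolicy | Format-Table -Property Setting, Actual, Status -AutoSize
Write-Host 'Allowed applications:'
Get-TsAllowedApplications
```

A MISSING row for "Prevent access to the command prompt" with an Actual of 1 means the policy was enabled with script processing disabled as well, which is the configuration the table warns against; batch-based logon and application launch scripts will fail in that session until the option is changed to No. An empty allow list with RestrictRun set to 1 means the user can run nothing from Explorer, so check that output before moving real users into the OU.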