Microsoft KB Archive/278295

= How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session =

Article ID: 278295

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q278295



SUMMARY
You can use Group Policies to lock down a Terminal Server session on a Microsoft Windows Server 2003-based or Microsoft Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new organizational unit instead of modifying the policies on an existing one.

Note The use of these policies does not guarantee a secure computer, and you should use them only as a guideline.



MORE INFORMATION
Use Active Directory Users and Computers to create a new organizational unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:

[Computer Configuration\Admin Templates\System\Group Policy]

Enable the following setting:

User Group Policy loopback processing mode

 [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Enable the following settings:

Do not display last user name in logon screen

Restrict CD-ROM access to locally logged-on user only

Restrict floppy access to locally logged-on user only

 [Computer Configuration\Administrative Templates\Windows Components\Windows Installer]

Enable the following setting, and set it to Always:

Disable Windows Installer

Note The default setting for Disable Windows Installer prevents any non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, we recommend that you only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.

[User Configuration\Windows Settings\Folder Redirection]

Enable the following settings:

Application Data

Desktop

My Documents

Start Menu

 [User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Enable the following settings:

Remove Map Network Drive and Disconnect Network Drive

Remove Search button from Windows Explorer

Disable Windows Explorer's default context menu

Hides the Manage item on the Windows Explorer context menu

Hide these specified drives in My Computer (Enable this setting for A through D.)

Prevent access to drives from My Computer (Enable this setting for A through D.)

Hide Hardware Tab

 [User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Enable the following settings:

Prevent Task Run or End

Disable New Task Creation

 [User Configuration\Administrative Templates\Start Menu & Taskbar]

Enable the following settings:

Disable and remove links to Windows Update

Remove common program groups from Start Menu

Disable programs on Settings Menu

Remove Network & Dial-up Connections from Start Menu

Remove Search menu from Start Menu

Remove Help menu from Start Menu

Remove Run menu from Start Menu

Add Logoff to Start Menu

Disable and remove the Shut Down command

Disable changes to Taskbar and Start Menu Settings

[User Configuration\Administrative Templates\Desktop]

Enable the following settings:

Hide My Network Places icon on desktop

Prohibit user from changing My Documents path

[User Configuration\Administrative Templates\Control Panel]

Enable the following setting:

Disable Control Panel

Important When you enable this setting, you prevent administrators from installing any MSI package onto the Terminal Server, even if the explicit Deny is set for the Administrator account.

[User Configuration\Administrative Templates\System]

Enable the following settings:

Disable the command prompt (Set Disable scripts to No)

Disable registry editing tools

[User Configuration\Administrative Templates\System\Logon/Logoff]

Enable the following settings:

Disable Task Manager

Disable Lock Computer

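After the policy has applied, a quick way to confirm that the lockdown actually reached the session is to read the registry values the policies write. The script below is an added example, not part of this article or of a Microsoft tool; it assumes PowerShell is available on the Terminal Server, and the registry paths, value names and expected values are assumed mappings from the policy names above (a subset of the settings listed), not something the article states.

```powershell
# Added example: audit the effective policy registry values behind a subset of
# the settings this article enables. Registry mappings are assumptions drawn
# from the policy names, not from the article. Run inside the locked-down
# Terminal Server session as an ordinary test user; the HKLM checks only need
# read access to the machine hive.

$checks = @(
    # Computer Configuration
    @{ Name = 'User Group Policy loopback processing mode'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\System'
       Value = 'UserPolicyMode'; Expected = @(1, 2) }   # 1 = Merge, 2 = Replace
    @{ Name = 'Do not display last user name in logon screen'
       Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DontDisplayLastUserName'; Expected = @(1) }
    @{ Name = 'Disable Windows Installer = Always'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
       Value = 'DisableMSI'; Expected = @(2) }           # 2 = Always
    # User Configuration (loopback applies these to everyone who logs on)
    @{ Name = 'Hide these specified drives in My Computer (A through D)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDrives'; Expected = @(15) }            # bitmask A=1 B=2 C=4 D=8
    @{ Name = 'Prevent access to drives from My Computer (A through D)'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoViewOnDrive'; Expected = @(15) }
    @{ Name = 'Disable Control Panel'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoControlPanel'; Expected = @(1) }
    @{ Name = 'Disable the command prompt (Disable scripts = No)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Value = 'DisableCMD'; Expected = @(2) }           # 1 would also block scripts
    @{ Name = 'Disable registry editing tools'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableRegistryTools'; Expected = @(1) }
    @{ Name = 'Disable Task Manager'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr'; Expected = @(1) }
    @{ Name = 'Disable Lock Computer'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableLockWorkstation'; Expected = @(1) }
)

foreach ($c in $checks) {
    # A missing value means the policy never applied (wrong OU, loopback off,
    # or gpupdate not yet run); a WRONG value means a different setting won.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $status = 'WRONG'
    if ($null -eq $actual) { $status = 'MISSING' }
    elseif ($c.Expected -contains $actual) { $status = 'OK' }
    '{0,-8} {1} (found: {2})' -f $status, $c.Name, $actual
}
```

Any line reporting MISSING or WRONG points at a policy that did not take effect for that user; check OU membership and loopback mode before trusting the session as locked down.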

For information on locking down Windows Server 2003 Terminal Server Sessions, visit the following Web page:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en

Additional query words: desktop

Keywords: kbhowto kbnetwork KB278295

-


© Microsoft Corporation. All rights reserved.