04 February, 2012

Terminal Server Lockdown

Terminal Servers are among the most critical servers in a domain. Applications are deployed on a Terminal Server so that users can open an RDP session to it and access the applications there. This way, an administrator does not have to install the applications on each and every client machine.

There is also the case of resource-hungry applications, which would otherwise make a hardware upgrade on every client machine mandatory. With a Terminal Server, we just need to upgrade one server (the Terminal Server), install all the applications on it and let the users open a remote session to it. In this scenario, the hardware used for those applications is that of the Terminal Server and not that of the client machine.

Since the Terminal Server plays such an important role, it is very important for an administrator to secure it. Exploring what is hidden is a human tendency. There may be a few users who, once they have a remote session on the Terminal Server, try to explore it and might do some harm (in terms of data, trying to get the product keys of the software, etc.).

The best way to secure a Terminal Server while still granting users access to it is to lock it down. Locking down means restricting users' access to only those applications which they require.

Let's see how we can lock down a Terminal Server.

The following Group Policies need to be enabled on the Terminal Server











The effect of those Group Policies will be as follows. We will now have only 3 icons: “Libraries”, “Control Panel” and the application (which the user should get).

Our goal will now be to remove “Libraries” and “Control Panel” from the Desktop.





The following keys need to be deleted from the Terminal Server so that users will not get the “Libraries” and “Control Panel” icons on the desktop

To hide icons “Libraries” and “Control Panel” available on the desktop

Remove the Libraries icon from the desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{031E4825-7B94-4dc3-B131-E946B44C8DD5}]

Remove Control Panel icon from the desktop

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{26EE0668-A00A-44D7-9371-BEB064C98683}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}]







To hide the user's files folder from the Desktop, create the following key and value

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\

Value: {59031a47-3f72-44a7-89c5-5595fe6b30ee}
Type: REG_DWORD
Data: 0 (display), 1 (hide)

To Disable Right Click

User Key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

System Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]

Value Name: NoViewContextMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

To hide the Administrative Tools option from the Start menu for normal users through GPO

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value Name: Start_AdminToolsRoot
Value Data: 0

Once the keys are deleted, we will have only the application that we want the user to get.
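The registry changes listed above, collected into one PowerShell script that backs up each desktop NameSpace key before deleting it. This is an added example, not the author's own script; the `$BackupDir` path, the `-Machine` and `-User` switches and the `Set-DwordValue` helper are assumptions made for illustration.

```powershell
# Added example: applies the registry changes listed in this post.
# $BackupDir, the two switches and Set-DwordValue are hypothetical names, not from the post.
param(
    [string]$BackupDir = 'C:\LockdownBackup',  # assumed backup location
    [switch]$Machine,   # delete the HKLM desktop NameSpace keys (needs elevation)
    [switch]$User       # set the HKCU values for the account running the script
)

$nsRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace'
$nsKeys = @(
    '{031E4825-7B94-4dc3-B131-E946B44C8DD5}',  # Libraries (per the post)
    '{26EE0668-A00A-44D7-9371-BEB064C98683}',  # Control Panel (per the post)
    '{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}'   # Control Panel (per the post)
)

function Set-DwordValue([string]$Key, [string]$Name, [int]$Data) {
    # Create the key only if it is missing (New-Item -Force on an existing
    # registry key would wipe its values), then write the DWORD value.
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -LiteralPath $Key -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
}

if ($Machine) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($guid in $nsKeys) {
        $key = "$nsRoot\$guid"
        if (-not (Test-Path -LiteralPath $key)) { Write-Output "Already absent: $guid"; continue }
        # Export first so the key can be restored later with 'reg import'.
        $file = Join-Path $BackupDir "$guid.reg"
        & reg.exe export ($key -replace '^HKLM:', 'HKLM') $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed for $guid, key not deleted" }
        Remove-Item -LiteralPath $key -Recurse
        Write-Output "Deleted $guid (backup: $file)"
    }
}

if ($User) {
    $cv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    # Hide the user's files folder from the desktop (1 = hide).
    Set-DwordValue "$cv\Explorer\HideDesktopIcons\ClassicStartMenu" '{59031a47-3f72-44a7-89c5-5595fe6b30ee}' 1
    # Disable right click on the desktop (1 = enabled).
    Set-DwordValue "$cv\Policies\Explorer" 'NoViewContextMenu' 1
    # Hide Administrative Tools from the Start menu.
    Set-DwordValue "$cv\Explorer\Advanced" 'Start_AdminToolsRoot' 0
}
```

Run it with `-Machine` from an elevated prompt on the Terminal Server, and with `-User` in the restricted user's own session (for example as a logon script), since HKEY_CURRENT_USER values apply only to the account that writes them.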