Locking down a Terminal Services session

Status
Not open for further replies.

Osiris

Golden Master
Messages
36,817
Location
Kentucky
Computer security is of the utmost importance. However, in addition to preventing attacks from the outside, you should also protect against those in your organisation that may wish to disrupt your business. Whilst you should protect important servers, such as your mail and database servers, you should also think about protecting individual machines.

If one of your users breaks his own machine, it isn't that much of a problem. However, if you happen to use a Terminal Server, one user breaking his 'machine' can affect all of the other users on that server too. Therefore, it's important to secure each user's session so that they don't have access to anything that could damage the system, unintentionally or otherwise.

These instructions assume that you are using Windows 2000 with Active Directory.

To lock down a terminal session, create an Organisational Unit to contain the user accounts of your terminal server users. Then create a Group Policy object linked to this OU.

To create a Group Policy Object for the new OU:

Right-click on the OU and select Properties. On the Properties page, click the Group Policy tab.
Click the New button. A new policy will appear in the list. You can name it according to your wishes.
To edit the Group Policy object, click Edit.
A group policy is split into two sections - computer and user. Because you're locking down a terminal session, you only want to apply policy settings to the user (the computer half of the GPO has nothing to do here, so it can be disabled on the GPO's Properties page). The Group Policy is arranged as a tree. You can drill down through the different sections, and we will give each policy below as a path. To enable a policy, double-click on the individual entry, then select the Enabled option.

Policies to be considered (note that several of these only remove items from the user interface; the ones that actually block access, such as Prevent access to drives, Disable the command prompt and Disable registry editing tools, are the ones doing the security work, so don't rely on the cosmetic ones alone):

User Configuration\Administrative Templates\Windows Components\Windows Explorer
  Remove Map Network Drive and Disconnect Network Drive
  Remove Search button from Windows Explorer
  Disable Windows Explorer's default context menu
  Hides the Manage item on the Windows Explorer context menu
  Hide these specified drives in My Computer
  Prevent access to drives from My Computer
  Hide Hardware Tab
User Configuration\Administrative Templates\Windows Components\Task Scheduler
  Prevent Task Run or End
  Disable New Task Creation
User Configuration\Administrative Templates\Start Menu & Taskbar
  Disable and remove links to Windows Update
  Remove common program groups from Start Menu
  Disable programs on Settings Menu
  Remove Network & Dial-up Connections from Start Menu
  Remove Search menu from Start Menu
  Remove Help menu from Start Menu
  Remove Run menu from Start Menu
  Add Logoff to Start Menu
  Disable and remove the Shut Down command
  Disable changes to Taskbar and Start Menu Settings
User Configuration\Administrative Templates\Desktop
  Hide My Network Places icon on desktop
  Prohibit user from changing My Documents path
User Configuration\Administrative Templates\Control Panel
  Disable Control Panel
User Configuration\Administrative Templates\System
  Disable the command prompt (set "Disable the command prompt script processing also?" to No, otherwise logon scripts will stop running)
  Disable registry editing tools
User Configuration\Administrative Templates\System\Logon / Logoff
  Disable Task Manager
  Disable Lock Computer
In addition, you may also wish to set the contents of the user's Start Menu and Desktop, and keep their My Documents and Application Data folders in a central location on a file server rather than in the profile on the terminal server. To do this, go to:

User Configuration\Windows Settings\Folder Redirection
  Application Data
  Desktop
  My Documents
  Start Menu

To set Folder Redirection, right-click on the folder you wish to redirect, then select Properties.
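Scripted equivalent of the steps above, added here as an example; it is not part of the original post. Windows 2000 had no PowerShell, so this uses the ActiveDirectory and GroupPolicy modules of a Windows Server 2008 R2 or later domain controller. The OU and GPO names are placeholders, and folder redirection is left to the editor because it is not a registry-based setting. Every Administrative Template policy in the list is just a registry value under HKCU, and the values written here are the ones behind the listed policies:

```powershell
# Added example (not from the original post). Assumes a domain controller with the
# ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later).
# OU and GPO names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=local
$OuName   = 'Terminal Server Users'            # placeholder
$GpoName  = 'TS User Lockdown'                 # placeholder

# 1. OU to hold the terminal server user accounts (created only if missing).
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -PassThru
}

# 2. GPO linked to that OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 3. User Configuration settings. The comment on each line is the policy name
#    as it appears in the Group Policy editor.
$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$settings = @(
    @{ Key=$Explorer; Name='NoNetConnectDisconnect'; Value=1 }  # Remove Map Network Drive and Disconnect Network Drive
    @{ Key=$Explorer; Name='NoDrives';       Value=0x3FFFFFF }  # Hide these specified drives (bitmask, all 26 drive letters)
    @{ Key=$Explorer; Name='NoViewOnDrive';  Value=0x3FFFFFF }  # Prevent access to drives (the one that actually enforces)
    @{ Key=$Explorer; Name='NoFind';         Value=1 }          # Remove Search menu from Start Menu
    @{ Key=$Explorer; Name='NoSMHelp';       Value=1 }          # Remove Help menu from Start Menu
    @{ Key=$Explorer; Name='NoRun';          Value=1 }          # Remove Run menu from Start Menu
    @{ Key=$Explorer; Name='NoClose';        Value=1 }          # Disable and remove the Shut Down command
    @{ Key=$Explorer; Name='NoControlPanel'; Value=1 }          # Disable Control Panel
    @{ Key=$System;   Name='DisableRegistryTools';   Value=1 }  # Disable registry editing tools
    @{ Key=$System;   Name='DisableTaskMgr';         Value=1 }  # Disable Task Manager
    @{ Key=$System;   Name='DisableLockWorkstation'; Value=1 }  # Disable Lock Computer
    # Disable the command prompt: 1 = cmd.exe blocked but script processing
    # still allowed ("Disable scripts" = No); 2 would also break logon scripts.
    @{ Key='HKCU\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Value=1 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name `
        -Type DWord -Value $s.Value | Out-Null
}

# 4. Show what ended up in the GPO under the Explorer key.
Get-GPRegistryValue -Name $GpoName -Key $Explorer | Select-Object ValueName, Value
```

Run it as a domain administrator on a domain controller, then log on to the terminal server as a test user from the OU and run gpresult /r to confirm the GPO is listed under the user section. NoDrives only hides the drives; NoViewOnDrive is the value that refuses access when a user types a path into a dialog box, which is why both are set.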

If you already have group policies configured for your users but wish to apply alternative policies when said users are using a terminal services box, you may wish to consider implementing policy loopback processing.

A user account can only sit in one OU, and a user policy cannot tell what type of machine the user has logged on to. Loopback processing gets around this: it allows user settings to be applied from a policy linked to an OU that contains only the computer accounts of the machines involved.

When a user logs on to a machine inside that OU, the user settings defined in the computer's policy are applied. The policy can either be set to merge with or replace the policy defined for the user's own OU. Because this happens regardless of who logs on, it's important to set the permissions on the loopback policy correctly, otherwise administrative users will have the same restrictions applied to them.

To set a loopback policy:

Create an OU to hold the computer accounts of the terminal server machines to which you wish to apply the loopback policy.
Move the computer accounts into the created OU.
Create a group policy for the created OU. Set its permissions so that it does not apply to administrative users (for example, deny them Apply Group Policy, or grant Apply Group Policy only to the group of terminal server users).
If you want to have another policy applied to administrative users, then create a separate policy with application permissions only for administrative users and repeat the steps listed below.
Edit the created group policy and apply all the user settings as necessary.
To make the policy work in loopback processing mode, open: Computer Configuration\Administrative Templates\System\Group Policy
Double-click on User Group Policy loopback processing mode.
Select Enabled then select the processing mode.
Replace is generally preferred to Merge because the results of merging can be hard to predict. In Merge mode the user's own GPOs are processed first and the user settings from the computer's GPOs are applied afterwards, so where both define the same setting the computer-side GPO wins.
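The loopback procedure above, scripted as an added example that is not part of the original post. As before, it uses the ActiveDirectory and GroupPolicy modules of a Windows Server 2008 R2 or later domain controller rather than the Windows 2000 tools; the OU, GPO, group and server names are placeholders. Set-GPPermission cannot write a Deny entry, so instead of denying administrators, Apply Group Policy is taken away from Authenticated Users and granted only to the restricted user group and to the terminal server computer accounts, which has the same effect:

```powershell
# Added example (not from the original post). Assumes a domain controller with the
# ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later).
# OU, GPO, group and computer names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN      = (Get-ADDomain).DistinguishedName
$OuName        = 'Terminal Servers'            # placeholder: holds computer accounts only
$GpoName       = 'TS Loopback Lockdown'        # placeholder
$Servers       = @('TS01', 'TS02')             # placeholder terminal server names
$UserGroup     = 'TS Users'                    # placeholder: users who should be restricted
$ComputerGroup = 'TS Computers'                # placeholder: group holding the server accounts

# 1. OU for the terminal server computer accounts, then move the accounts in.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN
if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -PassThru }
foreach ($name in $Servers) {
    Get-ADComputer $name | Move-ADObject -TargetPath $ou.DistinguishedName
}

# A group for the server accounts, so they can be given Apply on the GPO.
$grp = Get-ADGroup -LDAPFilter "(sAMAccountName=$ComputerGroup)"
if (-not $grp) {
    $grp = New-ADGroup -Name $ComputerGroup -GroupScope Global -Path $ou.DistinguishedName -PassThru
}
foreach ($name in $Servers) {
    Add-ADGroupMember -Identity $grp -Members (Get-ADComputer $name)
}

# 2. GPO linked to the computer OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes `
    -ErrorAction SilentlyContinue | Out-Null

# 3. Loopback is a Computer Configuration setting. "User Group Policy loopback
#    processing mode" writes UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. User Configuration settings that should only bite on the terminal servers
#    (two of the post's examples; add the others the same way).
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 5. Security filtering. Authenticated Users keeps Read only (the servers must
#    still be able to read the GPO); Apply goes to the restricted users and to
#    the server accounts (which need it for the loopback flag itself).
#    Administrators who are not in $UserGroup do not get the user settings.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $UserGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 6. Show the resulting filtering for review.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

Reboot the terminal servers (or run gpupdate /force on them) after the computer accounts move OUs and join the group, since group membership is only picked up at logon. Then log on as a member of the restricted group and as an administrator and compare gpresult /r /scope user on each: the loopback GPO should appear in the first case only.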
 