Terminal Server Security

How to Lock Down a Windows 2000 Terminal Server Session

The information in this article applies to:

	Microsoft Windows 2000 Server
	Microsoft Windows 2000 Advanced Server

This article was previously published under Q278295

SUMMARY

You can use Group Policies to lock down a Terminal Server session on a Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new Organizational Unit instead of modifying the polices on an existing one.

Note: The use of these policies does not guarantee a secure computer, and you should use them only as a guideline.

MORE INFORMATION

Use Active Directory Users and Computers to create a new Organizational Unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:

	[Computer Configuration\Admin Templates\System\Group Policy] Enable the following setting: User Group Policy loopback processing mode
	[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options] Enable the following settings: Do not display last user name in logon screen Restrict CD-ROM access to locally logged-on user only Restrict floppy access to locally logged-on user only
	[Computer Configuration\Administrative Templates\Windows Components\Windows Installer] Enable the following setting, and set it to Always: Disable Windows Installer
	[User Configuration\Windows Settings\Folder Redirection] Enable the following settings: Application Data Desktop My Documents Start Menu
	[User Configuration\Administrative Templates\Windows Components\Windows Explorer] Enable the following settings: Remove Map Network Drive and Disconnect Network Drive Remove Search button from Windows Explorer Disable Windows Explorer's default context menu Hides the Manage item on the Windows Explorer context menu Hide these specified drives in My Computer (Enable this setting for A through D.) Prevent access to drives from My Computer (Enable this setting for A through D.) Hide Hardware Tab
	[User Configuration\Administrative Templates\Windows Components\Task Scheduler] Enable the following settings: Prevent Task Run or End Disable New Task Creation
	[User Configuration\Administrative Templates\Start Menu & Taskbar] Enable the following settings: Disable and remove links to Windows Update Remove common program groups from Start Menu Disable programs on Settings Menu Remove Network & Dial-up Connections from Start Menu Remove Search menu from Start Menu Remove Help menu from Start Menu Remove Run menu from Start Menu Add Logoff to Start Menu Disable and remove the Shut Down command Disable changes to Taskbar and Start Menu Settings
	[User Configuration\Administrative Templates\Desktop] Enable the following settings: Hide My Network Places icon on desktop Prohibit user from changing My Documents path
	[User Configuration\Administrative Templates\Control Panel] Enable the following setting: Disable Control Panel
	[User Configuration\Administrative Templates\System] Enable the following settings: Disable the command prompt (Set Disable scripts to No) Disable registry editing tools
	[User Configuration\Administrative Templates\System\Logon/Logoff] Enable the following settings: Disable Task Manager Disable Lock Computer

Copyright © 2011 Compulink Business Systems. All rights reserved.
Last modified: 05/14/12.