Terminal Services Lockdown Checklist

Note: This is a work in progress

[Computer Configuration\Administrative Templates\System\Group Policy]

Enable the following setting:
User Group Policy loopback processing mode (set the mode to Replace so that only the user settings in the GPO linked to the Terminal Server's OU apply to everyone who logs on, administrators included; Merge applies them on top of the user's own GPOs)

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Enable the following settings:
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only

[Computer Configuration\Administrative Templates\Windows Components\Windows Installer]

Enable the following setting, and set it to Always:
Disable Windows Installer

Note: The default setting for Disable Windows Installer only prevents non-managed applications from being installed by a non-administrator. Setting Disable Windows Installer to Always may prevent some of the newer updates from Windows Update from being applied. Therefore, only set Disable Windows Installer to Always if there is a specific need or an identified threat that you must address.

[User Configuration\Windows Settings\Folder Redirection]

Enable the following settings:
Application Data
Desktop
My Documents
Start Menu

[User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Enable the following settings:
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer’s default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (choose "Restrict A, B, C and D drives only")
Prevent access to drives from My Computer (choose "Restrict A, B, C and D drives only")
Note: "Hide" only removes the icons; a hidden drive is still reachable by typing its path. "Prevent access" blocks the drives in Windows Explorer, My Computer, Run and the common Open/Save dialogs, but not from a program that opens the path directly, which is why the command prompt and the Run menu are removed further down.
Hide Hardware Tab

[User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Enable the following settings:
Prevent Task Run or End
Disable New Task Creation

[User Configuration\Administrative Templates\Start Menu & Taskbar]

Enable the following settings:
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable and remove the Shut Down command
Disable changes to Taskbar and Start Menu Settings

[User Configuration\Administrative Templates\Desktop]

Enable the following settings:
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path

[User Configuration\Administrative Templates\Control Panel]

Enable the following setting:
Disable Control Panel
Important: When you enable this setting, you also prevent administrators from installing any MSI package onto the Terminal Server, even if an explicit Deny is set for the Administrator account on the GPO.

[User Configuration\Administrative Templates\System]

Enable the following settings:
Disable the command prompt (set "Disable the command prompt script processing also?" to No, so that logon scripts and other batch files still run)
Disable registry editing tools

[User Configuration\Administrative Templates\System\Logon/Logoff]

Enable the following settings:
Disable Task Manager
Disable Lock Computer

[Computer Configuration\Administrative Templates\System\User Profiles]

Enable the following setting:
Delete Cached Copies of Roaming Profiles

[User Configuration\Administrative Templates\Internet Explorer\Internet Control Panel\Advanced Page]

Enable the following setting:
Empty Temporary Internet Files Folder when browser is closed

Turn off Internet Explorer Enhanced Security Configuration for regular users
Note: On Windows Server 2003 this is not a Group Policy setting. It is switched off per group (Administrators, All other user groups) through Add or Remove Programs > Add/Remove Windows Components > Internet Explorer Enhanced Security Configuration.
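Once the GPO is linked and a test user has logged on to the Terminal Server (after gpupdate /force), it is worth checking that the settings actually landed instead of trusting the console. The following PowerShell audit script is an added example, not part of the original checklist or of any Microsoft tool; it reads the registry values that the policies above write and reports each one as OK or MISSING. The value names and expected data are taken from the ADM templates of the period (System.adm, Inetres.adm) as I remember them; treat them as assumptions and confirm any entry against the .adm file for your OS version before relying on it.

```powershell
# Audit script for the Terminal Services lockdown checklist (added example, not
# from the original post). Run it inside a Terminal Services session as a
# locked-down test user; HKCU entries reflect that user, HKLM entries the server.
# Registry value names/expected data below are assumptions from the ADM templates.

# Bitmask used by "Hide these specified drives" / "Prevent access to drives":
# bit 0 = A, bit 1 = B, bit 2 = C, bit 3 = D, so "A through D" is 1+2+4+8 = 15.
function Get-DriveMask {
    param([string[]]$Letters)
    $mask = 0
    foreach ($l in $Letters) {
        $bit = [int][char]$l.ToUpper() - [int][char]'A'
        $mask = $mask -bor [int][math]::Pow(2, $bit)
    }
    return $mask
}

$hkcuExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hkcuSystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmSystem   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon     = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$driveMask    = Get-DriveMask 'A','B','C','D'

# One entry per checklist item: where the policy writes, and what "enabled" looks like.
$checks = @(
    @{ Setting='Loopback processing mode (1=Merge, 2=Replace)';
       Path='HKLM:\Software\Policies\Microsoft\Windows\System'; Name='UserPolicyMode'; Expected=@(1,2) }
    @{ Setting='Do not display last user name';
       Path=$hklmSystem; Name='DontDisplayLastUserName'; Expected=@(1) }
    @{ Setting='Restrict CD-ROM access to locally logged-on user';
       Path=$winlogon; Name='AllocateCDRoms'; Expected=@('1') }
    @{ Setting='Restrict floppy access to locally logged-on user';
       Path=$winlogon; Name='AllocateFloppies'; Expected=@('1') }
    @{ Setting='Disable Windows Installer = Always';
       Path='HKLM:\Software\Policies\Microsoft\Windows\Installer'; Name='DisableMSI'; Expected=@(2) }
    @{ Setting='Delete cached copies of roaming profiles';
       Path='HKLM:\Software\Policies\Microsoft\Windows\System'; Name='DeleteRoamingCache'; Expected=@(1) }
    @{ Setting='Hide drives A-D in My Computer';
       Path=$hkcuExplorer; Name='NoDrives'; Expected=@($driveMask) }
    @{ Setting='Prevent access to drives A-D';
       Path=$hkcuExplorer; Name='NoViewOnDrive'; Expected=@($driveMask) }
    @{ Setting='Remove Map/Disconnect Network Drive';
       Path=$hkcuExplorer; Name='NoNetConnectDisconnect'; Expected=@(1) }
    @{ Setting='Remove Run menu';
       Path=$hkcuExplorer; Name='NoRun'; Expected=@(1) }
    @{ Setting='Disable Control Panel';
       Path=$hkcuExplorer; Name='NoControlPanel'; Expected=@(1) }
    @{ Setting='Disable command prompt, scripts still allowed (1; 2 would block scripts)';
       Path='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Expected=@(1) }
    @{ Setting='Disable registry editing tools';
       Path=$hkcuSystem; Name='DisableRegistryTools'; Expected=@(1) }
    @{ Setting='Disable Task Manager';
       Path=$hkcuSystem; Name='DisableTaskMgr'; Expected=@(1) }
    @{ Setting='Disable Lock Computer';
       Path=$hkcuSystem; Name='DisableLockWorkstation'; Expected=@(1) }
)

function Test-LockdownPolicy {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Missing value (policy not applied) comes back as $null.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        $ok = ($null -ne $actual) -and ($c.Expected -contains $actual)
        New-Object PSObject -Property @{
            Setting  = $c.Setting
            Value    = "$($c.Path)\$($c.Name)"
            Expected = ($c.Expected -join ' or ')
            Actual   = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Status   = $(if ($ok) { 'OK' } else { 'MISSING' })
        }
    }
}

Test-LockdownPolicy -Checks $checks |
    Select-Object Status, Setting, Expected, Actual, Value |
    Format-Table -AutoSize
```

A MISSING row for an HKCU entry usually means loopback processing is not in effect for that session (the user settings of the Terminal Server GPO never applied), so check the loopback row first; a MISSING DisableMSI row is expected if you chose not to set Disable Windows Installer to Always, per the note above.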

Links:

http://www.msterminalservices.org/articles/Locking-Down-Windows-Terminal-Services.html
http://support.microsoft.com/?kbid=278295
http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=37&threadid=45686&enterthread=y
http://www.msterminalservices.org/articles/Managing-Terminal-Services-Group-Policy.html
