Server 2012 RD Session Host Lockdown Policy

Hi everyone -

I recently finished a go-live with my first multi-server Windows 2012 R2 environment. Thanks to some great help I received here, I was able to resolve a couple of strange issues and bring the environment online for production.

There is still one thing I'd like to see to, however. I want to tighten up my RDS Session Hosts so that users who log into them can't create havoc. To that end I've already done a few simple things like disabling the command prompt and the registry editor as well as hiding the C: drive via group policy. But there's much more I would like to do. For example, I want to get rid of most of the control panel applets and several start menu items (I'm using Classic Shell, a 3rd-party utility, to provide a more recognizable Start Menu). I'd also like to disable access to the Administrative Tools.

Can anyone recommend an approach to securing these kinds of things - either through Group Policy or some other means? I've done some research, but it seems that much of what's out there doesn't take into account the kind of environment I have where numerous users are all logging into Remote Desktop provided by one common server. Thus, they all have their own profiles but they're all accessing the same machine.

Any hints or tips would be greatly appreciated.

Thanks much!
Chris Collins (Owner) asked:
Alan Hardisty (Co-Owner) commented:
The following link is the one I use to lock down RDS environments and it seems to work quite well:

Pete Long (Technical Consultant) commented:
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
We set up a dedicated Security Group that allows users access to the RDS Standalone or Farm. It is not a good idea to use a universal like Domain Users.

Domain Controllers have a dedicated set of policies on the Gateway that allow only Domain Administrators access to DCs on the network. I suggest not lumping them in with the default policies.

All Session Hosts get two partitions. One for the host's OS and the other for the applications and data. Unfortunately, some apps still require some sort of user access and/or read/write abilities that can't be done if there is only a C: partition and it's masked.

Use User Profile Disks (UPDs). Put them somewhere on the network with a decent amount of bandwidth between them and the Session Hosts. They allow for a cleaner C:\Users, the ability to scope a user's local profile simply, and the ability to re-create a user's local profile if they get pooched by simply renaming the user's UPD and logging them on to create a new one. Mount the old one and copy contents to get things settled in again.

Note that there can be some funky behaviours with the user's My Documents and other such local profile folders if the C: partition is masked and UPDs are not used.

Always use Remote Desktop Gateway for external access. Never publish an RD listener to the Internet (TCP 3389 or any other port).
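The points in this answer (a dedicated RDP security group rather than Domain Users, a separate data partition, User Profile Disks, no listener exposed outside the RD Gateway) plus the per-user policies the original question mentions (command prompt, registry editor, hidden C: drive, Control Panel) can be audited on a Session Host with a read-only script. The following is an added example, not code from this thread or from Microsoft; `$ConnectionBroker`, `$CollectionName` and `$RdpGroup` are assumed names for the environment and must be changed to match yours. The machine-level checks need an elevated session (and RDS admin rights for the UPD query); the HKCU checks report whatever policy applies to the account running the script, so run that part once while logged on as a test user in the locked-down group.

```powershell
# Added example (not from the thread): read-only lockdown audit for one RD Session Host.
# Assumed values for this environment; adjust before running.
$ConnectionBroker = 'rdcb01.corp.example'   # assumed RD Connection Broker FQDN
$CollectionName   = 'Production Desktop'    # assumed session collection name
$RdpGroup         = 'RDS-Users'             # assumed dedicated security group (short name)

$results = New-Object 'System.Collections.Generic.List[object]'
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}
# Returns a registry value, or $null when the key or value does not exist.
function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Only the dedicated group, never Domain Users, in the local Remote Desktop Users group.
#    ADSI is used because Get-LocalGroupMember does not exist on Server 2012 R2.
$rdu = [ADSI]'WinNT://./Remote Desktop Users,group'
$members = @($rdu.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
$unexpected = @($members | Where-Object { $_ -ne $RdpGroup })
Add-Result 'Remote Desktop Users holds only the dedicated group' ($unexpected.Count -eq 0) `
    ('Members: ' + ($members -join ', '))

# 2. No inbound RDP rule enabled for the Public profile; external users come through RD Gateway.
$publicRdp = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' })
$port = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'PortNumber'
Add-Result 'RDP inbound rules not enabled for the Public profile' ($publicRdp.Count -eq 0) `
    ("Listener port $port; a non-default port is not a substitute for RD Gateway")

# 3. Two partitions: OS on C:, applications and data on another fixed drive.
$fixed = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | Select-Object -ExpandProperty DeviceID)
Add-Result 'Separate data partition present' ($fixed.Count -ge 2) ('Fixed drives: ' + ($fixed -join ', '))

# 4. User Profile Disks enabled on the collection (queried via the broker).
$upd = $null
if (Get-Module -ListAvailable RemoteDesktop) {
    Import-Module RemoteDesktop
    $upd = Get-RDSessionCollectionConfiguration -CollectionName $CollectionName `
        -ConnectionBroker $ConnectionBroker -UserProfileDisk -ErrorAction SilentlyContinue
}
Add-Result 'User Profile Disks enabled' ([bool]($upd -and $upd.EnableUserProfileDisk)) `
    $(if ($upd) { 'Path: ' + $upd.DiskPath } else { 'collection or broker not reachable from this host' })

# 5. Per-user policies as applied to the account running this script.
$sys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cmd = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
Add-Result 'Command prompt disabled' ((1, 2) -contains $cmd) "DisableCMD=$cmd (2 still allows logon and batch scripts)"
$reg = Get-PolicyValue $sys 'DisableRegistryTools'
Add-Result 'Registry editor disabled' ((1, 2) -contains $reg) "DisableRegistryTools=$reg"
# NoDrives only hides drives in Explorer; NoViewOnDrive (same bitmask, C: = 4) blocks access by path.
$noDrives = [int](Get-PolicyValue $exp 'NoDrives')
$noView   = [int](Get-PolicyValue $exp 'NoViewOnDrive')
Add-Result 'C: hidden in Explorer (NoDrives bit 4)' (($noDrives -band 4) -ne 0) "NoDrives=$noDrives"
Add-Result 'C: access blocked, not just hidden (NoViewOnDrive bit 4)' (($noView -band 4) -ne 0) `
    "NoViewOnDrive=$noView; hiding a drive alone does not prevent opening it by path"
$restrict = Get-PolicyValue $exp 'RestrictCpl'
Add-Result 'Control Panel limited to an allow-list (RestrictCpl)' ($restrict -eq 1) "RestrictCpl=$restrict"

$results | Format-Table -AutoSize -Wrap
```

Each row reports Pass/Fail with the observed value, so a failing NoViewOnDrive row with a passing NoDrives row shows the common gap where the C: drive is hidden from Explorer but still reachable by typing a path; "Prevent access to drives from My Computer" closes it. The UPD query is the only part that reaches off the host, and it reports unreachable rather than failing when run on a Session Host that cannot see the broker.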
Chris Collins (Owner, Author) commented:
All three of these were great resources. Thank you so much!