Hi everyone -
I recently finished a go-live with my first multi-server Windows 2012 R2 environment. Thanks to some great help I received here, I was able to resolve a couple of strange issues and bring the environment online for production.
There is still one thing I'd like to see to, however. I want to tighten up my RDS Session Hosts so that users who log into them can't create havoc. To that end I've already done a few simple things like disabled the command prompt and the registry editor as well as hiding the C: drive via group policy. But there's much more I would like to do, For example, I want to get rid of most of the control panel applets and several start menu items (I'm using Classic Shell, a 3rd part utility, to provide a more recognizable Start Menu). I'd also like to disable access to the Administrative Tools.
Can anyone recommend an approach to securing these kinds of things - either through Group Policy or some other means? I've done some research, but it seems that much of what's out there doesn't take into account the kind of environment I have where numerous users are all logging into Remote Desktop provided by one common server. Thus, they all have their own profiles but they're all accessing the same machine.
Any hints or tips would be greatly appreciated.