4

I recently set up an RDS server and it is working great, but I'm wanting to lock down the RDS so that when someone is on there they can't accidentally or purposely bring anything from their local machine over to their work machine.

I have found several articles online talking about changing the local policy, but not sure how to go about this because I can't very well change the local policy of their home computers. I made the change on the servers thinking that might be it, but it still allows a user to copy/paste between their home desktop and their work machine via RDP. I've also set the CAP to "disable device redirection for the following client device types" and selected all of the options, then restarted the services, still no go. I'm fairly certain at my previous job (I had it set up there, but it's been a while) all I had to do was change the local policy settings on the server, but I could be remembering that wrong.

The section in the server policy that I changed was Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Redirection. I enabled Do not allow Clipboard redirection, COM port redirection, drive redirection and LPT port redirection. Rebooted the server and same result, so I assume it has to be set on their local machine.

If these were company issued laptops it'd be easy to set it here first, but not sure how to go about policing their home machines and hoping there's a way to turn this off on the server itself. I've even moved these servers into a new OU, created a new GPO and made the adjustment mentioned above at the domain level, then verified the servers are getting the policy, but still the same results. When a user logs in remotely from a home computer, they can still copy a document from their desktop at home to their desktop at work.

Any help would be appreciated, thanks!

JasonM
  • 2
    The policy settings you're describing, assuming you set them in the server computer's Local Group Policy (and assuming they're not being overridden by a Group Policy Object from Active Directory) are what you're looking for. It's unclear to me why setting them didn't work for you. – Evan Anderson Oct 14 '14 at 15:26

1 Answer

4

You can disable drive, device and printer redirection via local or group policy.

In order to disable clipboard redirection you have to kill the rdpclip.exe process in the remote session. You can do this by writing a batch file that kills that process and using it as a login script for the remote session.

joeqwerty
  • Strange, I tried this several times over last week, but hadn't tried it yet today when I posted the message. I just tried and it's working as expected now. I am not sure why it would have taken time to "catch up" as I updated the GPO, restarted servers, etc, with the same result. Either way it seems to not allow me to copy/paste between laptop and local machine when using RDS, so I'm happy! Thanks to both of you for your input! – JasonM Oct 14 '14 at 19:32
  • Hello, I have a question. Is there any way to configure this separately for specified users? For example, I want to give mapping permission to my Admin group while not giving permission to the member group. If we enable "do not allow drive configuration" in Computer configuration, all users can't map their local disk. That was driving me crazy! – The One Feb 24 '17 at 06:01
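
One way to confirm on the session host that the four settings named in the question actually took effect, as an added example that is not part of the original thread. It assumes the settings are delivered as computer policy and reads the registry values those policy settings write (`fDisableClip`, `fDisableCdm`, `fDisableCcm`, `fDisableLPT` under the Terminal Services policy key); the function name is made up for this example.

```powershell
# Added example, not from the original thread. Run elevated on the RDS session host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> policy setting named in the question.
$settings = [ordered]@{
    fDisableClip = 'Do not allow Clipboard redirection'
    fDisableCdm  = 'Do not allow drive redirection'
    fDisableCcm  = 'Do not allow COM port redirection'
    fDisableLPT  = 'Do not allow LPT port redirection'
}

function Get-RedirectionPolicyState {
    param([string]$Key = $policyKey)

    # A missing key means no Terminal Services policy reached this machine at all.
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($name in $settings.Keys) {
        $data = $null
        if ($values -and ($values.PSObject.Properties.Name -contains $name)) {
            $data = $values.$name
        }

        # 1 = policy Enabled, 0 = policy Disabled, absent = Not Configured.
        if     ($null -eq $data) { $state = 'Not configured by policy' }
        elseif ($data -eq 1)     { $state = 'Enabled (redirection blocked)' }
        else                     { $state = 'Disabled (redirection allowed)' }

        [pscustomobject]@{
            Policy = $settings[$name]
            Value  = $name
            Data   = $data
            State  = $state
        }
    }
}

Get-RedirectionPolicyState | Format-Table -AutoSize

# The answer ties clipboard redirection to rdpclip.exe; list sessions where it is running.
Get-Process -Name rdpclip -ErrorAction SilentlyContinue |
    Select-Object Id, SessionId, StartTime |
    Format-Table -AutoSize
```

If a row shows "Not configured by policy" after the GPO was linked, run `gpupdate /force` and `gpresult /r /scope computer` on the server to see whether the GPO is being applied to it.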