Support Telephone: +61 2 9212 0811 | Support Email: support@itng.com.au  
Home | Contact | Search Knowledge Base    
 Information
About ITNG
Services
Experience
NextDSL Internet
NextHOST Website Design
NextWARE Software
News
Contact Us
 
 
 Support
Support
Customer Login

Support
Knowlege Base
 

Search our Knowledge Base for technical articles. This database may contain information sourced from other sites.

You can enter up to 100 characters in your search term. We continue to add articles in this database as we encounter issues in our support work.

If you are directed to this page to start a support session click on the logo below. You will be prompted to install a file. Please follow the directions provided by support.
 

Search Knowledge Base
 
Search Terms
Enter up to 10 search terms. Up to 99 pages that contain ANY of yor search terms will be returned - the pages will be listed in order with the best results listed first.
Clear

How to Lock Down a Windows 2000 Terminal Server Session 
How to Lock Down a Windows 2000 Terminal Server Session

Applies To
This article was previously published under Q278295
SUMMARY
You can use Group Policies to lock down a Terminal Server session on a Windows 2000-based computer. With the following settings, even the administrator account will have restricted access. It is highly recommended that you create a new Organizational Unit instead of modifying the polices on an existing one.

Note: The use of these policies does not guarantee a secure computer, and you should use them only as a guideline.
MORE INFORMATION
Use Active Directory Users and Computers to create a new Organizational Unit (OU). Right-click the OU, click Properties, and then on the Group Policy tab, click New Policy. Edit this policy with the following settings:
[Computer Configuration\Admin Templates\System\Group Policy]

Enable the following setting:
User Group Policy loopback processing mode

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Enable the following settings:
Do not display last user name in logon screen
Restrict CD-ROM access to locally logged-on user only
Restrict floppy access to locally logged-on user only

[Computer Configuration\Administrative Templates\Windows Components\Windows Installer]

Enable the following setting, and set it to Always:
Disable Windows Installer

[User Configuration\Windows Settings\Folder Redirection]

Enable the following settings:
Application Data
Desktop
My Documents
Start Menu

[User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Enable the following settings:
Remove Map Network Drive and Disconnect Network Drive
Remove Search button from Windows Explorer
Disable Windows Explorer's default context menu
Hides the Manage item on the Windows Explorer context menu
Hide these specified drives in My Computer (Enable this setting for A through D.)
Prevent access to drives from My Computer (Enable this setting for A through D.)
Hide Hardware Tab

[User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Enable the following settings:
Prevent Task Run or End
Disable New Task Creation

[User Configuration\Administrative Templates\Start Menu & Taskbar]

Enable the following settings:
Disable and remove links to Windows Update
Remove common program groups from Start Menu
Disable programs on Settings Menu
Remove Network & Dial-up Connections from Start Menu
Remove Search menu from Start Menu
Remove Help menu from Start Menu
Remove Run menu from Start Menu
Add Logoff to Start Menu
Disable and remove the Shut Down command
Disable changes to Taskbar and Start Menu Settings

[User Configuration\Administrative Templates\Desktop]

Enable the following settings:
Hide My Network Places icon on desktop
Prohibit user from changing My Documents path

[User Configuration\Administrative Templates\Control Panel]

Enable the following setting:
Disable Control Panel

[User Configuration\Administrative Templates\System]

Enable the following settings:
Disable the command prompt (Set Disable scripts to No)
Disable registry editing tools

[User Configuration\Administrative Templates\System\Logon/Logoff]

Enable the following settings:
Disable Task Manager
Disable Lock Computer

The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Last Reviewed: 11/4/2002 (1.0)
Keywords: kbhowto kbnetwork KB278295
 
Link http://support.microsoft.com/default.aspx?scid=kb;en-us;278295

 
File  
 

©2006 IT Next Generation Pty Ltd | Suite 103, 330 Wattle Street, Ultimo NSW 2007
T: +61 2 9212 0811 | F: +61 2 9212 0833 | E: support@itng.com.au | W: www.itng.com.au
Website Design and Solutions | Business Grade Internet Solutions
Microsoft Small Business Specialist | Cisco Partner | Trend Micro | Destra Business