-
February 20th, 2010, 05:23 PM
#1
Managing RDP through Group Policy
Hi everyone. I put this in the client thread because I think that's where it should go based on what I'm trying to figure out. Let me explain. I have a friend who has a small business. He's running SBS 2003 and has all XP Pro sp3 workstations on the network. He has only 1 server. He has someone that needs to work from home (across the country) and he wants this person to RDP into a workstation at the office, not the server. That's why I put this post in this thread. I think this is where it should go, but feel free to move it if needed.
Here's the rub. He has everyone sign non-disclosure agreements, which is great and all, but he wants to add another level of security by limiting what this person can do, as well as anyone else who may end up working from home, through RDP. He'd like to not allow bringing drives over through RDP (her local C: drive mapped to her session with the XP client on the other side of the country), nor printers, nor clipboard, etc. He basically doesn't want her to have the options you would normally have when RDP'd in. He wants it to be truly as if she's just sitting in the office in front of the client PC instead of being a few thousand miles away. Does that make sense?
Anyway, I'm figuring we can accomplish all of this through Group Policy, but what I'm unsure of is if we want to edit the local group policy on the client PC or do it all through the server instead. He's really only focused right now on this one particular user and not the rest of the employees. There are, however, 2 or 3 other employees that do use RDP to work from home on occasion. These users are local to the area.
What are your thoughts?
-
February 21st, 2010, 07:31 AM
#2
I'm guessing you know that the person remoting can't be an Admin.
In Group Policies:
Computer Config->Admin Templates->Terminal Services
and the next section called Client/Server Redirection
Would be the place to start.
If you're happy and you know it......it's your meds.
-
February 21st, 2010, 07:37 AM
#3
The majority of policies can be found here:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services
There you will find policies for clipboard, drives, printers, timezone etc.
You should set those on the server and have the user log in to the server.
I take it security measures have been taken? She at least logs in through VPN?
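An added example, not part of any post in this thread: a PowerShell check to run on the machine that accepts the RDP connection, to confirm that the redirection policies under the Terminal Services node actually applied. The registry value names are the ones these policies write; requiring every listed channel to be blocked is this example's assumption about the desired baseline.

```powershell
# Added example: audit Terminal Services redirection policy on the RDP host.
# Run locally on the workstation or server that the remote user connects to.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy registry value -> channel it controls (1 = redirection disabled).
$baseline = @{
    fDisableCdm  = 'Drive redirection'
    fDisableClip = 'Clipboard redirection'
    fDisableCpm  = 'Printer redirection'
    fDisableLPT  = 'LPT port redirection'
    fDisableCcm  = 'COM port redirection'
}

function Test-RdpRedirectionPolicy {
    param([string]$Path = $key)

    # The key is absent when no Terminal Services policy has been applied.
    $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in ($baseline.Keys | Sort-Object)) {
        $current = $null
        if ($values) { $current = $values.$name }

        # A missing value means the policy is "Not Configured", so policy
        # is not blocking that channel.
        if ($current -eq 1)         { $state = 'BLOCKED' }
        elseif ($null -eq $current) { $state = 'NOT CONFIGURED' }
        else                        { $state = 'ALLOWED' }

        New-Object PSObject -Property @{
            Channel = $baseline[$name]
            Value   = $name
            State   = $state
        }
    }
}

$report = Test-RdpRedirectionPolicy
$report | Format-Table Channel, Value, State -AutoSize

# Non-zero exit code when any channel is left open, for use in a login
# script or scheduled check.
$gaps = @($report | Where-Object { $_.State -ne 'BLOCKED' })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) redirection channel(s) are not blocked by policy."
    exit 1
}
```

Run it after `gpupdate /force` on the target machine; settings chosen in the remote user's RDP client do not change these values, which is why the check belongs on the host side.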
-
February 21st, 2010, 09:04 AM
#4
We do something similar @ our small company. The remote user logs into the VPN (that program is furnished as a feature of the hardware firewall) and then using RDP, into their desktop. Their desktop login only allows them to see what they normally see when they are in the office.
The only weakness that I have heartburn over is that the remote Windows PC can memorize the RDP password (which is their desktop PW.) As part of the conditions of remote privileges, remote users are not to use that feature.
-
February 21st, 2010, 09:40 AM
#5
 Originally Posted by HAN
The only weakness that I have heartburn over is that the remote Windows PC can memorize the RDP password
You should be able to turn this off here:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client
-
February 22nd, 2010, 11:05 AM
#6
Thanks for the information. That's exactly what I needed to know. I'll check it out and see what the options are. I'll get back to you to let you know how it works.
-
February 22nd, 2010, 11:06 AM
#7
 Originally Posted by DeP
The majority of policies can be found here:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services
There you will find policies for clipboard, drives, printers, timezone etc.
You should set those on the server and have the user log in to the server.
I take it security measures have been taken? She at least logs in through VPN?
She logs in through the SBS web portal, which is supposed to be secure as I understand it.
-
February 22nd, 2010, 06:16 PM
#8
My concern would be that while the login might be secure through the web portal, the data between her and the SBS box would be wide open unless it's in an encrypted VPN tunnel. Most firewalls, even inexpensive ones should support VPN in some form I would think...
-
February 22nd, 2010, 06:24 PM
#9
Ah, that is interesting. I'll have to bring this up to my friend and see what we can do.