Let's say your group policy is not passed down from a hierarchical structure like AD, and you have to manage each server's settings either via some scripting process or by manually adding the settings to the local group policy yourself. Either way, there is a chance for security concerns. Here is some decent documentation to follow and build off of, in the event you are looking for something to start from. Any commentary is greatly appreciated! These are the commands used to lock down a terminal server or Citrix/XenApp server for the standard, non-administrative user.
Export the applied local group policy. The following command can be used on either a workstation or a Citrix/terminal server: gpresult /v
To hide items from non-administrative users, use the attrib command. For example, attrib +H startup hides the Startup folder for all users.
Expanded example: attrib +H "C:\Documents and Settings\All Users\Start Menu\Programs\Accessories"
Commands to remove unnecessary items from all user profiles on your Citrix/XenApp or terminal server. Each one is run from the root of C:\ and, because of /s, deletes every matching shortcut in every subdirectory (every profile), with /q suppressing the confirmation prompt.
To delete the Internet Explorer shortcut from all users' taskbars, enter the following command from the root of C:\: del "Launch Internet Explorer Browser.lnk" /s /q
To delete any references from all user profiles to Remote Assistance, enter the following command from the root of C:\: del "Remote Assistance.lnk" /s /q
To delete any references from all user profiles to Outlook Express, enter the following command from the root of C:\: del "Outlook Express.lnk" /s /q
To delete any references from all user profiles to Internet Explorer (assuming it is not needed), enter the following command from the root of C:\: del "Internet Explorer.lnk" /s /q
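As an added example (not part of the original post), the same profile cleanup written as a PowerShell script that reports every matching shortcut before anything is deleted and skips the Administrator profile, so the admin session keeps its shortcuts. The profile root, the -Remove switch and the excluded profile name are assumptions; the shortcut names are the ones the post deletes.

```powershell
# Added example, not from the original post: scoped, report-first replacement
# for "del <name>.lnk /s /q" run from the root of C:\.
# Assumes a Windows Server 2003-era profile root; use C:\Users on newer systems.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [switch]$Remove   # without -Remove the script only reports what it would delete
)

# Shortcut names taken from the post's del commands (matching is case-insensitive).
$Shortcuts = @(
    'Launch Internet Explorer Browser.lnk',
    'Remote Assistance.lnk',
    'Outlook Express.lnk',
    'Internet Explorer.lnk'
)

# Profiles to leave untouched (assumed list) so an administrator is not locked out
# of the tools the post removes for standard users.
$Exclude = @('Administrator')

# -Force also finds shortcuts inside folders hidden earlier with attrib +H.
$found = Get-ChildItem -Path $ProfileRoot -Recurse -Force -Include $Shortcuts -ErrorAction SilentlyContinue |
    Where-Object {
        # First path component under the profile root is the profile name.
        $rel = $_.FullName.Substring($ProfileRoot.Length).TrimStart('\')
        $Exclude -notcontains ($rel -split '\\')[0]
    }

foreach ($lnk in $found) {
    if ($Remove) {
        Remove-Item -LiteralPath $lnk.FullName -Force
        Write-Output "Removed:      $($lnk.FullName)"
    } else {
        Write-Output "Would remove: $($lnk.FullName)"
    }
}
Write-Output ("{0} shortcut(s) matched under {1}" -f @($found).Count, $ProfileRoot)
```

Run it once without -Remove, check the report, then run it again with -Remove.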
The following group policy settings are also useful if you want to lock down a terminal server, Citrix or XenApp server.
- Local Computer Policy > User Configuration > Administrative Templates > Windows Explorer
Enabled: Remove Windows Explorer's Default context menu
Enabled: Hide these specified drives in My Computer
Enabled: Prevent access to drives from My Computer
- Local Computer Policy > User Configuration > Administrative Templates > Start Menu and Taskbar
Enabled: Remove Documents menu from Start Menu
Enabled: Remove programs on Settings menu
Enabled: Remove Network Connections from Start Menu
Enabled: Remove Search menu from Start Menu
Enabled: Remove Help menu from the Start Menu
Enabled: Remove Run from the Start Menu
Enabled: Add Logoff to the Start Menu
Enabled: Remove and prevent access to the Shut Down command
Enabled: Prevent changes to Taskbar and Start Menu Settings
Enabled: Remove access to the context menus for the taskbar
- Local Computer Policy > User Configuration > Administrative Templates > Desktop
Enabled: Hide and disable all items on the desktop
Enabled: Remove My Documents icon on the desktop
Enabled: Remove Recycle Bin icon from desktop
Enabled: Remove Properties from the My Documents context menu
Enabled: Hide My Network Places icon on desktop
Enabled: Hide Internet Explorer icon on desktop
- Computer Policy > User Configuration > Administrative Templates > Control Panel
Enabled: Prohibit access to the Control Panel
- Computer Policy > User Configuration > Administrative Templates > Control Panel > Printers
Enabled: Browse the network to find printers
Enabled: Prevent addition of printers
- Computer Policy > User Configuration > Administrative Templates > System > User Profiles
Enabled: Connect home directory to the root of the share
If a user reports that they see Windows Security > Task Manager in the Start menu and they shouldn't, set the following registry values.
- User Key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoNtSecurity (removes Task Manager, reached via Windows Security)
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = display, 1 = remove)
- User Key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoSimpleStartMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = display, 1 = remove)
- User Key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: ShowSuperHidden
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = display, 1 = remove)
- System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoActiveDesktop
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = display, 1 = remove)
Purpose: remove right-click on the tray
- Rename:
HKEY_CLASSES_ROOT\Directory\shell
HKEY_CLASSES_ROOT\Folder\shell
To:
HKEY_CLASSES_ROOT\Directory\shell.old
HKEY_CLASSES_ROOT\Folder\shell.old
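As an added example (not from the original post), a PowerShell script that applies the Policies\Explorer values listed above, reads each one back so a typo or a missing key shows up immediately, and performs the two HKEY_CLASSES_ROOT renames only when the original key still exists. The hive parameter and the OK/MISMATCH report format are assumptions; the value names, data, and key paths are the ones the post gives.

```powershell
# Added example, not from the original post. Run as an administrator on the
# terminal/XenApp server. HKLM applies to every user who logs on, admins included,
# so confirm an administrator can still reach Task Manager afterwards.
param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')

$PolicyKey = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Value names and data from the post (1 = remove). ShowSuperHidden is left out
# here so the example only carries the entries whose meaning the post explains.
$Values = [ordered]@{
    NoNtSecurity      = 1   # removes Windows Security > Task Manager from the Start menu
    NoSimpleStartMenu = 1
    NoActiveDesktop   = 1   # post: removes right-click on the tray (HKLM only in the post)
}

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

foreach ($name in $Values.Keys) {
    New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
        -Value $Values[$name] -Force | Out-Null
}

# Verify: read every value back and compare with what was requested.
$actual = Get-ItemProperty -Path $PolicyKey
foreach ($name in $Values.Keys) {
    $state = if ($actual.$name -eq $Values[$name]) { 'OK' } else { 'MISMATCH' }
    Write-Output ('{0,-18} = {1}  [{2}]' -f $name, $actual.$name, $state)
}

# Rename the shell keys as the post describes. HKCR is not a default PSDrive,
# so map it first. Reversing the change is the opposite rename.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
foreach ($key in 'HKCR:\Directory\shell', 'HKCR:\Folder\shell') {
    if (Test-Path $key) {
        Rename-Item -Path $key -NewName 'shell.old'
        Write-Output "Renamed $key -> shell.old"
    } elseif (Test-Path "$key.old") {
        Write-Output "$key was already renamed, nothing to do"
    } else {
        Write-Output "$key not found"
    }
}
```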
This is great! Just don’t do the same thing we did and lock down the XenApp 6.5 server so much that we could no longer access the server as administrator. Oh, and local group policy is much better than that domain based stuff. Especially when you have no control over active directory or policy implementation!