b l o g » security http://www.cibengineering.com/blog Remote access engineering, citrix and terminal services Sun, 15 Aug 2010 01:32:38 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 group policy http://www.cibengineering.com/blog/servergroup-policy/ http://www.cibengineering.com/blog/servergroup-policy/#comments Tue, 26 Jan 2010 17:19:59 +0000 admin http://www.cibengineering.com/blog/?p=241 Lets say your group policy is not passed down from e hierarchical structure like AD and you have to manage each servers settings either via some scripting process or via manualy adding the settings to the local group policy yourself. Either way, there is chance for security concerns. Here is some decent documentation to follow, and build off of in the event you are looking for something to start from.  Any commentary is greatly appreciated! Commands used to lock down a terminal server or citrix/xenapp server for the standard, non administrative user.

Export local group policy. The following command can be used both on a workstation or a citrix | terminal server: gpresult /v
To hide items from non administrative users, use the Attrib command: attrib +H startup will remove the startup folder for all users
expanded example: attrib +H “C:\Documents and Settings\all users\Start Menu\Programs\Accessories”
Commands to remove unnecessary items from all user profiles on your citrix/xenapp or terminal server.

To delete the Internet explorer shortcut from all users taskbar enter the following command from the root of c:\: del “launch Internet explorer browser.lnk” /s /q
To delete any references from all user profiles to remote assistance, enter the following command from the root of c:\: del “remote assistance.lnk” /s /q
To delete any references from all user profiles to outlook express, enter the following command from the root of c:\: del “del “outlook express.lnk” /s /q”
To delete any references from all user profiles to Internet explorer (assuming its not needed), enter the following command from the root of c:\: del “Internet explorer.lnk” /s /q

The  following group policy settings are also usefull if you want to lock down a terminal server, citrix or xenapp server.

  • Local Computer Policy > User Configuration > Administrative Templates > Windows Explorer
    Enabled: Remove Windows Explorer’s Default context menu
    Enabled: Hide these specified drives in My Computer
    Enabled: Prevent access to drives from My Computer
  • Local Computer Policy > User Configuration > Administrative Templates > Start Menu and Taskbar
    Enabled: Remove Documents menu from Start Menu
    Enabled: Remove programs on Settings menu
    Enabled: Remove Network Connections from Start Menu
    Enabled: Remove Search menu from Start Menu
    Enabled: Remove Help menu from the Start Menu
    Enabled: Remove Run from the Start Menu
    Enabled:Add Logoff to the start menu
    Enabled: Remove and prevent access to the Shut Down Command
    Enabled:Prevent changes to Taskbar and Start Menu Settings
    Enabled:Remove access to the context menus for the taskbar
  •  Local Computer Policy > User Configuration > Administrative Templates > Desktop
    Enabled: Hide and disable all items on the desktop
    Enabled: Remove My documents icon on the desktop
    Enabled: Remove Recycle Bin icon from desktop
    Enabled: Remove Properties from the My Documents context menu
    Enabled: Hide My Network Places icon on desktop
    Enabled: Hide Internet Explorer icon on desktop
  • Computer Policy > User Configuration > Administrative Templates > Control Panel
     Enabled: Prohibit Access to the Control Panel
  • Computer Policy > User Configuration > Administrative Templates > Control Panel > Printers
    Enabled: Browse the network to find printers
    Enabled: Prevent addition of printers
  • Computer Policy > User Configuration > Administrative Templates > System > User Profiles
    Enabled: Connect home directory to the root of the share

User reports they see Windows Security > Task Manager in the start menu and they shouldn’t.

  • User Key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Value Name: NoNtSecuritycorrects task manager via windows security
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = display, 1 = remove)
  • User Key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Value Name: NoSimpleStartMenu
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = display, 1 = remove)
  • User Key: [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    System Key: [HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Value Name: ShowSuperHidden
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = display, 1 = remove)
  • SystemKey:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Value Name: NoActiveDesktop
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = display, 1 = remove)
    Purpose: remove right click on the tray

Rename:

HKEY_CLASSES_ROOT\Directory\shell
HKEY_CLASSES_ROOT\Folder\shell

To:

HKEY_CLASSES_ROOT\Directory\shell.old
HKEY_CLASSES_ROOT\Folder\shell.old

]]> http://www.cibengineering.com/blog/servergroup-policy/feed/ 0