Configuring Windows Server so that you have everything, and nothing happens to you for it


    Parallels Remote Application Server (RAS) is RDP with a human face, but some of its features have to be configured on the Windows Server side (or inside the virtual machines you use). Below are recommendations from Matvey Korovin of the Parallels technical support team on the Windows Server settings to use with RAS.

    The following group policies can make your Parallels RAS deployment (or a plain terminal server) more convenient and more secure. To apply the configurations below precisely, we recommend creating a separate group for Parallels RAS users and linking the group policies to it.


    Part one. “Prohibitory”


    Hiding Explorer elements (drives, the Start button, etc.)
    By default, when a user who has been added to the Remote Desktop Users group connects to the terminal server or virtual machine, they see a fully functional desktop.

    Local drives are visible to them and often accessible. Admit it, that is a sizeable security hole: a user, even with limited rights, can reach local drives and files on a remote server.

    Even if you set up proper access control and protect yourself that way, a nervous user will still confuse the terminal server's drives with their own and call support in a panic. The best way out is to hide the terminal server's local drives from the user's inquisitive gaze.

    Group Policy location:

    User Configuration \ Policies \ Administrative Templates \ Windows Components \ Windows Explorer

    Change the values of the following options:

    Hide these specified drives in My Computer - removes the listed drives from My Computer and all related menus. Note that this does not prohibit access to the drive: if the user types an absolute path, the drive will open.
    Prevent access to drives from My Computer - denies access to the specified drives. With this option enabled, access is restricted, but the drives are still displayed in Explorer.
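    The two drive policies above are, under the hood, two REG_DWORD bitmasks in the user's Explorer policy key: NoDrives for "Hide these specified drives" and NoViewOnDrive for "Prevent access to drives", with bit 0 = A:, bit 1 = B:, and so on up to bit 25 = Z:. The following PowerShell is an added example, not code from the article or from Parallels; it builds the mask from drive letters, applies either or both policies, and reads them back so you can audit what a session actually has. Function names and the ExplorerPolicyKey variable are this example's own.

```powershell
# Added example (not from the original article): implements the two drive policies
# by writing the registry values they map to, and reads them back for audit.
# Assumed mapping (documented for these policies):
#   "Hide these specified drives in My Computer"  -> NoDrives      (REG_DWORD bitmask)
#   "Prevent access to drives from My Computer"   -> NoViewOnDrive (REG_DWORD bitmask)
# Bit 0 = A:, bit 1 = B:, bit 2 = C:, ... bit 25 = Z:.
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function ConvertTo-DriveMask {
    # Turns a list of drive letters ("C", "d:", ...) into the bitmask the policies expect.
    param([Parameter(Mandatory)][string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $upper = $letter.Trim().TrimEnd(':').ToUpperInvariant()
        if ($upper -notmatch '^[A-Z]$') { throw "Not a drive letter: '$letter'" }
        $mask = $mask -bor (1 -shl ([int][char]$upper - [int][char]'A'))
    }
    return $mask
}

function ConvertFrom-DriveMask {
    # Inverse of ConvertTo-DriveMask: lists the drive letters encoded in a mask.
    param([Parameter(Mandatory)][int]$Mask)
    $letters = @()
    for ($i = 0; $i -le 25; $i++) {
        if ($Mask -band (1 -shl $i)) { $letters += [string][char]([int][char]'A' + $i) }
    }
    return $letters
}

function Set-DriveRestriction {
    # -Hide  : drop the drives from My Computer (cosmetic only, as the article notes).
    # -Block : make Explorer and the common file dialogs refuse to open them.
    # Both are shell policies, not ACLs: cmd.exe, PowerShell and any other program still
    # see the file system, so NTFS permissions remain the real access control.
    param(
        [Parameter(Mandatory)][string[]]$DriveLetters,
        [switch]$Hide,
        [switch]$Block
    )
    if (-not (Test-Path $ExplorerPolicyKey)) { New-Item -Path $ExplorerPolicyKey -Force | Out-Null }
    $mask = ConvertTo-DriveMask -DriveLetters $DriveLetters
    if ($Hide)  { Set-ItemProperty -Path $ExplorerPolicyKey -Name NoDrives      -Value $mask -Type DWord }
    if ($Block) { Set-ItemProperty -Path $ExplorerPolicyKey -Name NoViewOnDrive -Value $mask -Type DWord }
}

function Get-DriveRestriction {
    # Readback for auditing a session: which drives are hidden and which are blocked.
    $props = Get-ItemProperty -Path $ExplorerPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hidden  = $(if ($props.NoDrives)      { ConvertFrom-DriveMask $props.NoDrives }      else { @() })
        Blocked = $(if ($props.NoViewOnDrive) { ConvertFrom-DriveMask $props.NoViewOnDrive } else { @() })
    }
}

# Usage: hide C: and D: from Explorer and refuse to open them there (Explorer re-reads
# the key at next logon or after an explorer.exe restart), then show the result.
Set-DriveRestriction -DriveLetters 'C', 'D' -Hide -Block
Get-DriveRestriction
```

    Writing the values directly is handy for testing on one account; in production let the group policy described above write them, and use Get-DriveRestriction on a test session to confirm the mask contains exactly the letters you meant (a typo such as "CD" is rejected by ConvertTo-DriveMask rather than silently producing the wrong mask).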

    What else this group policy lets you hide from the user:

    Remove Run menu from Start Menu - when enabled, removes the Run command from the Start menu
    Remove Search button from Windows Explorer - simple: search in Explorer becomes unavailable
    Disable Windows Explorer's default context menu - takes away the user's ability to open the right-click menu (you can buy old single-button Mac mice and save on a button)

    After writing this part, a parliamentary passion for bans awoke in me. In that spirit, here are the ways you can forbid the user everything.

    Here we go.

    We prohibit the use of the command line (even if the user manages to open CMD, all they get to admire is a black window with an access-denied message)

    Group Policy Location:

    User Configuration → Policies → Administrative Templates → System → Prevent access to the command prompt

    Change the value to Enabled.

    The policy's Disable the command prompt script processing option additionally prevents the user from running scripts.

    One caveat: if you have logon scripts configured and this option is enabled, they will not run.

    We remove the Shut Down / Restart / Sleep buttons (it would be a shame if a remote user accidentally shut down the terminal server)

    Group Policy Location:

    User Configuration → Administrative Templates → Start Menu and Taskbar → Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate Commands

    When this option is enabled, the user can only lock the session or log off from it.

    Disable Server Manager from starting at logon
    Group Policy Location:

    Computer Configuration → Policies → Administrative Templates → System → Server Manager → Do not display Server Manager automatically at logon

    Change the value to Enabled.

    We prohibit launching PowerShell
    Group Policy location:

    User Configuration → Policies → Administrative Templates → System → Don't run specified Windows applications

    Enable this policy and add the following applications to its list: powershell.exe and powershell_ise.exe. The same policy can block any installed (or even not yet installed) application.

    Hiding Control Panel items
    Group Policy location:

    User Configuration → Administrative Templates → Control Panel → Show only specified Control Panel items

    When you enable this policy, all Control Panel items are hidden from the user. If some items should stay available, add them as exceptions.

    Preventing the Registry Editor from starting
    Group Policy location:

    User Configuration → Policies → Administrative Templates → System → Prevent access to registry editing tools

    Change the value to Enabled.

    Forbid everything
    The logical conclusion to this part of the article is the story of how to forbid users everything. The idea is that the user connects to the remote desktop, looks at it, satisfies themselves that technological progress has triumphed, and disconnects.

    To achieve this, we create a group policy that adds extra keys to the Windows registry:

    Group Policy location:

    User Configuration \ Preferences \ Windows Settings \ Registry
    Right-click Registry, then New, then Registry Item

    Add a new REG_DWORD value named RestrictRun with data 1 in the key
    HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \

    The user is now forbidden to run any applications except system ones.

    How to keep them from using CMD and PowerShell is described above.

    If you nevertheless decide (purely out of kindness) to let users launch some applications, they have to be added to an "allow list" by creating, in the key

    HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ RestrictRun

    string values (REG_SZ) whose name is the sequence number of the allowed program (numbering, oddly enough, starts at 1) and whose data is the executable name of the allowed program.

    Example:

    HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ RestrictRun
    String value "1" = "notepad.exe"
    String value "2" = "calc.exe"

    With this configuration, the user can only start Notepad and Calculator.
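    The RestrictRun allow list just described and the "Don't run specified Windows applications" deny list from the PowerShell section are built the same way: a REG_DWORD flag (RestrictRun or DisallowRun) set to 1 next to a subkey of the same name holding string values "1", "2", ... with bare executable names. The PowerShell below is an added example, not code from the article or from Parallels; it writes either list with contiguous numbering, refuses paths (Explorer matches on the file name only), and reads the active configuration back. The function names and ExplorerPolicyKey variable are this example's own.

```powershell
# Added example (not from the original article): builds the Explorer run policies
# in both directions.
#   Allow list: Explorer\RestrictRun = 1 and subkey Explorer\RestrictRun with "1","2",...
#   Deny list : Explorer\DisallowRun = 1 and subkey Explorer\DisallowRun with "1","2",...
#               (this is what "Don't run specified Windows applications" writes)
# Entries are bare executable names; Explorer compares only the file name.
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-ExplorerRunPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Deny')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Executables
    )
    $valueName = if ($Mode -eq 'Allow') { 'RestrictRun' } else { 'DisallowRun' }
    $listKey   = Join-Path $ExplorerPolicyKey $valueName

    foreach ($exe in $Executables) {
        # A path here would never match; catch the mistake before writing anything.
        if ($exe -match '[\\/]' -or $exe -notmatch '\.exe$') {
            throw "Expected a bare executable name like 'notepad.exe', got '$exe'"
        }
    }
    # Recreate the list subkey so stale numbered entries from a previous run are gone.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null

    # The numbered entries must be contiguous and start at 1, as the article notes.
    $n = 1
    foreach ($exe in $Executables) {
        New-ItemProperty -Path $listKey -Name ([string]$n) -Value $exe -PropertyType String | Out-Null
        $n++
    }
    Set-ItemProperty -Path $ExplorerPolicyKey -Name $valueName -Value 1 -Type DWord
}

function Get-ExplorerRunPolicy {
    # Readback: returns each enabled mode with its executables in list order.
    $result = @()
    foreach ($valueName in 'RestrictRun', 'DisallowRun') {
        $flag = Get-ItemProperty -Path $ExplorerPolicyKey -Name $valueName -ErrorAction SilentlyContinue
        if ($flag.$valueName -ne 1) { continue }
        $listKey = Join-Path $ExplorerPolicyKey $valueName
        $entries = @()
        if (Test-Path $listKey) {
            $entries = (Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                Sort-Object { [int]$_.Name } |
                ForEach-Object { $_.Value }
        }
        $result += [pscustomobject]@{ Mode = $valueName; Executables = @($entries) }
    }
    return $result
}

# Usage: the article's "only Notepad and Calculator" configuration, then readback.
Set-ExplorerRunPolicy -Mode Allow -Executables 'notepad.exe', 'calc.exe'
Get-ExplorerRunPolicy
```

    Both lists are enforced by the Explorer shell and keyed on the file name, so they are usability hardening rather than an application-control boundary: a renamed copy of an executable, or a launch from a process that is not Explorer, is not covered. Where you need the allow list to actually hold, back it with AppLocker or Windows Defender Application Control rules and keep the NTFS permissions tight.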

    With this I want to finish the "Prohibitive" part. Of course, a few more "don'ts" could be mentioned, but all of those are configured through the Parallels Client and the built-in policies of Parallels RAS.



    Part two. "Time and other romance"


    Setting time limits for remote sessions

    It happens that a user launches an application in the background and may not even use it. For ordinary applications that is no big deal, but a published application or desktop launched in the background consumes a license, and licenses, however wild this sounds for Russia, cost money.

    To address this, clever people at Microsoft came up with various terminal session states and time limits for them.

    The terminal session states are:

    Active - the session is active and something is happening in it: the user moves the mouse, clicks buttons and imitates vigorous activity
    Idle - there is a connection, the session is running, the application is running, but the user is not active
    Disconnected - the user clicked the X and disconnected. It is useless to explain to the end user what sort of beast a logoff is and what it eats.

    It makes the most sense to set time limits for Idle and Disconnected sessions.
    Nothing happens in them, but they still hold licenses.

    Once again, we can achieve this with group policies.

    Group Policy location:

    User Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits

    There are several options in this folder. Let's go through them all:

    Set time limit for active but idle Remote Desktop Services sessions

    Maximum time for Idle sessions.

    Set time limit for active Remote Desktop Services sessions

    Maximum time for Active sessions.

    Set time limit for disconnected sessions

    Maximum time for Disconnected sessions.

    End session when time limits are reached

    If you set this policy to Enabled, sessions are ended (logged off) when a time limit is reached, rather than merely disconnected.

    Setting time limits is an important step in optimizing both server performance and software costs.
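    The four Session Time Limits policies map to four registry values under the Terminal Services policy key (MaxIdleTime, MaxConnectionTime and MaxDisconnectionTime in milliseconds, plus the fResetBroken flag for "End session when time limits are reached"); the User Configuration versions live under HKCU, the Computer Configuration ones under HKLM at the same relative path. The PowerShell below is an added example, not code from the article or from Parallels; it takes limits in minutes, converts them, writes the values for the current user, and reads them back in minutes so the configuration can be checked. Function names and the SessionPolicyKey variable are this example's own.

```powershell
# Added example (not from the original article): sets the four Session Time Limits
# policies by writing the registry values the ADMX maps them to, then reads them back.
# Assumed mapping (from the Terminal Services ADMX):
#   Set time limit for active but idle sessions  -> MaxIdleTime          (ms)
#   Set time limit for active sessions           -> MaxConnectionTime    (ms)
#   Set time limit for disconnected sessions     -> MaxDisconnectionTime (ms)
#   End session when time limits are reached     -> fResetBroken = 1
$SessionPolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services'

function Set-SessionTimeLimits {
    param(
        [int]$IdleMinutes         = 0,   # 0 means "never", as in the GPO editor
        [int]$ActiveMinutes       = 0,
        [int]$DisconnectedMinutes = 0,
        [switch]$EndInsteadOfDisconnect
    )
    if (-not (Test-Path $SessionPolicyKey)) { New-Item -Path $SessionPolicyKey -Force | Out-Null }
    $limits = @{
        MaxIdleTime          = $IdleMinutes
        MaxConnectionTime    = $ActiveMinutes
        MaxDisconnectionTime = $DisconnectedMinutes
    }
    foreach ($name in $limits.Keys) {
        if ($limits[$name] -lt 0) { throw "$name cannot be negative" }
        # The values are stored in milliseconds; keep the arithmetic in int64 and
        # refuse anything that does not fit the signed 32-bit DWORD the cmdlet writes.
        $ms = [int64]$limits[$name] * 60000
        if ($ms -gt [int]::MaxValue) { throw "$name is too large for a DWORD" }
        Set-ItemProperty -Path $SessionPolicyKey -Name $name -Value ([int]$ms) -Type DWord
    }
    $reset = if ($EndInsteadOfDisconnect) { 1 } else { 0 }
    Set-ItemProperty -Path $SessionPolicyKey -Name fResetBroken -Value $reset -Type DWord
}

function Get-SessionTimeLimits {
    # Readback in minutes, plus what happens when a limit is hit.
    $p = Get-ItemProperty -Path $SessionPolicyKey -ErrorAction SilentlyContinue
    $toMinutes = { param($ms) if ($ms) { [int]($ms / 60000) } else { 0 } }
    [pscustomobject]@{
        IdleMinutes         = & $toMinutes $p.MaxIdleTime
        ActiveMinutes       = & $toMinutes $p.MaxConnectionTime
        DisconnectedMinutes = & $toMinutes $p.MaxDisconnectionTime
        OnLimit             = $(if ($p.fResetBroken -eq 1) { 'EndSession' } else { 'Disconnect' })
    }
}

# Usage: the article's recommendation, limits on idle and disconnected sessions only,
# ending (not just disconnecting) the session so the license is actually released.
Set-SessionTimeLimits -IdleMinutes 30 -DisconnectedMinutes 60 -EndInsteadOfDisconnect
Get-SessionTimeLimits
```

    Keep the active-session limit at 0 unless you really want to interrupt people who are working; the idle and disconnected limits are the ones that free licenses without anyone noticing. Because the values are per-user policy, Get-SessionTimeLimits run inside a test session tells you what that session will actually get.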

    Setting logon hours for users, or saying no to overtime
    Each of us has a working day, and also a morning, an evening and a night. But British (or Maltese) scientists recently discovered that work, it turns out, can make you ill or even kill you. Work is a very strong and dangerous drug, so, out of ardent care for our beloved users, we must limit the hours during which they can log on to the server. Otherwise they will decide to work from home, on holidays and on weekends. Group policies will not help us here: logon hours are set in the user properties. Somewhere far back at the start of this article I mentioned that all these manipulations are best done on a specially created group of Parallels RAS users, so, using that group as the example, let's see how to set working hours.

    Go to the lower-left corner of the screen, press the Start button and type dsa.msc.
    Everyone's favorite Active Directory Users and Computers snap-in opens.

    Find the Parallels RAS user group you created, right-click it and open its properties. On the Account tab there is a Logon Hours option, where you select the allowed and forbidden working hours for the group.

    The result of this section:

    1. You are magnificent
    2. Users' lives are saved from overtime
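    Logon Hours is stored in Active Directory as the logonHours attribute: 21 bytes, one bit per hour of the week, in UTC, starting with Sunday, with the least significant bit of each byte being the earliest hour it covers. It is a per-user attribute, so scripting it for the group means applying it to each member. The PowerShell below is an added example, not code from the article or from Parallels; it builds the mask from local working hours, renders it as a week grid for checking, and applies it to every user in the group. It assumes the RSAT ActiveDirectory module, a group name of "Parallels RAS Users", a UTC offset of +3 hours and the function names shown; all of those are this example's own.

```powershell
# Added example (not from the original article): builds the 21-byte logonHours
# attribute and applies it to every user in the Parallels RAS group.
# Assumptions (labelled): logonHours is per user (groups have no such property),
# holds 168 bits, one per hour of the week, stored in UTC, Sunday first, with the
# least significant bit of each byte being the earliest of its 8 hours.
# Requires the ActiveDirectory module (RSAT) and rights to modify the users.

function New-LogonHoursMask {
    param(
        [int[]]$Days = @(1, 2, 3, 4, 5),   # 0 = Sunday ... 6 = Saturday (local week)
        [int]$StartHour = 8,               # first allowed local hour, inclusive
        [int]$EndHour = 20,                # last allowed local hour, exclusive
        [int]$UtcOffsetHours = 3           # local time zone offset; AD stores the bits in UTC
    )
    if ($StartHour -lt 0 -or $EndHour -gt 24 -or $StartHour -ge $EndHour) {
        throw 'Hour range must satisfy 0 <= StartHour < EndHour <= 24'
    }
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Hour index within the week, shifted from local time to UTC and wrapped.
            $utcIndex  = (($day * 24 + $h - $UtcOffsetHours) % 168 + 168) % 168
            $byteIndex = [int][math]::Floor($utcIndex / 8)
            $bit       = $utcIndex % 8
            $mask[$byteIndex] = [byte]($mask[$byteIndex] -bor (1 -shl $bit))
        }
    }
    return ,$mask
}

function Format-LogonHoursMask {
    # Renders the mask as seven 24-character rows (UTC) so it can be checked by eye.
    param([Parameter(Mandatory)][byte[]]$Mask)
    $names = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    for ($day = 0; $day -lt 7; $day++) {
        $row = ''
        for ($h = 0; $h -lt 24; $h++) {
            $idx = $day * 24 + $h
            $allowed = ($Mask[[int][math]::Floor($idx / 8)] -band (1 -shl ($idx % 8))) -ne 0
            $row += $(if ($allowed) { '#' } else { '.' })
        }
        '{0} {1}' -f $names[$day], $row
    }
}

function Set-GroupLogonHours {
    # logonHours cannot be set on the group itself, so apply it to each member user.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][byte[]]$Mask
    )
    Import-Module ActiveDirectory
    $users = @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' })
    foreach ($u in $users) {
        Set-ADUser -Identity $u.distinguishedName -Replace @{ logonHours = $Mask }
    }
    return $users.Count   # number of accounts updated
}

# Usage: Mon-Fri 08:00-20:00 local time (UTC+3) for the group; the grid shows UTC.
$mask = New-LogonHoursMask -Days 1, 2, 3, 4, 5 -StartHour 8 -EndHour 20 -UtcOffsetHours 3
Format-LogonHoursMask -Mask $mask
Set-GroupLogonHours -GroupName 'Parallels RAS Users' -Mask $mask
```

    Run Format-LogonHoursMask before Set-GroupLogonHours and compare the grid with what the Logon Hours dialog in ADUC shows (the dialog converts to local time, the grid here is UTC); a wrong UtcOffsetHours is the usual reason the allowed window appears shifted by a few hours. Because Get-ADGroupMember is called with -Recursive, nested groups are covered too, so check the returned count against the membership you expect.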



    Part three. Interactive


    When using published resources, one often has not only to forbid everything on the server but also to redirect local resources into the remote session. Printers, scanners, drives, sound and COM ports cause no difficulty: Parallels RAS redirects them perfectly without any additional Windows settings. With the redirection of USB devices and webcams it is not so simple.

    To redirect this kind of hardware, the stars must align correctly not only on the server but also on the client machine:

    On the user's computer, change the following group policy:

    Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Connection Client → RemoteFX USB Device Redirection
    Set it to Enabled.

    Now in the Parallels Client connection properties (Connection Properties → Local Resources) you can choose which of the connected USB devices should be redirected to the server.

    Note: a USB device can be used either in the published application or on the local computer, but not in both at once.

    On the server side, you need to install the drivers and all the software the USB device needs to work. Unfortunately, mankind has not yet come up with a universal driver for everything.

    With this I would like to wrap up the overview of Windows settings that matter for Parallels RAS.



    P.S. Such long texts have not been written here for a long time, hence huge thanks to everyone who made it through this article.
