Deploying Windows 2003 Terminal Server
Written by bigboi   
Thursday, 09 June 2005
Page 3 of 9

If system-wide restrictions must be applied to the Terminal Server, place the Terminal Server computer object into the locked down OU. Doing so enforces computer-based restrictions on the Terminal Server. Administrators also have the option to apply user-based restrictions to all users who log on to the Terminal Server, including administrators. With loopback processing in Merge mode these restrictions are added to the policies the user normally receives when logging on to the domain; in Replace mode they take the place of those policies. Refer to the computer loopback policy (Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode) for additional information.

After installing and configuring all applications on the Terminal Server, place the Terminal Server computer object into the locked down OU and enable loopback processing. All users who log on to the Terminal Server are then restricted by the user-based policies defined in the locked down Terminal Server GPO, regardless of the OU their user account is located in. This prevents many local changes from being made on the Terminal Server; the server can still be maintained remotely. If administrators need unrestricted access to the Terminal Server, log off all users and temporarily disable logons to the Terminal Server. Move the Terminal Server computer object out of the locked down OU, refresh Group Policy, and log on. When maintenance is complete, return the Terminal Server computer object to the locked down OU and re-enable user logons. This implementation does not require users to have multiple user accounts, and it prevents configuration changes to the Terminal Server while it is in production. These policies apply only to computer objects placed into the locked down OU, and they are system wide, affecting all users.
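The maintenance window described above, as an added PowerShell example that is not part of the original article: it drains user sessions, moves the computer object out of the locked down OU so the lockdown GPO stops applying, refreshes policy, waits for the operator, and then restores the lockdown even if a step fails. It is meant to be run locally from an administrative console session. The OU distinguished names are assumptions, and the script relies on the Windows Server 2003 directory service command-line tools (dsmove, dsget) being installed.

```powershell
# Added example, not code from the original article.
# Maintenance-window script for a locked-down Terminal Server. Run locally, from an
# administrative session, on a host where dsmove/dsget are available.
param(
    [string]$ComputerCN = $env:COMPUTERNAME,                                   # e.g. TS01
    [string]$LockedOU   = "OU=Locked Down Terminal Servers,DC=example,DC=com", # assumed DN
    [string]$StagingOU  = "OU=Servers,DC=example,DC=com"                       # assumed DN, no lockdown GPO linked
)

function Invoke-Step([string]$Description, [scriptblock]$Action) {
    Write-Host "[*] $Description"
    & $Action
    if ($LASTEXITCODE -ne 0) { throw "Step failed (exit $LASTEXITCODE): $Description" }
}

# Parse 'query user' and return the IDs of every session except the one running this script.
function Get-OtherSessionIds {
    query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
        # Columns: USERNAME  SESSIONNAME  ID  STATE ...; SESSIONNAME is blank for
        # disconnected sessions and the current session is flagged with a leading '>'.
        if ($_ -match '^\s*(>?)(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(Active|Disc)') {
            if ($Matches[1] -ne '>') { [int]$Matches[4] }
        }
    }
}

$lockedDN  = "CN=$ComputerCN,$LockedOU"
$stagingDN = "CN=$ComputerCN,$StagingOU"

try {
    # 1. Block new logons, then log off whoever is still connected (active or disconnected).
    Invoke-Step "Disabling new Terminal Server logons" { change logon /disable }
    foreach ($id in Get-OtherSessionIds) {
        Invoke-Step "Logging off session $id" { logoff $id }
    }

    # 2. Move the computer object out of the locked down OU and re-evaluate policy.
    #    A computer's GPO scope follows its OU, so the lockdown GPO stops applying
    #    once policy is refreshed against a DC that has seen the move.
    Invoke-Step "Moving $lockedDN to $StagingOU" { dsmove $lockedDN -newparent $StagingOU }
    Invoke-Step "Refreshing computer policy"     { gpupdate /force /target:computer }

    Read-Host "Perform maintenance now. Press Enter to restore the lockdown"
}
finally {
    # 3. Always put the object back and re-enable logons, even if a step above threw.
    #    Only move it back if it actually sits in the staging OU.
    dsget computer $stagingDN 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { dsmove $stagingDN -newparent $LockedOU }
    gpupdate /force /target:computer
    change logon /enable
    Write-Host "[*] Lockdown restored; users may log on again."
}
```

Two caveats apply. First, the move is written to one domain controller; if the Terminal Server refreshes policy from a different DC before replication completes, it still evaluates the old OU, so allow for replication or target the same DC. Second, only Administrative Templates settings (including the user-side loopback restrictions) are removed when their GPO goes out of scope. Security Settings such as the Security Options listed on this page are written directly to the registry and persist ("tattoo") until another policy or a manual change sets them otherwise, so moving the object out of the OU does not undo them.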

In the GPO to be applied to the Terminal Server OU make all of the settings outlined below effective. The first group of settings are for the computer policy section of the GPO and the second group of settings are user settings.

Computer Settings Restrictions
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]
• Devices: Restrict CD-ROM access to locally logged-on user only
Recommended setting: Enabled
This policy allows only users who log on to the console of the Terminal Server access to the CD-ROM drive. It is recommended that you enable this policy to prevent users and administrators from remotely accessing programs or data on a CD-ROM.

• Devices: Restrict floppy access to locally logged-on user only
Recommended setting: Enabled
This policy allows only users who log on to the console of the Terminal Server access to the floppy disk drive. It is recommended that you enable this policy to prevent users and administrators from remotely accessing programs or data on a floppy disk.

• Interactive logon: Do not display last user name
Recommended setting: Enabled
This policy hides the name of the last logged-on user account at the Windows logon prompt on the console of the Terminal Server. It does not affect Terminal Server clients that cache the logon user name locally.

• Interactive logon: Message text for users attempting to log on
Recommended setting: Enabled
This is a warning that people will see when they try to log on to the computer. The text should read: “Information in DOMAIN computers, systems, applications, and databases is the confidential property of DOMAIN and is protected by U.S. and International intellectual property and trade secret laws. You must be an authorized user and must be given specific permission to access information. All usage must conform to the Information Technology Use Policy and Guidelines. IT resources are protected by a security system. Your activities may be subject to monitoring in compliance with applicable laws, regulations, and directives. Violations may be reported to governmental authorities.”

• Interactive logon: Message title for users attempting to log on
Recommended setting: Enabled
This is the title of the warning that people will see when they try to log on to the computer. The text should read: “WARNING:”

• Network Access: Do not allow anonymous enumeration of SAM accounts
Recommended setting: Enabled
By default, Windows allows anonymous (null session) users to enumerate the names of local SAM accounts. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust, but it also lets an unauthenticated attacker harvest valid account names for password guessing. Enabling this setting blocks anonymous enumeration of SAM account names on the Terminal Server; it does not by itself block anonymous enumeration of shares.

• Network Access: Do not allow anonymous enumeration of SAM accounts and shares
Recommended setting: Enabled
This setting is a superset of the previous one: enabling it blocks anonymous enumeration of both SAM account names and network shares. Enable both settings. Test first any application or trust scenario that legitimately relies on null-session enumeration (for example, the one-way trust case above), since it will be affected.

[Computer Configuration\Windows Settings\Security Settings\System Services]
• Help and Support
Recommended setting: Disabled
This policy disables the Help and Support Center service. It prevents users from starting the Windows Help and Support Center application. It does not disable the older help files (such as *.chm) or Help in other applications. Disabling this service might break other programs and services that depend on it. It is recommended that you disable this service to prevent users from launching other applications or viewing system information about the Terminal Server through it.

[Computer Configuration\Administrative Templates\Windows Components\Terminal Services]
• Restrict Terminal Services users to a single remote session
Recommended setting: Enabled
This policy prevents a single user account from creating multiple simultaneous sessions on the Terminal Server. Use this setting to stop one user from consuming the resources of three users by maintaining three concurrent sessions on the server. If a user disconnects without logging off, they are reconnected to the existing session when they log back on.

• Remove Disconnect option from Shut Down dialog box
Recommended setting: Enabled
This policy removes the Disconnect option from the Shut Down Windows dialog box. It does not prevent users from disconnecting from their session (for example, by closing the client window). Use this policy if you do not want users to disconnect easily from their session and you have not removed the Shut Down Windows dialog box altogether.

• Limit Maximum Color Depth
Recommended setting: Enabled
Set this to 15 bit to allow good video quality while preventing users from consuming excessive bandwidth. If 15 bit is still too high for bandwidth-constrained remote workers, go down to 256 colors (8 bit). 15 bit is adequate for normal office work as long as the user has broadband.
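The settings above are written by Group Policy into well-known registry locations on the Terminal Server. The following added PowerShell script (not part of the original article) reads those locations back and reports any setting that is not in the recommended state, as a post-deployment check to run on the server after a policy refresh. The key and value names follow the Windows Server 2003 Security Options and Terminal Services ADM definitions; the exact key for the Disconnect option and the color-depth encoding (1 = 8 bit, 2 = 15 bit, 3 = 16 bit, 4 = 24 bit) are assumptions taken from that template, so confirm them against your own template if a row looks wrong.

```powershell
# Added example, not code from the original article.
# Reads back the registry values behind the GPO settings listed on this page and
# reports any that are not in the recommended state. Run locally, elevated, after
# 'gpupdate /force'. Assumption: the key/value mapping follows the Windows Server 2003
# Security Options and Terminal Services ADM definitions.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# One row per setting: the GPO name from the article, where it is written, and the
# value that corresponds to the recommended state.
$checks = @(
    @{ Setting = 'Devices: Restrict CD-ROM access to locally logged-on user only';           Path = $Winlogon; Name = 'AllocateCDRoms';          Expect = '1' },
    @{ Setting = 'Devices: Restrict floppy access to locally logged-on user only';           Path = $Winlogon; Name = 'AllocateFloppies';        Expect = '1' },
    @{ Setting = 'Interactive logon: Do not display last user name';                         Path = $System;   Name = 'DontDisplayLastUserName'; Expect = 1 },
    @{ Setting = 'Interactive logon: Message title for users attempting to log on';          Path = $System;   Name = 'LegalNoticeCaption';      Expect = 'WARNING:' },
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts';       Path = $Lsa;      Name = 'RestrictAnonymousSAM';    Expect = 1 },
    @{ Setting = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $Lsa; Name = 'RestrictAnonymous';       Expect = 1 },
    @{ Setting = 'Restrict Terminal Services users to a single remote session';              Path = $TsPolicy; Name = 'fSingleSessionPerUser';   Expect = 1 },
    @{ Setting = 'Remove Disconnect option from Shut Down dialog box (assumed key)';         Path = $Explorer; Name = 'NoDisconnect';            Expect = 1 },
    @{ Setting = 'Limit Maximum Color Depth = 15 bit (assumed encoding)';                    Path = $TsPolicy; Name = 'ColorDepth';              Expect = 2 }
)

function Test-LockdownSetting($check) {
    $actual = (Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
    New-Object PSObject -Property @{
        Setting  = $check.Setting
        Expected = $check.Expect
        Actual   = $(if ($null -eq $actual) { '<not set>' } else { $actual })
        # Compare as strings: the list mixes REG_SZ "1" and REG_DWORD 1.
        Pass     = ($null -ne $actual) -and ("$actual" -eq "$($check.Expect)")
    }
}

$results = @($checks | ForEach-Object { Test-LockdownSetting $_ })

# The logon banner text is free-form, so only require that a banner is configured at all.
$banner = (Get-ItemProperty -Path $System -Name LegalNoticeText -ErrorAction SilentlyContinue).LegalNoticeText
$results += New-Object PSObject -Property @{
    Setting = 'Interactive logon: Message text for users attempting to log on'; Expected = '<non-empty>'
    Actual  = $(if ($banner) { '<set>' } else { '<not set>' }); Pass = [bool]$banner }

# Help and Support (service name helpsvc) must be disabled, not merely stopped.
$helpsvc = Get-WmiObject Win32_Service -Filter "Name='helpsvc'"
$results += New-Object PSObject -Property @{
    Setting = 'System Services: Help and Support'; Expected = 'Disabled'
    Actual  = $(if ($helpsvc) { $helpsvc.StartMode } else { '<not installed>' })
    Pass    = ($null -ne $helpsvc) -and ($helpsvc.StartMode -eq 'Disabled') }

$results | Sort-Object Pass | Format-Table Pass, Setting, Expected, Actual -AutoSize
# Non-zero exit so the check can gate a build or a scheduled audit.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Because Security Options values persist after a GPO goes out of scope, a passing result here tells you the values are in effect, not that the GPO is still linked; pair it with `gpresult /scope computer` when you need to confirm where a value came from.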



Last Updated ( Saturday, 11 June 2005 )
 
(C) 2008 GeekExtreme - Tech News & Reviews