Operating Systems / Windows

Windows - Disable file copy through RDP with Group Policy How to configure the Local or AD Group Policy Objects to disable Clipboard redirection, Drive mapping/redirection, LPT port redirection and/or COM port redirection through Remote Desktop Protocol

- by Ryan - 1 Comment 67.7K
How to stop (or prevent) massive login attempts to Remote Desktop RDP on Windows Server

In this post we'll see how we can use the Windows Server Group Policy Management Console (GPMC) to globally disable some useful - yet potentially harmful - features that natively come with the Remote Desktop protocol, such as:

  • Clipboard redirection, which can be used to cut/paste text and files from the remote PC to the local PC and vice-versa (thus allowing file copy/download).
  • Drive mapping/redirection, which allows the remote user to access their local drive(s) through the remote PC (thus allowing file copy/download).
  • COM port redirection, which can be used to make some local COM devices available to the remote PC.
  • LPT port redirection, which can be used to make some local Line Printer Terminal devices available to the remote PC (thus allowing local printing of remote files).

As we can easily see those functions can be quite powerful, since they allow the remote user to easily access to the files hosted on the company-owned PC in various ways: this can be great when they (and/or the company they work for) have full ownership and rights to handle them in any way, yet it can also pose severe risks of unauthorized data breaches if they don't.

As a matter of fact, the remote workers rarely have full ownership rights over company documents: they are often allowed to access them only from corporate-owned devices, without being authorized to copy or print them somewhere else. When such limitations are in force, preventing those users from being able to copy, download and/or print those files to their local PC could be very useful to comply with the company policies.

Luckily enough, the Windows Server Group Policy Management Console (GPMC) can be configured to disallow those features for all RDP users with the following steps:

  • Access a computer upon which the Active Directory Domain Services server role is installed.
  • Launch Server Manager, click Tools, and then click Group Policy Management.
  • In the Group Policy Management console, expand the following path: Forest > example.com > Domains > example.com > Group Policy Objects, where example.com is the name of the domain where the RDP client computer policies that you want to configure are located.
  • Right click the Default Domain Policy node and select Modify to open the Group Policy Management Console (GPMC).
  • Use the GPMC user interface to navigate through the following path: Windows Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
  • Access the following group policy settings and enable/disable them accordingly with your needs:
    • Do not allow Clipboard redirection
    • Do not allow COM port redirection
    • Do not allow drive redirection
    • Do not allow LPT port redirection
IMPORTANT: The above instructions are meant for Active Directory networks: if you don't have a Windows Domain you can still use the GPMC to enforce those policies, but you'll have to perform those steps on each company PC you'll want to prevent them from.

As you can see, in order to prevent the users from using each feature you need to enable the group policy that actively blocks it, thus overriding the default value that allows it for all users.

Once you have set up these new Group Policy, you might want to immediately apply them everywhere by forcing a Group Policy refresh on all the Windows client machines within the Organizational Unit. To learn how you can do that, take a look at our How to force a Remote Group Policy Refresh with GPUpdate post that explains how to pull off such task selectively or globally using either CMD, Powershell or the Group Policy Management Console (GPMC).

Conclusions

That's it, at least for now: I hope that this post will help those System Administrators that are looking for a way to prevent their users from using RDP connections to copy, download and/or print company-owned documents from their local device.

Print Friendly, PDF & EmailPrint Friendly & PDF Download

Related Posts

How to block File Sharing for one or more IP Addresses in Windows

How to disable the Task Scheduler Service on Windows Server A useful method to stop / disable the Task Scheduler Service in all editions of Windows

Stellar Repair for Excel - Review and Test Drive

Stellar Repair for Photo - Review and Test Drive Review and Test Drive of Stellar Repair for Photo, a software for repairing corrupt or damaged image files by Stellar Information Technology

How to Remove Duplicate Files on Windows 10 for Free?

How to Remove Duplicate Files on Windows 10 for Free? Do you need to remove duplicate files or similar images from Windows 10? Here's a list of some simple and reliable techniques with and without tools

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

One Comment on “Windows - Disable file copy through RDP with Group Policy How to configure the Local or AD Group Policy Objects to disable Clipboard redirection, Drive mapping/redirection, LPT port redirection and/or COM port redirection through Remote Desktop Protocol

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.