In this post we’ll see how we can use the Windows Server Group Policy Management Console (GPMC) to globally disable some useful – yet potentially harmful – features that natively come with the Remote Desktop protocol, such as:
- Clipboard redirection, which can be used to cut/paste text and files from the remote PC to the local PC and vice-versa (thus allowing file copy/download).
- Drive mapping/redirection, which allows the remote user to access their local drive(s) through the remote PC (thus allowing file copy/download).
- COM port redirection, which can be used to make some local COM devices available to the remote PC.
- LPT port redirection, which can be used to make local parallel-port (LPT) devices, typically printers, available to the remote PC (thus allowing local printing of remote files).
As we can easily see, those functions are quite powerful, since they allow the remote user to move files hosted on the company-owned PC to their own device in several ways: this is fine when they (and/or the company they work for) have full ownership of those files and the right to handle them as they wish, yet it poses a severe risk of unauthorized data exfiltration when they don't.
As a matter of fact, remote workers rarely have full ownership rights over company documents: they are often allowed to access them only from corporate-owned devices, without being authorized to copy or print them anywhere else. When such limitations are in force, preventing those users from copying, downloading and/or printing those files to their local PC is a simple way to enforce the company policy technically rather than relying on the user to follow it.
Luckily enough, the Windows Server Group Policy Management Console (GPMC) can be used to disable those features for every user who connects to the affected Remote Desktop Session Hosts with the following steps:
- Access a computer upon which the Active Directory Domain Services server role is installed.
- Launch Server Manager, click Tools, and then click Group Policy Management.
- In the Group Policy Management console, expand the following path: Forest > example.com > Domains > example.com > Group Policy Objects, where example.com is the name of the domain containing the Remote Desktop Session Host computers (the machines users connect to) that you want to configure. These are computer-side settings, so they must reach the session hosts, not the users' own PCs.
- Right click the Default Domain Policy node and select Edit to open the Group Policy Management Editor. Keep in mind that the Default Domain Policy applies to every computer in the domain: if only some machines accept RDP connections, it is cleaner to create a dedicated GPO and link it to the OU that holds those session hosts.
- Use the editor to navigate through the following path: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
- Access the following group policy settings and enable/disable them accordingly with your needs:
- Do not allow Clipboard redirection
- Do not allow COM port redirection
- Do not allow drive redirection
- Do not allow LPT port redirection
As you can see, in order to prevent the users from using each feature you need to set the group policy that actively blocks it to Enabled, thus overriding the default (Not Configured) value that allows it for all users. The same folder also contains Do not allow client printer redirection, which is worth enabling too if the goal is to stop local printing, since modern printers are redirected through that channel rather than through LPT ports. The settings take effect on the session hosts after the next policy refresh (gpupdate /force or a reboot) and only for new sessions. Keep in mind that blocking redirection stops bulk transfer through the RDP channels; it does not prevent a user from taking screenshots or retyping what they see on screen.
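The same configuration can be scripted with the GroupPolicy PowerShell module, which is handy when several domains or OUs must be covered or when you want to verify that a session host actually received the policy. The following is an added example, not part of the original post; it creates a dedicated GPO instead of editing the Default Domain Policy, writes the four registry values that back the four policies listed above, links the GPO to an OU, and offers a check to run on a session host. The GPO name and the OU distinguished name are assumptions and must be adapted to your environment.

```powershell
# Added example (not from the original post). Creates and links a GPO that blocks
# clipboard, COM, drive and LPT redirection on RD Session Hosts, then verifies it.
# Requires the GroupPolicy module (RSAT / AD DS tools) and rights to create and link GPOs.
#Requires -Modules GroupPolicy
Import-Module GroupPolicy

$GpoName  = 'RDS - Block device redirection'            # assumed GPO name, change as needed
$TargetOU = 'OU=RD Session Hosts,DC=example,DC=com'     # assumed OU holding the session hosts

# Registry values behind the "Do not allow ... redirection" policies under
# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection.
# A value of 1 means the policy is Enabled, i.e. the redirection is blocked.
$PolicyKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Redirection = @{
    fDisableClip = 'Do not allow Clipboard redirection'
    fDisableCcm  = 'Do not allow COM port redirection'
    fDisableCdm  = 'Do not allow drive redirection'
    fDisableLPT  = 'Do not allow LPT port redirection'
}

function New-RdsRedirectionBlockGpo {
    # Create the GPO only if it does not exist yet, so the script is safe to re-run.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Blocks clipboard, COM, drive and LPT redirection on RD Session Hosts'
    }

    # Each Set-GPRegistryValue call is the scripted equivalent of setting one policy to Enabled.
    foreach ($valueName in $Redirection.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName $valueName -Type DWord -Value 1 | Out-Null
    }

    # Link the GPO to the OU that contains the session hosts, unless it is already linked there.
    $existingLink = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $existingLink) {
        New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
    $gpo
}

function Test-RdsRedirectionBlocked {
    # Run on a session host after 'gpupdate /force' (or a reboot). Reads the policy-applied
    # values; a missing value or 0 means that redirection channel is still allowed.
    $localKey = $PolicyKey -replace '^HKLM\\', 'HKLM:\'
    $applied  = Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue
    foreach ($valueName in $Redirection.Keys) {
        [pscustomobject]@{
            Policy  = $Redirection[$valueName]
            Value   = $valueName
            Blocked = ($applied.$valueName -eq 1)
        }
    }
}

# On a domain controller or management workstation:
#   New-RdsRedirectionBlockGpo
# On a session host, after refreshing policy:
#   gpupdate /force; Test-RdsRedirectionBlocked | Format-Table -AutoSize
```

Run the first function once from a machine with the GroupPolicy module; run the second on each session host (or through remoting) to confirm that all four rows report Blocked = True before telling users the restriction is in place. Existing sessions keep the redirection they negotiated at logon, so only connections opened after the refresh are affected.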
That’s it, at least for now: I hope that this post will help those System Administrators who are looking for a way to prevent their users from using RDP connections to copy, download and/or print company-owned documents onto their local devices.