Windows – Disable file copy through RDP with Group Policy

How to configure the Local or AD Group Policy Objects to disable Clipboard redirection, Drive mapping/redirection, LPT port redirection and/or COM port redirection through Remote Desktop Protocol


In this post we’ll see how we can use the Windows Server Group Policy Management Console (GPMC) to globally disable some useful – yet potentially harmful – features that natively come with the Remote Desktop protocol, such as:

  • Clipboard redirection, which can be used to cut/paste text and files from the remote PC to the local PC and vice-versa (thus allowing file copy/download).
  • Drive mapping/redirection, which allows the remote user to access their local drive(s) through the remote PC (thus allowing file copy/download).
  • COM port redirection, which can be used to make some local COM devices available to the remote PC.
  • LPT port redirection, which can be used to make some local Line Printer Terminal devices available to the remote PC (thus allowing local printing of remote files).

As we can easily see, those functions can be quite powerful, since they allow the remote user to easily access the files hosted on the company-owned PC in various ways: this can be great when they (and/or the company they work for) have full ownership and rights to handle those files in any way, yet it can also pose severe risks of unauthorized data breaches if they don’t.

As a matter of fact, the remote workers rarely have full ownership rights over company documents: they are often allowed to access them only from corporate-owned devices, without being authorized to copy or print them somewhere else. When such limitations are in force, preventing those users from being able to copy, download and/or print those files to their local PC could be very useful to comply with the company policies.

Luckily enough, the Windows Server Group Policy Management Console (GPMC) can be configured to disallow those features for all RDP users with the following steps:

  • Access a computer upon which the Active Directory Domain Services server role is installed.
  • Launch Server Manager, click Tools, and then click Group Policy Management.
  • In the Group Policy Management console, expand the following path: Forest > example.com > Domains > example.com > Group Policy Objects, where example.com is the name of the domain where the RDP client computer policies that you want to configure are located.
  • Right click the Default Domain Policy node and select Modify to open the Group Policy Management Console (GPMC).
  • Use the GPMC user interface to navigate through the following path: Windows Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
  • Access the following group policy settings and enable/disable them accordingly with your needs:
    • Do not allow Clipboard redirection
    • Do not allow COM port redirection
    • Do not allow drive redirection
    • Do not allow LPT port redirection

IMPORTANT: The above instructions are meant for Active Directory networks: if you don’t have a Windows Domain you can still use the GPMC to enforce those policies, but you’ll have to perform those steps locally on each company PC on which you want to block those features.

As you can see, in order to prevent the users from using each feature you need to enable the group policy that actively blocks it, thus overriding the default value that allows it for all users.
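The same four settings can be applied without clicking through the editor. The following PowerShell script is an added example (not code from the original post) that uses the GroupPolicy module shipped with the GPMC/RSAT tools to write the registry-backed values behind the four "Do not allow ... redirection" entries into a GPO. The GPO name and the domain name are assumptions; the registry key and value names are the ones the Remote Desktop Session Host administrative template actually uses.

```powershell
# Added example, not part of the original post.
# Requires the GroupPolicy module (installed with GPMC / RSAT) and rights to edit GPOs.
Import-Module GroupPolicy

$GpoName = 'RDP - Block device redirection'   # assumed name; use 'Default Domain Policy' to follow the post literally
$Domain  = 'example.com'                       # assumed domain name

# Registry location behind the GPMC entries under
# Administrative Templates > Windows Components > Remote Desktop Services >
# Remote Desktop Session Host > Device and Resource Redirection.
$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Policies = [ordered]@{
    fDisableClip = 'Do not allow Clipboard redirection'
    fDisableCcm  = 'Do not allow COM port redirection'
    fDisableCdm  = 'Do not allow drive redirection'
    fDisableLPT  = 'Do not allow LPT port redirection'
}

# Create the GPO if it does not exist yet and link it to the domain root.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain
    $domainDn = 'DC=' + ($Domain -replace '\.', ',DC=')   # example.com -> DC=example,DC=com
    New-GPLink -Name $GpoName -Target $domainDn -Domain $Domain | Out-Null
}

# "Enabled" in the editor corresponds to the DWORD being written with value 1;
# "Not Configured" leaves the value absent, which keeps the feature allowed.
foreach ($valueName in $Policies.Keys) {
    Set-GPRegistryValue -Name $GpoName -Domain $Domain -Key $Key `
        -ValueName $valueName -Type DWord -Value 1 | Out-Null
    Write-Host ("Enabled '{0}' ({1}=1)" -f $Policies[$valueName], $valueName)
}

# Read the values back from the GPO to confirm they were written as intended.
Get-GPRegistryValue -Name $GpoName -Domain $Domain -Key $Key |
    Select-Object ValueName, Type, Value
```

Using a dedicated GPO linked at the domain root (or at the OU containing the session hosts) rather than editing the Default Domain Policy keeps the change easy to audit and to roll back; the values are identical either way.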

Once you have set up these new Group Policies, you might want to apply them everywhere immediately by forcing a Group Policy refresh on all the Windows client machines within the Organizational Unit. To learn how you can do that, take a look at our How to force a Remote Group Policy Refresh with GPUpdate post, which explains how to perform that task selectively or globally using either CMD, PowerShell or the Group Policy Management Console (GPMC).
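After the refresh, it is worth confirming on the machine itself which redirection features are actually blocked, since a GPO linked to the wrong OU or a replication delay leaves the feature allowed without any error. The script below is an added example (not code from the original post) to run locally on a session host or client: it forces a computer-policy refresh, reads the effective policy values from the registry, and reports each feature that is still allowed. The registry key and value names are the real ones used by the policy; the function name is my own.

```powershell
# Added example, not part of the original post. Run in an elevated session on the
# machine being checked.
$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Checks = [ordered]@{
    fDisableClip = 'Clipboard redirection'
    fDisableCdm  = 'Drive redirection'
    fDisableCcm  = 'COM port redirection'
    fDisableLPT  = 'LPT port redirection'
}

function Get-RdpRedirectionState {
    # Returns one object per feature with the effective policy value.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Checks.Keys) {
        $value = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Feature  = $Checks[$name]
            Value    = $value
            # $null means the policy is "Not Configured", so the feature remains allowed.
            Blocked  = ($value -eq 1)
        }
    }
}

# Pull the latest computer policy before reading the result.
gpupdate /target:computer /force | Out-Null

$state = Get-RdpRedirectionState
$state | Format-Table Computer, Feature, Value, Blocked -AutoSize

# Anything not blocked is a gap to investigate (GPO not linked, wrong OU, replication lag).
$state | Where-Object { -not $_.Blocked } | ForEach-Object {
    Write-Warning ("{0}: {1} is still allowed" -f $_.Computer, $_.Feature)
}
```

On a domain-joined machine, `gpresult /r /scope:computer` additionally shows which GPO the values came from, which is the quickest way to tell a missing link apart from a policy that simply has not replicated yet.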

Conclusions

That’s it, at least for now: I hope that this post will help those System Administrators that are looking for a way to prevent their users from using RDP connections to copy, download and/or print company-owned documents from their local device.

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 he has also been a lead designer of apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.
