PSS ID Number: Q278295
Article last modified on 03-14-2001
:2000
======================================================================
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
-------------------------------------------------------------------------------
SUMMARY
=======
You can use Group Policies to lock down a Terminal Server session on a Windows
2000-based computer. With the following settings, even the administrator account
will have restricted access. It is highly recommended that you create a new
Organizational Unit instead of modifying the policies on an existing one.
Note: The use of these policies does not guarantee a secure computer, and you
should use them only as a guideline.
MORE INFORMATION
================
Use Active Directory Users and Computers to create a new Organizational Unit
(OU). Right-click the OU, click Properties, and then on the Group Policy tab,
click New Policy. Edit this policy with the following settings:
- [Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]
   Enable the following settings:
   "Do not display last user name in logon screen"
   "Restrict CD-ROM access to locally logged-on user only"
   "Restrict floppy access to locally logged-on user only"
- [Computer Configuration\Administrative Templates\Windows Components\Windows Installer]
   Enable the following setting, and set it to Always:
   "Disable Windows Installer"
- [User Configuration\Windows Settings\Folder Redirection]
   Enable the following settings:
   Application Data
   Desktop
   My Documents
   Start Menu
- [User Configuration\Administrative Templates\Windows Components\Windows Explorer]
   Enable the following settings:
   "Remove Map Network Drive and Disconnect Network Drive"
   "Remove Search button from Windows Explorer"
   "Disable Windows Explorer's default context menu"
   "Hides the Manage item on the Windows Explorer context menu"
   "Hide these specified drives in My Computer" (Enable this setting for A through D.)
   "Prevent access to drives from My Computer" (Enable this setting for A through D.)
   "Hide Hardware Tab"
- [User Configuration\Administrative Templates\Windows Components\Task Scheduler]
   Enable the following settings:
   "Prevent Task Run or End"
   "Disable New Task Creation"
- [User Configuration\Administrative Templates\Start Menu & Taskbar]
   Enable the following settings:
   "Disable and remove links to Windows Update"
   "Remove common program groups from Start Menu"
   "Disable programs on Settings Menu"
   "Remove Network & Dial-up Connections from Start Menu"
   "Remove Search menu from Start Menu"
   "Remove Help menu from Start Menu"
   "Remove Run menu from Start Menu"
   "Add Logoff to Start Menu"
   "Disable and remove the Shut Down command"
   "Disable changes to Taskbar and Start Menu Settings"
- [User Configuration\Administrative Templates\Desktop]
   Enable the following settings:
   "Hide My Network Places icon on desktop"
   "Prohibit user from changing My Documents path"
- [User Configuration\Administrative Templates\Control Panel]
   Enable the following setting:
   "Disable Control Panel"
- [User Configuration\Administrative Templates\System]
   Enable the following settings:
   "Disable the command prompt" (Set Disable scripts to No)
   "Disable registry editing tools"
- [User Configuration\Administrative Templates\System\Logon/Logoff]
   Enable the following settings:
   "Disable Task Manager"
   "Disable Lock Computer"
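Added example (not part of the original article and not Microsoft code): one way to check that some of the settings above took effect, by comparing a registry export against the values those policies are known to write. The registry key and value names, the SAMPLE export and the function names are assumptions of this example; none of them appear in the article.

```python
import re
# Assumption (not on the page): the registry values these policies are known to write.
EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CMD = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
MSI = r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer"

def drive_mask(letters):
    """NoDrives/NoViewOnDrive bitmask: bit 0 is A, bit 1 is B, ... bit 25 is Z."""
    return sum(1 << (ord(c) - ord("A")) for c in set(letters.upper()))

EXPECTED = {
    (EXPLORER, "NoRun"): 1, (EXPLORER, "NoControlPanel"): 1,
    (EXPLORER, "NoDrives"): drive_mask("ABCD"), (EXPLORER, "NoViewOnDrive"): drive_mask("ABCD"),
    (SYSTEM, "DisableTaskMgr"): 1, (SYSTEM, "DisableRegistryTools"): 1,
    (CMD, "DisableCMD"): 2,  # 2 = prompt disabled, scripts still run ("Disable scripts" = No)
    (MSI, "DisableMSI"): 2,  # 2 = Always
}

def parse_reg(text):
    """Parse the DWORD values of a .reg export into {(key, name): int}, lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return {value name: (expected, found)} for settings that are absent or differ."""
    found = parse_reg(text)
    return {name: (want, found.get((key.lower(), name.lower())))
            for (key, name), want in EXPECTED.items()
            if found.get((key.lower(), name.lower())) != want}

# Constructed sample export: only A and B hidden, scripts blocked, Task Manager unset.
SAMPLE = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoControlPanel"=dword:00000001
"NoDrives"=dword:00000003
"NoViewOnDrive"=dword:0000000f
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"DisableMSI"=dword:00000002'''
print(audit(SAMPLE))
```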
Additional query words: desktop
======================================================================
Keywords   : kbnetwork kbtool
Technology : kbwin2000AdvServSearch kbwin2000Ssearch kbWinAdvServSearch
Version    : :2000
Issue type : kbhowto
=============================================================================
Copyright Microsoft Corporation 2001.