How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs

How to restrict users from accessing local drives of an RD Session Host server while using RemoteApp programs

Rate This
  • Comments 29

Hello, my name is Pankaj Pande and I would like to discuss a method that an administrator can use to keep users from storing files in public folders and scattering files randomly throughout a virtual machine pool or Remote Desktop Session Host (RD Session Host) server farm, while using Remote Desktop Services and RemoteApp programs. (Note: an “RD Session Host server” was formerly called a “terminal server” in Windows Server 2008.)

Currently, when a user creates an RDP session or a RemoteApp program, they can see, and in some cases transverse, drives C and D of the RD Session Host server. They can also save anything on the desktop, which might look like their personal desktop, but it's actually the desktop of the RD Session Host server.

Restrictions will disable Libraries and Favorites and will hide or restrict users or a group of users from accessing and viewing any drives on the RD Session Host server. Users will be provided with an error message even if they use the UNC path to access the drives.

The primary reason to remove Favorites and Libraries and access to drives is because they contain mostly accessed locations on a system, so in the case of the RD Session Host server, this includes the desktop, downloads, recent places, etc. It is recommended that a user not save any documents to these locations.

Removing Favorites and Libraries

You must perform these modifications on the RD Session Host server. You can use the Registry to make these changes.

Using the Registry (applies to all users including the administrators)

Note: Back up the key first and take ownership of the ShellFolder before changing the value of Attributes.

1. For Favorites, the key is:

[HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]
"Attributes"=dword:a0900100
Changing a0900100 to a9400100 will hide Favorites from the navigation pane.

2. For Libraries, the key is:

[HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]
"Attributes"=dword:b080010d
Changing b080010d to b090010d will hide Libraries from the navigation pane.

Hiding/Preventing Access to Drives

You can use Group Policy settings to hide and restrict access to drives on the RD Session Host server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage programs or other critical system files on drive C.

The following settings are located in the Group Policy Management Console under User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer:

  • Hide these specified drives in My Computer. You can remove the icons for specified drives from a user’s My Computer folder by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this setting does not restrict access to these drives.
  • Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination of drives. Use this setting to lock down the RD Session Host server for users accessing it for their primary desktop.

Applies to:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Other Group Policy Settings for Additional Security

You can also enable the following Group Policy settings at User Configuration\Administrative Templates\Windows Components\Windows Explorer:

  • Hides the Manage item on the Windows Explorer context menu — Enabled
  • Remove Hardware tab — Enabled
  • Remove “Map Network Drive” and “Disconnect Network Drive” — Enabled
  • Remove Search button from Windows Explorer — Enabled
  • Disable Windows Explorer's default context menu — Enabled
  • Remove Run menu from Start Menu — Enabled

Applies to:

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows 7
  • Windows Vista
  • Windows XP
Leave a Comment
  • Please add 6 and 4 and type the answer here:
  • Post
  • @M.Walsh

    You enable Loopback processing.

  • Wauw.. awesome.

    Made an RemoteApp for IE and with de reg hack the Libraries and Favorites disappeared. So when a user want to download a file, the only location is his personal network drive and Network.

    So is it possible to hide "Network" also?

  • To get rid of the Network icon from Windows Explorer edit this in the server’s registry:

    Path: HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder

    Key: Attributes

    Change this hex value: “b0040064” (without quotes!)

    To this value: “b0940064” (also with quotes)

    *source: www.damnthoseproblems.com

  • Hello Pankaj Pande,,, how can i edit and make drives on my computer into private? And Is it possible to hide Networks? By the way thanks for such infos.

  • Great this is exactly what I needed. Is there a setting for user profile redirection?

  • How do you prevent applications published in remoteapp programs from seeing the local drives? I have applied GPO and this works for desktop or explorer, but in word for example, when they goto file open they see local drives again??? is there a way around this or am I doing something wrong?

    Thanks

    Mo.

  • I realize this is an old thread, but a prevalent one.  I have the GPO settings made and the policy is enforced on the container where the Remote Desktop Hosts exist.  However, I can still see the A:, C: and D: drives in My Computer.

  • The GPO method outlined above to remove access to the RD Servers local drives when using RemoteApps does not work. It will work for a remote desktop session, but not for RemoteApp sessions.

  • Im have applied to reg hacks to remove Favorites and Libnraries and this works when logging into Remote Desktop. However if I use Word as a remote App I still see libraries and favorites. Any ideas how to get rid of these in remote apps?

  • This worked for me ...

    ; *******************************for 32 bit apps*******************************

    ; This will hide Favorites from the explorer windows for 32bit applications that are running a 64 bit machine

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]

    "Attributes"=dword:a9400100

    "PinToNameSpaceTree"=""

    ; This will hide Libraries from the explorer windows for 32bit applications that are running a 64 bit machine

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]

    "QueryForOverlay"=""

    "HideOnDesktopPerUser"=""

    "PinToNameSpaceTree"=""

    "Attributes"=dword:b090010d

    ; This will hide Network from the explorer windows for 32bit applications that are running a 64 bit machine

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder]

    "Attributes"=dword:b0940064

    "MapNetDriveVerbs"=""

    "HideOnDesktopPerUser"=""

    "PinToNameSpaceTree"=""

    ; *******************************for 64 bit apps*******************************

    ; This will hide Favorites from the explorer windows for 64bit applications that are running a 64 bit machine

    [HKEY_CLASSES_ROOT\CLSID\{323CA680-C24D-4099-B94D-446DD2D7249E}\ShellFolder]

    "Attributes"=dword:a9400100

    "PinToNameSpaceTree"=""

    ; This will hide Libraries from the explorer windows for 64bit applications that are running a 64 bit machine

    [HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder]

    "QueryForOverlay"=""

    "HideOnDesktopPerUser"=""

    "PinToNameSpaceTree"=""

    "Attributes"=dword:b090010d

    ; This will hide Network from the explorer windows for 64bit applications that are running a 64 bit machine

    [HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder]

    "Attributes"=dword:b0940064

    "MapNetDriveVerbs"=""

    "HideOnDesktopPerUser"=""

    "PinToNameSpaceTree"=""

  • I am looking suggestions for block some blog site in my computers . How can i block these site from my server ??

    Binaya

  • Hack register not work for me, only work for Logon on Server but not on Apps. My solution -> Folder Redirection on My Documents

  • What can be done for windows server 2003, please

  • robert lotter what's your problem, for Windows Server 2003 apply Folder Redirection:

    technet.microsoft.com/.../cc782799%28v=ws.10%29.aspx

Page 2 of 2 (29 items) 12