Parallels Remote Application Server (RAS) is RDP with a human face, but some of its features must be configured on the Windows Server side (or in the virtual machines that you use). Below are the recommendations of Matthew Korovin from the Parallels technical support team on Windows Server settings when using RAS.
Below are group policies that can make your Parallels RAS (or just a terminal server) more convenient and secure. For more targeted use of the following configurations, we recommend creating a separate Parallels RAS user group and applying the group policies to it.

Part one. "Prohibition"
Hiding Explorer elements (drives, the "Start" button, etc.)
By default, when connected to a terminal server or virtual machine, a user added to the "Remote Desktop Users" group sees a fully functional desktop.
Local drives will be visible to him and often accessible. Agree, this is a decent security hole if a user, even with limited rights, can access local disks and files on a remote server.
Even if you set up correct access control and thereby protect yourself, the timid user will still confuse the terminal server's disks with his own local disks and call tech support in horror. The best solution is to hide the terminal server's local disks from the user's inquiring gaze.
Group Policy Location:
User Configuration \ Policies \ Administrative Templates \ Windows Components \ Windows Explorer
Change the value of the following options:
• Hide these specified drives in My Computer - removes the specified drives from the Computer menu and all related menus, but this does not prevent access to the drives. If the user types the absolute path of the drive, it will open.
• Prevent access to drives from My Computer - blocks access to the specified drives. When this option is enabled, access to the drives is restricted, but they are still displayed in Explorer.
What else can be hidden from the user using this group policy:
• Remove Run menu from Start Menu - when enabled, removes the "Run" command from the Start menu
• Remove Search button from Windows Explorer - everything is simple here: search in Explorer becomes unavailable
• Disable Windows Explorer's default context menu - makes it impossible for the user to call up the menu by right-clicking (you can buy old single-button Mac mice and save on a button)
After writing this part, a legislator's passion for prohibition woke up in me. Against this background, it is worth telling you how you can forbid the user everything.
And so it went:
We prohibit the use of the command line (even if the user manages to open CMD, he will just have to admire a black window with an access denied notification)
Group Policy Location:
User Configuration → Policies → Administrative Templates → System → Prevent access to the command prompt
Change the value to Enabled.
The "Disable the command prompt script processing also?" sub-option additionally prevents the user from running scripts.
There is one caveat: if you have logon scripts configured, they will not be executed when you enable this sub-option.
We remove the shut down / restart / sleep buttons (it would be a shame if a remote user accidentally shut down the terminal server)
Group Policy Location:
User Configuration → Policies → Administrative Templates → Start Menu and Taskbar → Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands
When this option is enabled, the user can only lock the session or log out.
Forbid autostart of Server Manager at login
Group Policy Location:
Computer Configuration → Policies → Administrative Templates → System → Server Manager → Do not display Server Manager automatically at logon
Change the value to Enabled.
Forbidding the launch of PowerShell
Group Policy Location:
User Configuration → Policies → Administrative Templates → System → Don't run specified Windows applications
Enable this policy and add the following applications to its list: powershell.exe and powershell_ise.exe. This policy can prevent the launch of any installed (or not yet installed) application.
Hide Control Panel items
Group Policy Location:
User Configuration → Administrative Templates → Control Panel → Show only specified Control Panel items
When this policy is enabled, all Control Panel items are hidden from the user. If any items should remain available, add them to the exceptions.
We prohibit the launch of the registry editor
Group Policy Location:
User Configuration → Policies → Administrative Templates → System → Prevent access to registry editing tools
Change the value to Enabled.
Ban all
The logical conclusion of this part of the article is a story about how to forbid users everything. There is an opinion that the user should connect to a remote desktop, look at it and, having been convinced of the triumph of technical progress, disconnect.
To achieve this goal, we need to create a group policy that adds additional keys to the Windows registry:
Group Policy Location:
User Configuration \ Preferences \ Windows Settings \ Registry
Right-click on Registry, then New, then Registry Item. Add a new REG_DWORD parameter RestrictRun with a value of 1 to the registry key
HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \
Now the user is not allowed to run any applications other than system ones. How to prevent him from using CMD and PowerShell is described above.
If you still decide (solely out of the goodness of your heart) to allow users to launch some applications, they will need to be added to the "allow list" by creating string values under the key
HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ RestrictRun
using the sequence number of the permitted program as the name (numbering, strangely enough, starts at 1) and the name of the permitted program as the value.
Example:
HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer \ RestrictRun
String Name "1" = "notepad.exe"
String Name "2" = "calc.exe"
With this configuration, the user can only run Notepad and Calculator.
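The same RestrictRun allow-list applied with PowerShell instead of the Group Policy Preferences editor, as an added example that is not part of the original article or of Parallels RAS. It assumes the key names shown above and that it runs in the session of the user being restricted (the function and parameter names are my own).

```powershell
# Added example: build the RestrictRun allow-list described above.
# RestrictRun is enforced by Explorer for programs it launches; treat it as a
# usability control and pair it with AppLocker/WDAC when you need real enforcement.
function Set-RestrictRunAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$AllowedExe,
        [string]$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $listKey = Join-Path $PolicyKey 'RestrictRun'
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Enable RestrictRun allow-list')) {
        New-Item -Path $listKey -Force | Out-Null
        # RestrictRun = 1 tells Explorer to consult the RestrictRun subkey
        Set-ItemProperty -Path $PolicyKey -Name RestrictRun -Type DWord -Value 1
        # Drop stale numbered entries so the list always renumbers cleanly from 1
        Get-Item $listKey | Select-Object -ExpandProperty Property |
            Where-Object { $_ -match '^\d+$' } |
            ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_ }
        # Entries are named "1", "2", ... (numbering starts at 1); the value is the exe name
        $i = 1
        foreach ($exe in $AllowedExe) {
            Set-ItemProperty -Path $listKey -Name ([string]$i) -Type String -Value $exe
            $i++
        }
    }
}

# Read the list back in numeric order, to verify what the policy will allow
function Get-RestrictRunAllowList {
    param([string]$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    $listKey = Join-Path $PolicyKey 'RestrictRun'
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item $listKey
    $item.Property | Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { $item.GetValue($_) }
}

# Same configuration as the article's example: only Notepad and Calculator
Set-RestrictRunAllowList -AllowedExe 'notepad.exe', 'calc.exe'
Get-RestrictRunAllowList
```

Add -WhatIf to the Set call to see the registry changes without applying them.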
At this point I want to finish the "Prohibition" part. Of course, one could mention a few more "don'ts", but all of that is configured through the Parallels Client and the built-in policies of Parallels RAS.

Part two. “Time and Other Romance”
Setting time limits for remote sessions
It happens that a user leaves an application running in the background and may not even use it. For ordinary applications this is harmless, but a published application or desktop running in the background consumes a license, and licenses, however crazy it sounds for Russia, cost money.
To address this issue, smart people at Microsoft came up with various terminal session states and time limits for them.
The terminal session states are:
Active - the session is active and something is happening in it. The user moves the mouse, presses buttons and imitates vigorous activity
Idle - there is a connection, the session is running, the application is running, but the user shows no activity
Disconnected - the user pressed the cross and disconnected. Explaining to the end user what kind of animal a logoff is and what it eats is useless.
It is most advisable to set time limits for idle and disconnected sessions.
Nothing happens in them, yet licenses are consumed.
We can achieve this again using group policies.
Group Policy Location:
User Configuration → Policies → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits
There are several options in this branch. Let's go through them all:
Set time limit for active Remote Desktop Services sessions - maximum duration of active sessions.
Set time limit for active but idle Remote Desktop Services sessions - maximum duration of idle sessions.
Set time limit for disconnected sessions - maximum duration of disconnected sessions.
End session when time limits are reached - if this policy is set to Enabled, then upon reaching the time limit the session is ended (logged off), not merely disconnected.
Setting time limits is an important step in optimizing server operation and software costs.
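To see which sessions the limits above would catch before (or after) the policy is deployed, here is an added example that is not part of the original article: it parses the output of the built-in quser command and reports active-but-idle and disconnected sessions that exceed the chosen thresholds. The sample output, thresholds and function names are constructed for the example.

```powershell
# Added example: flag RDS sessions past the idle / disconnected limits.
function ConvertTo-IdleMinutes {
    param([string]$Idle)
    # quser prints idle time as "none", ".", "m", "h:mm" or "d+h:mm"
    if ($Idle -in 'none', '.', '') { return 0 }
    if ($Idle -match '^(?:(?<d>\d+)\+)?(?:(?<h>\d+):)?(?<m>\d+)$') {
        return [int]$Matches['d'] * 1440 + [int]$Matches['h'] * 60 + [int]$Matches['m']
    }
    throw "Unrecognised idle time '$Idle'"
}

function Get-StaleRdsSessions {
    param(
        [Parameter(Mandatory)][string]$QuserText,
        [int]$IdleLimitMinutes = 60,        # "active but idle" limit
        [int]$DisconnectLimitMinutes = 30   # "disconnected" limit
    )
    # Columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME. The session
    # name is blank for disconnected sessions and ">" marks the current session.
    $pattern = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in ($QuserText -split "`r?`n")) {
        if ($line -notmatch $pattern) { continue }   # header and blank lines do not match
        $m = $Matches
        $idle = ConvertTo-IdleMinutes $m['idle']
        $reason = if ($m['state'] -eq 'Disc' -and $idle -ge $DisconnectLimitMinutes) { 'disconnected past limit' }
                  elseif ($m['state'] -eq 'Active' -and $idle -ge $IdleLimitMinutes) { 'idle past limit' }
        if ($reason) {
            [pscustomobject]@{
                User = $m['user']; Id = [int]$m['id']; State = $m['state']
                IdleMinutes = $idle; Reason = $reason
            }
        }
    }
}

# Constructed sample output; on a real host use: $sample = quser 2>&1 | Out-String
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#3           2  Active       none  1/15/2024 9:00 AM
 jdoe                  rdp-tcp#5           3  Active       1:32  1/15/2024 9:05 AM
 asmith                                    4  Disc      2+03:15  1/14/2024 8:00 AM
 bjones                                    5  Disc           12  1/15/2024 8:40 AM
'@
# Reports jdoe (92 min idle) and asmith (disconnected for over two days); bjones stays under 30 min
Get-StaleRdsSessions -QuserText $sample | Format-Table
```

Until the policy is in force, a session the function returns can be ended by an administrator with logoff <Id>.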
Setting login hours for users, or say no to overtime
Each of us has a working day, as well as morning, evening and night. But British (or Maltese) scientists recently found out that from work, it turns out, you can get sick or even die. Work is a very strong and dangerous drug, so in ardent care for our favorite users we must limit the hours during which they can log in to the server. Otherwise they will also decide to work from home, on holidays and on weekends. And it is not group policies that will help us here: the logon hours are set in the user properties. Somewhere far back at the beginning of this article, I mentioned that it is better to perform all manipulations with a specially created group of Parallels RAS users, so, using this group as an example, we will discuss how to set up working hours.
Go to the lower left corner of the screen, press the Start button and type
dsa.msc
to open your favorite snap-in, Active Directory Users and Computers.
Find the Parallels RAS user group you created, right-click on it and go to Properties. On the Account tab there is an option Logon Hours in which you need to select the allowed and prohibited hours for the group.
The result of this section:
1. You are great
2. Users' lives saved from overtime

Part three. "Interactive"
When using published resources, it is often necessary not only to forbid everything on the server, but also to redirect local resources into a remote session. There are no difficulties with printers, scanners, disks, sound and COM ports: Parallels RAS redirects them perfectly without additional Windows settings. Redirecting USB devices and webcams, however, is not so simple.
To redirect this kind of equipment, the stars must align in the correct order not only on the server but also on the client machine:
On the user's computer, change the following group policy:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Connection Client → RemoteFX USB Device Redirection
Set it to Enabled.
Now in the properties of the Parallels Client (Connection Properties → Local Resources) you can choose which of the connected USB devices should be redirected to the server.
Note: a USB device can be used either in a published application or on the local computer, but not in both at the same time.
On the server side, you need to install the drivers and all the software required for the USB device to operate. Unfortunately, humanity has not yet invented a universal driver for everything.
This concludes my overview of the Windows settings that matter for the operation of Parallels RAS.
P.S. I have not written such long texts for a long time, hence huge thanks to everyone who made it through this article.