
How to configure RDP settings via GPO

TruGrid SecureRDP has a ZERO TRUST feature that is enabled by default for every domain. With this feature enabled, all RDP redirections (printers, drives, etc.) between end users and remote desktops are blocked. While TruGrid Admins can enable device redirections for their own accounts, doing so for other users via the ZERO TRUST feature may not be granular enough. In other words, once ZERO TRUST is disabled for a domain, users can redirect resources via TruGrid SETTINGS.

Nonetheless, for customers using TruGrid SecureRDP in a Windows Active Directory environment, GPO (Group Policy Objects) can be used to provide granular RDP redirection and restrictions. There are multiple ways to achieve this via GPO:

1. One method is to put end users into different Organizational Units (OUs) and apply the desired RDP restrictions to each OU. Policies enforced this way apply to those users regardless of which computers they access.
2. Another method is to create a GPO, restrict it to a security group of computers, and then enforce the RDP settings and restrictions in that GPO. Policies applied this way affect all users accessing the computers in the security group.

The steps below apply to both of the above methods, except where noted. The settings shown below focus on redirections for PRINTERS, DEVICE & RESOURCES, SESSION TIME OUT, and how to handle multiple connections to RDS Servers (very useful for RemoteApp).

Here are the implementation steps:
Create and link a new GPO:
a. If configuring for #1 method above, apply the GPO to a USER OU
b. If configuring for #2 method above, apply the GPO at the domain level but restrict it to TG-COMPUTERS.
Add GPO Policy

This step is only for #2 method. Edit the new GPO and navigate to "COMPUTER CONFIGURATION\POLICIES\ADMINISTRATIVE TEMPLATES\SYSTEM\GROUP POLICY" to adjust the below settings.
Configure Group Policy Loopback Processing

The next steps apply to both #1 and #2 methods. Navigate to "COMPUTER CONFIGURATION\POLICIES\ADMINISTRATIVE TEMPLATES\WINDOWS COMPONENTS\REMOTE DESKTOP SERVICES" to adjust various RDP settings.

Device & Resource Redirection

Printer Redirection

Session Time Limits

Restrict to Single User Session on Server

High-Security Environment Suggested Settings
In high-security environments, and where Data Loss Prevention is a priority, just enable the TruGrid ZERO TRUST setting, or enable the following restrictions via GPO:
Do not allow Clipboard redirection
Do not allow drive redirection
Do not allow LPT port redirection
Do not allow client printer redirection
Set time limit for active but idle Remote Desktop Services sessions
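
To confirm that the restrictions listed above have actually reached a remote desktop host, the following PowerShell check reads the computer-side policy registry key that these Remote Desktop Services settings write to. It is an added example, not part of the original article or TruGrid's tooling; the function name Test-RdpHardening and the 15-minute idle ceiling are assumptions.

```powershell
# Added example: audit the effective RDS redirection policy on a session host.
# Reads the machine policy key only; the idle ceiling is an assumed threshold.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$MaxIdleMs = 15 * 60 * 1000   # assumption: adjust to your own policy

# GPO setting name -> registry value that equals 1 when the setting is enabled
$Required = [ordered]@{
    'Do not allow Clipboard redirection'      = 'fDisableClip'
    'Do not allow drive redirection'          = 'fDisableCdm'
    'Do not allow LPT port redirection'       = 'fDisableLPT'
    'Do not allow client printer redirection' = 'fDisableCpm'
}

function Test-RdpHardening {
    param([string]$Key = $PolicyKey)

    # A missing key means no RDS policy has been applied to this machine.
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    $results = foreach ($setting in $Required.Keys) {
        $name   = $Required[$setting]
        $actual = if ($values) { $values.$name } else { $null }
        [pscustomobject]@{
            Setting   = $setting
            Value     = $name
            Actual    = if ($null -eq $actual) { 'not configured' } else { $actual }
            Compliant = ($actual -eq 1)
        }
    }

    # MaxIdleTime is stored in milliseconds; absent or 0 means no idle limit.
    $idle = if ($values) { $values.MaxIdleTime } else { $null }
    $results += [pscustomobject]@{
        Setting   = 'Set time limit for active but idle Remote Desktop Services sessions'
        Value     = 'MaxIdleTime'
        Actual    = if ($null -eq $idle) { 'not configured' } else { "$idle ms" }
        Compliant = ($null -ne $idle -and $idle -gt 0 -and $idle -le $MaxIdleMs)
    }
    $results
}

$report = Test-RdpHardening
$report | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring agent flag policy drift.
if ($report.Compliant -contains $false) { exit 1 }
```

Run it on the remote desktop host after a gpupdate; a "not configured" row means the GPO is not linked, filtered out by the security group, or has not yet been applied to that machine.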

Updated on: 08/03/2023
