by lunarg on July 2nd 2012, at 17:19

This article collects a number of articles and links with information on how to successfully lock down your Remote Desktop Server (2008R2) or Terminal Server (2003 / 2008). It is not a definitive guide to performing a lockdown, but it provides certain pointers and highlights certain pitfalls. It is a work in progress, and several additions will be made as the guide progresses.


You obviously need a Windows domain running AD for lockdown to work properly. A standalone server running a local group policy can't be locked down enough to be useful. A domain is highly recommended.

Your DC or a member server (can be the RDS / TS as well) should have the Group Policy Management tools installed. This is required to create GPOs and have them applied.

If one or more of your TS servers are running 2003, or 2008 without service packs, you may have to install the Group Policy Preference Client Side Extensions for your GPOs to apply properly. This update is required if you want the GPP part of a GPO to be applied.

Basic lockdown through GPO

Further lockdown of your server