Terminal Server GPO Security Policies

| Policy | Secure Setting | Explanation |
|---|---|---|
| Terminal Services (Computer Configuration\Administrative Tools\Windows Components\Terminal Services) |
| Restrict Terminal Services users to a single remote session | Enabled | Prevents users from establishing multiple remote sessions. New sessions will close old sessions. |
| Deny log off of an administrator logged in to the console session | Enabled | Prevents a remote administrator from logging off an administrator already connected to the console |
| Allow users to connect remotely using Terminal Services | N/A | When disabled, prevents new users from being able to connect to the Terminal Server |
| Do not allow local administrators to customize permissions | Enabled | Local security descriptors are set to Read Only. They can't be changed by using TSCC. |
| Sets rules for remote control of Terminal Services user sessions | Disabled | Prevents specified users from remotely interacting with other users' Terminal Server sessions. (Note that even if it's disabled, it can be configured locally by using TSCC.) |
| |
| Client/Server Data Redirection (Computer Configuration\Administrative Tools\Windows Components\Terminal Services\Client/Server data redirection) |
| Do not allow clipboard redirection | Enabled | Prevents users from copying data from the Terminal Server computer to their local computer |
| Do not allow smart card device redirection | Enabled | (see above) |
| Do not allow COM port redirection | Enabled | (see above) |
| Do not allow client printer redirection | Enabled | (see above) |
| Do not allow LPT port redirection | Enabled | (see above) |
| Do not allow drive redirection | Enabled | (see above) |
| Do not set default client printer to be default printer in a session | Enabled | (see above) |
| |
| Encryption and Security (Computer Configuration\Administrative Tools\Windows Components\Terminal Services\Encryption and Security) |
| Always prompt client for password upon connection | Enabled | Requires a password to log on, even if the remote client specifies to automatically use credentials |
| Set client connection encryption level | FIPS/High | High security encrypts data to and from the Terminal Server system, using 128-bit encryption. FIPS is a new government standard that provides even higher encryption security but requires FIPS-compliant software. |
| |
| Sessions (Computer Configuration\Administrative Tools\Windows Components\Terminal Services\Sessions) |
| Set time limit for disconnected sessions | Set Time | Automatically deletes a session after the set time |
| Sets a time limit for active Terminal Services sessions | Set Time | Automatically disconnects a session after the set time |
| Sets a time limit for active but idle Terminal Services sessions | Set Time | Automatically disconnects a session after the set time |
| Allow reconnection from original client only | Enabled | Ensures that repeat connections to a session are from the same client computer |
| Terminate session when time limits are reached | Enabled | Terminates a user's session instead of disconnecting it |
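
To confirm that the GPO actually took effect on a given Terminal Server, the effective policy values can be read back from the registry and compared with the table. The PowerShell audit below is an added example, not part of the original table; the registry key and value names do not appear on the page and are assumed to be the entries these policies write, and only the rows listed in the script are checked.

```powershell
# Added example: compare effective Terminal Services policy values with the table.
# Assumption: these are the registry value names the policies write under $key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$isOne  = { param($v) $v -eq 1 }   # flag policies: 1 = policy Enabled
$isSet  = { param($v) $v -gt 0 }   # time limits in milliseconds; 0 = never
$isHigh = { param($v) $v -ge 3 }   # encryption level: 3 = High, 4 = FIPS

$checks = @(
    @{ Policy = 'Restrict users to a single remote session'; Name = 'fSingleSessionPerUser'; Test = $isOne;  Want = '1' }
    @{ Policy = 'Do not allow clipboard redirection';        Name = 'fDisableClip';          Test = $isOne;  Want = '1' }
    @{ Policy = 'Do not allow COM port redirection';         Name = 'fDisableCcm';           Test = $isOne;  Want = '1' }
    @{ Policy = 'Do not allow client printer redirection';   Name = 'fDisableCpm';           Test = $isOne;  Want = '1' }
    @{ Policy = 'Do not allow LPT port redirection';         Name = 'fDisableLPT';           Test = $isOne;  Want = '1' }
    @{ Policy = 'Do not allow drive redirection';            Name = 'fDisableCdm';           Test = $isOne;  Want = '1' }
    @{ Policy = 'Always prompt client for password';         Name = 'fPromptForPassword';    Test = $isOne;  Want = '1' }
    @{ Policy = 'Set client connection encryption level';    Name = 'MinEncryptionLevel';    Test = $isHigh; Want = '>= 3' }
    @{ Policy = 'Time limit for disconnected sessions';      Name = 'MaxDisconnectionTime';  Test = $isSet;  Want = '> 0' }
    @{ Policy = 'Time limit for active sessions';            Name = 'MaxConnectionTime';     Test = $isSet;  Want = '> 0' }
    @{ Policy = 'Time limit for active but idle sessions';   Name = 'MaxIdleTime';           Test = $isSet;  Want = '> 0' }
    @{ Policy = 'Terminate session when limits are reached'; Name = 'fResetBroken';          Test = $isOne;  Want = '1' }
)

# A missing key means none of these policies is configured on this machine.
$values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

$report = foreach ($c in $checks) {
    $actual = $null
    if ($values -and $values.PSObject.Properties[$c.Name]) {
        $actual = $values.($c.Name)
    }
    if ($null -eq $actual) {
        $status = 'NOT CONFIGURED'   # no policy value: the local TSCC setting applies
    } elseif (& $c.Test $actual) {
        $status = 'OK'
    } else {
        $status = 'WEAK'
    }
    [pscustomobject]@{
        Status = $status; Policy = $c.Policy; Value = $c.Name
        Actual = $actual; Expected = $c.Want
    }
}

$report | Format-Table Status, Policy, Value, Actual, Expected -AutoSize
```

Rows reported as NOT CONFIGURED are as important as WEAK ones: with no policy value present, the setting falls back to whatever was configured locally on the server.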