Isolate RDP Sessions

Question

Hi all,

I'm trying to isolate remote app sessions of users from each other and from the system on Windows Server 2019.

So no viewing of system disk, control panel or any other backdoors.

People are very inventive in that matter...

e.g.: From the context menu of Chrome you can get to the print dialog and then find your way to the control panel.

I played around with Group policies preventing nearly everything the user is able to do, except the published apps (Chrome, Office and a customer app)

Is there any further dokumentation how to refine this.

Answer 1

Hello

Thank you for your question and reaching out. I can understand you are having query\issues related to GPO settings in RDS or RDP.

If you set GPO for User level then it should be also applied to Published apps as Users will first login to RDS then Published app will be open , Hence GPO settings should be applied during that process.

For Printers Add a security group 'Deny Printing' to all printers with the setting Print -> Select Deny. Use GPO to 'Disable the addition of printers' for this group.

--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

Thanks for your answer.

Unfortunately users need to be able to print, so I have to disable settings at more specified point.

And that was only an example of how users might end up seeing and changing parameters in the system they are not supposed to. There might be other ways that I dnon't know about.

Is there any defined use case like mine with some documentation?