installing 2003 server system
2003 server system  Date: 2021-02-28
Locking Down Windows Server 2003 Terminal Server Sessions
Microsoft Corporation
Published: July, 2003

Abstract

This article demonstrates the ability of Active Directory to restrict Microsoft Windows Server 2003 Terminal Server sessions to the functionality allowed by an administrator. Highlighting important group policies, considerations are outlined for configuring user interactions with the operating system for a wide variety of deployments.

Microsoft Windows Server 2003 White Paper

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, Windows, the Windows logo, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction
How can this be implemented
Planning
Installing Terminal Server
Restrictive Computer Policies
Restrictive User Policies
Non-Policy Settings
Disable Internet Explorer Search Companion
Remove Printers and Faxes from New Start Menu
Disable the Full Path in Windows Explorer
Remove Internet Explorer and Windows Explorer from the Quick Launch Bar
Disable Help
Network Browsing by Using the Common Open/Save File Dialog Box
Additional Restrictions
Software Restriction Policies
Internet Explorer in Kiosk Mode
Summary
Related Links

Introduction

Using Terminal Server in Windows Server 2003, you can operate 32-bit applications, such as Microsoft Word and Microsoft Excel, anytime and anywhere. Terminal Server provides centralized application processing, management, and maintenance. With this flexibility, Terminal Server can be used in a wide variety of applications and environments. A terminal can reside in an office, kiosk, classroom, laboratory, on a factory floor, or across the Internet in another country while the server is in a secure server room. For example, Terminal Server can be used by Application Service Providers to provide access for multiple applications to customers over the Internet. In certain deployments, it might be necessary to restrict user activity to a predefined set of applications or Windows operating system functionality.

How can this be implemented

This white paper is intended for administrators who are already familiar with Terminal Server and the Active Directory. It explains how you can use the features of Active Directory to restrict user sessions on the Terminal Server to only the applications and desktop functionality that the administrator deems necessary. Certain group policies are highlighted here with brief explanations of their benefits. Not all of the settings are necessary because they can create a highly restricted user interface. Use this paper as a guide to configure Terminal Server for your environment. For a detailed explanation of each policy mentioned, see the Explain tab in the Group Policy Object Editor.

If Active Directory is not available, administrators can use NTFS permissions or the local policy editor to restrict application access. Although many policies can be applied without Active Directory by means of the local policy editor, that method is not recommended. Enabling these policies in the local policy editor restricts all accounts on the Terminal Server, including the administrator account. Using the local policy editor can also be cumbersome and is outside the scope of this paper. Using Active Directory to restrict functionality is the recommended means to restrict Terminal Server sessions in Windows Server 2003.

Note: This article does not address methods to secure the Terminal Server against malicious attacks. It does not provide a guarantee against hackers, creative users, applications, or drivers that circumvent the restrictions mentioned in this paper. For more information about securing Terminal Services in Microsoft Windows 2000, see Securing Windows 2000 Terminal Services at: http://go.microsoft.com/fwlink/LinkId=18404.

Planning

The policies highlighted in the article are basic restrictions for the user interface for the operating system. Not all of the policies are required, and some might not be appropriate in certain environments. Test your implementation before deployment.

In addition to determining which restrictions are suitable for your environment, decide how these policies will be implemented. The policies mentioned in this article can severely restrict functionality for even the administrator account. It is highly recommended that a new organizational unit (OU) and Group Policy object (GPO) be created.

If system-wide restrictions must be applied to the Terminal Server, place the Terminal Server computer object into the locked down OU. Doing so enforces computer-based restrictions on the Terminal Server. Administrators have the option to apply user-based restrictions to all users, including administrators who log on to the Terminal Server. These restrictions can be in addition to, or in place of, policies the user typically has when logging on to the domain. Refer to the computer loopback policy for additional information.

If per-user restrictions need to be applied, place the user account object into the locked down OU. Doing so, however, enforces user-based restrictions for that user account regardless of which computer the user uses to log on to the domain.

Here are two recommendations for implementation of group policies:

1. User accounts are placed into the locked down OU.

Create Terminal-Server-only user accounts and place them in the locked down OU. Allow user logons to the Terminal Server for only these users by using the Terminal Server Configuration MMC snap-in. Instruct the users to only use these accounts on the Terminal Server. If some computer restrictions are necessary, disable loopback processing and place the Terminal Server computer object into the OU. Aside from the restrictive computer policies, users can have different levels of restrictions on the same Terminal Server. This implementation allows Administrators to perform some operations on the Terminal Server while users are active.

2. Only the Terminal Server computer object is placed into the locked down OU.

After installing and configuring all applications on the Terminal Server, place the Terminal Server computer object into the locked down OU. Enable loopback processing. All users who log on to the Terminal Server are then restricted by user-based policies as defined by the locked down GPO, regardless of the OU the user is located in. This can prevent many local changes from being applied to the Terminal Server; however, the server can still be remotely maintained. If administrators need access to the Terminal Server, log off all users and temporarily restrict their logons to the Terminal Server. Move the Terminal Server computer object out of the locked down OU, then log on. Return the Terminal Server computer object to the locked down OU, and re-enable user logins after maintenance is complete. This implementation does not require users to have multiple user accounts. It can also prevent configuration changes to the Terminal Server while it is in production.

For more information on configuring security settings, see "To edit a security setting on a Group Policy object" at: http://go.microsoft.com/fwlink/linkid=18541.

Installing Terminal Server

When installing Terminal Server on a Windows Server 2003 computer, you are asked to select a permissions compatibility setting for either Full Security or Relaxed Security. This setting can be changed later by using the Terminal Server Configuration MMC snap-in. It is recommended that you select the Full Security option. Doing so restricts permissions for Terminal Server users to the Users group. The Full Security setting, however, might have compatibility issues with some legacy applications. If this is the case, select the Relaxed Security setting. The Relaxed Security setting provides Terminal Server users with nearly Power User level access to certain system folders and registry keys. If the Relaxed Security setting is selected, consider enabling policies to restrict access to registry editors and file browsers.

Restrictive Computer Policies

These policies are only applied to computer objects that are placed into the locked down OU. These settings are system wide, affecting all users.

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

Devices: Restrict CD-ROM access to locally logged-on user only
Recommended setting: Enabled
This policy allows only users who log on to the console of the Terminal Server access to the CD-ROM drive. It is recommended that you enable this policy to prevent users and administrators from remotely accessing programs or data on a CD-ROM.

Devices: Restrict floppy access to locally logged-on user only
Recommended setting: Enabled
This policy allows only users who log on to the console of the Terminal Server access to the floppy disk drive. It is recommended that you enable this policy to prevent users and administrators from remotely accessing programs or data on a floppy disk.

Interactive logon: Do not display last user name
This policy does not display the last logged on user account at the Windows logon prompt on the console of the Terminal Server. This policy does not affect Terminal Server clients that locally cache the logon user name.

[Computer Configuration\Windows Settings\Security Settings\System Services]

Help and Support
Recommended setting: Disabled
This policy disables the Help and Support Center service. It prevents users from starting the new Windows Help and Support Center application. This policy does not disable the old help files (such as the *.chm) or Help in other applications. Disabling this service might cause issues with other programs and services that depend on this service. It is recommended that you disable this service to prevent users from starting other applications or viewing system information about the Terminal Server.

[Computer Configuration\Administrative Templates\Windows Components\Terminal Services]

Restrict Terminal Services users to a single remote session
This policy can prevent a single user from creating multiple sessions on the Terminal Server using a single user account.

Remove Disconnect option from Shut Down dialog box
This policy removes the disconnect option from the Shut Down Windows dialog box. It does not prevent users from disconnecting a session to the Terminal Server. Use this policy if you do not want users to easily disconnect from their session and you have not removed the Shut Down Windows dialog box.

[Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection]

Do not allow drive redirection
Recommended setting: Enabled
By default, Terminal Server maps client drives automatically upon connection. It is recommended that you enable this policy to prevent users from having easy access to applications on their local computer.

[Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions]

Set time limit for disconnected sessions
By default, Terminal Server allows users to disconnect from a session and keep all of their applications active for an unlimited amount of time. This policy specifies a time limit for disconnected Terminal Server sessions to remain active. Use this policy if you do not want disconnected sessions to remain active for a long time on the Terminal Server.

[Computer Configuration\Administrative Templates\Windows Components\Windows Installer]

Disable Microsoft Windows Installer
Recommended setting: Enabled - Always
If this is set for non-managed applications only, the Windows Installer still functions for applications that are published or assigned by means of group policies. If this is set to Always, Windows Installer is completely disabled. This may be beneficial if some published or assigned applications are not wanted on Terminal Server. Disabling Windows Installer does not prevent installation of applications by means of other setup programs or methods. It is recommended that applications be installed and configured prior to enabling this policy. After the policy is enabled, administrators cannot install applications that use Windows Installer.

[Computer Configuration\Administrative Templates\System\Group Policy]

User Group Policy loopback processing mode
If the Terminal Server computer object is placed in the locked down OU, and the user account is not, loopback processing applies the restrictive user configuration policies to all users on the Terminal Server. If this policy is enabled, all users, including administrators, logging on to the Terminal Server are affected by the restrictive user configuration policies, regardless of where the user account is located. Two modes are available. Merge mode first applies the user's own GPO, then the locked down policy. The lockdown policy takes precedence over the user's GPO. Replace mode just uses the locked down policy and not the user's own GPO. This policy is intended for restrictions based on computers instead of the user account.

If this policy is disabled, and the Terminal Server computer object is placed in the locked down OU, only the computer configuration policies are applied to the Terminal Server. Each user account must be placed into the OU to have user configuration restrictions placed on that user.

Restrictive User Policies

These policies are applied to user accounts that are in the locked down OU. If loopback processing is used, all user accounts that log on to computers that are in the locked down OU also have these restrictions applied.

[User Configuration\Windows Settings\Folder Redirection]

Application Data
Recommended setting: Basic redirection and create a folder for each user under the root path.
On the Settings tab, enable grant the user exclusive rights. Enable move contents of folder to new location. Set the policy removal to redirect the folder back to the local user profile location when policy is removed.

Desktop
Recommended setting: Basic redirection and create a folder for each user under the root path.
On the Settings tab, enable grant the user exclusive rights. Enable move contents of folder to new location. Set the policy removal to redirect the folder back to the local user profile location when policy is removed.

My Documents
Recommended setting: Basic redirection and create a folder for each user under the root path.
On the Settings tab, enable grant the user exclusive rights. Enable move contents of folder to new location. Set the policy removal to redirect the folder back to the local user profile location when policy is removed.

Start Menu
Recommended setting: Basic redirection and redirect to the following location.
On the Settings tab, set the policy removal to redirect the folder back to the local user profile location when the policy is removed. Create a \Programs\Startup folder under this shared folder.

Enabling these policies can provide a central point for backing up user data. Additionally, if the policy to restrict access to local drives is enabled (below), the users need folder redirection if they do not want to see messages saying that they have restricted access.

If a roaming profile server is not available, local shares can be used. Create a master folder for all of the user data (such as C:\userdata). Create four subfolders, one for each folder type (such as AppData, Desktop, MyDocs, and Start). Share each of the subfolders and set the share permissions for the "everyone" group to "change". Set each path to its corresponding share.

The Start Menu can be configured differently. It can be shared across all users. Place links to applications in here. Change the share permissions for the "everyone" group to "read". You should manually create the "Programs\Startup" folder under the shared Startup folder (C:\userdata\Start\Programs\Startup).

[User Configuration\Administrative Templates\Windows Components\Internet Explorer]

Search: Disable Find Files via F3 within the browser
Recommended setting: Enabled
This policy disables the use of the F3 key to search in Microsoft Internet Explorer and Windows Explorer. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk (from Windows Explorer). If the user presses F3, a prompt appears that informs the user that this feature has been disabled. This policy can prevent a user from easily searching for applications on the hard disk. It is recommended that you enable this policy to prevent users from searching for applications on the hard drive or browsing the Internet.

[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus]

Disable Context menu
Recommended setting: Enabled
This policy prevents the shortcut menu from appearing when users click the right mouse button while using the browser. It is recommended that you enable this policy to prevent users from using the shortcut menu as an alternate method of running commands.

Hide Favorites menu
This policy prevents users from adding, removing, or editing the list of Favorite links. If you enable this policy, the Favorites menu is removed from the interface and the Favorites button on the browser toolbar appears dimmed. Use this policy if you want to remove the Favorites menu from Windows Explorer and do not want to give users easy access to Internet Explorer.

[User Configuration\Administrative Templates\Windows Components\Application Compatibility]

Prevent access to 16-bit applications
Recommended setting: Enabled
This policy prevents the MS-DOS subsystem (ntvdm.exe) from running for the user. This setting affects the starting of all 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users. Many MS-DOS applications are not Terminal Server friendly and can cause high CPU utilization due to constant polling of the keyboard. It is recommended that you enable this policy to prevent the 16-bit command interpreter, Command.com, from executing.

Note: The "Prevent access to 16-bit applications" policy can be configured in both Computer Configuration (system-wide) and User Configuration (user specific).

[User Configuration\Administrative Templates\Windows Components\Windows Explorer]

Removes the Folder Options menu item from the Tools menu
Recommended setting: Enabled
Removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box. It is recommended that you enable this policy to prevent users from configuring many properties of Windows Explorer, such as Active Desktop, Web view, Offline Files, hidden system files, and file types.

Remove File menu from Windows Explorer
Recommended setting: Enabled
This policy removes the File menu from My Computer and Windows Explorer. It does not prevent users from using other methods to perform tasks available on the File menu. It is recommended that you enable this policy to remove easy access to tasks such as "New," "Open With," and shell extensions for some applications. Enabling this policy also prevents easy creation of shortcuts to executables.

Remove Map Network Drive and Disconnect Network Drive
Recommended setting: Enabled
This policy prevents users from connecting to and disconnecting from shares with Windows Explorer. It does not prevent mapping and disconnecting drives from other applications or the run command. It is recommended that you enable this policy to remove easy access to browsing the domain from Windows Explorer. If mapped drives are necessary, they can be mapped from a logon script.

Remove Search button from Windows Explorer
Recommended setting: Enabled
It is recommended that you enable this policy to prevent users from searching for applications from Windows Explorer. This policy does not prevent search routines in other applications or the Start Menu.

Remove Security Tab
Recommended setting: Enabled
This policy removes the Security tab from Windows Explorer. If users can open the Properties dialog box for file system objects, including folders, files, shortcuts, and drives, they cannot access the Security tab. It is recommended that you enable this policy to prevent users from changing the security settings or viewing a list of all users who have access to the object.

Remove Windows Explorer's default context menu
Recommended setting: Enabled
This setting removes the shortcut menu from Windows Explorer. It is recommended that you enable this policy to prevent easy access to applications that place hooks into the shortcut menu. This policy does not remove other methods of accessing applications on the shortcut menu, such as using shortcut hotkeys.

Hides the Manage item on the Windows Explorer shortcut menu
Recommended setting: Enabled
This policy removes the Manage option from Windows Explorer or My Computer. The Manage option opens the Computer Management MMC snap-in (compmgmt.msc). Items like Event Viewer, System Information, and Disk Administrator can be accessed from Computer Management. This policy does not restrict access to these tasks from other methods such as Control Panel and the run command. It is recommended that you enable this policy to remove easy access to system information about the Terminal Server.

Hide these specified drives in My Computer
Recommended setting: Enabled – Restrict A, B, C, and D drives only
This policy only removes the icons from My Computer, Windows Explorer, and the standard file dialog box. It does not prevent users from accessing these drives by using other means such as the command prompt. The policy only allows you to hide drives A through D. It is recommended that you enable this policy to hide the floppy disk drive, the CD-ROM drive, and the operating system partition. A partition for public data can be configured to be the only drive viewable to the users. If required, NTFS permissions can be used to restrict access to this partition.

Prevent access to drives from My Computer
Recommended setting: Enabled – A, B, C, and D drives only
This policy prevents access to drives A through D with My Computer, Windows Explorer and the standard file dialog box. This policy does not prevent access from programs that do not use the common dialog boxes. The users can still start applications that reside on the restricted drives. It is recommended that you enable this policy to restrict file browsing of system partitions.

Remove Hardware tab
Recommended setting: Enabled
This policy removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. It is recommended that you enable this policy to prevent users from using the Hardware tab to view the device list or device properties.

Remove Order Prints from Picture Tasks
Recommended setting: Enabled
It is recommended that you enable this policy to remove the "Order Prints Online from Picture Tasks" link in the My Pictures folder.

Remove Publish to Web from File and Folders Tasks
Recommended setting: Enabled
This policy setting removes Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web from File and Folder tasks in Windows Explorer. It is recommended that you enable this policy to prevent users from publishing files or folders to a Web page.

No "Computers Near Me" in My Network Places
Recommended setting: Enabled
This policy removes computers in the user's domain from lists of network resources in Windows Explorer and My Network Places. It does not prevent users from connecting to other computers by other methods, such as the command prompt or the Map Network Drive dialog box. It is recommended that you enable this policy to remove easy access to browsing the domain.

No "Entire Network" in My Network Places
Recommended setting: Enabled
This policy removes all computers outside of the user's local domain from lists of network resources in Windows Explorer and My Network Places. It does not prevent users from connecting to other computers by other methods, such as the command prompt or the Map Network Drive dialog box. It is recommended that you enable this policy to remove easy access to browsing the network.

Turn off Windows+X hotkeys
Recommended setting: Enabled
This policy turns off Windows+X hotkeys. Keyboards with a Windows logo key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts Windows Explorer. It is recommended that you enable this policy to prevent users from starting applications with the Windows logo hotkey.

Turn on Classic Shell
Recommended setting: Enabled
This policy allows you to remove the Active Desktop and Web view features. If you enable this setting, it disables the Active Desktop and Web view. Also, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features. It is recommended that you enable this policy to remove Folder Tasks. Some Folder Tasks, such as those for the My Music folder, can start Internet Explorer.

[User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog]

Hide the common dialog places bar
Recommended setting: Enabled
This policy removes the shortcut bar from the Common Open File dialog box. This feature was originally added in Windows 2000, so disabling it makes it look as it did in Windows NT 4.0 and earlier. These policies affect only programs that use the common dialog box. It is recommended that you enable this policy to remove easy access to browsing the network or the local computer.

Items displayed in Places Bar
This policy allows you to replace the Places Bar items in the Common Open File dialog box with predefined entries. To view this bar, start Notepad, select File, and then click Open.

[User Configuration\Administrative Templates\Windows Components\Task Scheduler]

Hide Property Pages
Recommended setting: Enabled
It is recommended that you enable this policy to prevent users from viewing and changing the properties of an existing task.

Prohibit Task Deletion
This policy prevents administrators from deleting tasks from the Scheduled Tasks folder. This does not prevent administrators from deleting tasks with the AT command, or from a remote computer.

Prevent Task Run or End
This policy prevents administrators from starting and stopping tasks.

Prohibit New Task Creation
Recommended setting: Enabled
It is recommended that you enable this policy to prevent users from creating new scheduled tasks and browsing for applications. This does not prevent administrators from creating new tasks with the AT command, or from a remote computer.

[User Configuration\Administrative Templates\Windows Components\Windows Messenger]

Do not allow Windows Messenger to be run
Recommended setting: Enabled
This policy disables Windows Messenger for the user. It is recommended that you enable this policy to prevent users from receiving links or files from other Windows Messenger users.

[User Configuration\Administrative Templates\Windows Components\Windows Update]

Remove access to use all Windows Update features
This policy removes access to Windows Update. If you enable this setting, all Windows Update features are removed. This includes blocking access to the Microsoft Windows Update Web site at http://go.microsoft.com/fwlink/LinkId=18539, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you are neither notified about critical updates nor do you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site. This policy can be used to prevent changes to the Terminal Server while it is in production. If you disable Windows Update, you should schedule periodic checks to ensure Windows has the latest critical updates.

[User Configuration\Administrative Templates\Start Menu & Taskbar]

Remove links and access to Windows Update
Recommended setting: Enabled
This policy removes links and access to the Windows Update Web site. The Windows Update Web site is only available for administrators. It is recommended that you enable this policy to remove easy access to Internet Explorer for users.

Remove common program groups from Start Menu
Recommended setting: Enabled
This policy removes shortcuts to programs from the all users' profile. Only the Start Menu in the user's profile or the redirected Start Menu is available. It is recommended that you enable this policy to remove easy access to built-in applications like games, calculator, and media player.

Remove pinned programs list from Start Menu
This policy removes the Pinned Programs list from the new Start Menu. It also removes the default links to Internet Explorer and Outlook Express if they are pinned, and it prevents users from pinning any new programs to the Start Menu. The Frequently Used Programs list is not affected.

Remove programs on Settings menu
Recommended setting: Enabled
This policy removes Control Panel, Printers, and Network Connections from Settings on the Classic Start menu, My Computer and Windows Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to open Display Properties or right-clicking My Computer to open System Properties. It is recommended that you enable this policy to prevent easy access to viewing or changing system settings.

Remove Network Connections from Start Menu
Recommended setting: Enabled
This policy prevents the Network Connections folder from opening. The policy also removes Network Connections from Settings on Start Menu. Network Connections still appears in Control Panel and in Windows Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. It is recommended that you enable this policy to prevent users from creating new connections such as VPN or Dial-up.

Remove the Search menu from Start Menu
Recommended setting: Enabled
This policy removes the search function from the Start menu. This setting removes Search from the Start menu and from the shortcut menu that appears when you right-click Start Menu. Also, the system does not respond when users press Windows+F or the F3 key. In Windows Explorer, the search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses CTRL+F. Also, Search does not appear in the shortcut menu when you right-click an icon representing a drive or a folder. This setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. It is recommended that you enable this policy to prevent users from easily searching for applications that are not assigned to them.

Remove Drag-and-Drop shortcut menus on Start Menu
Recommended setting: Enabled
This policy prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. This setting does not prevent users from using other methods of customizing the Start menu or performing the tasks available from the shortcut menus. It is recommended that you enable this policy to remove shortcut menus from the Start menu, including tasks such as creating a new shortcut.

Remove Favorites menu from Start Menu
This policy prevents users from adding the Favorites menu to the Start menu or the Classic Start menu. Use this policy if you do not want users to execute Internet Explorer.

Note: The Favorites menu does not appear on the Start menu by default, but this policy disables the Favorites link. This setting only affects the Start menu. The Favorites menu still exists in Windows Explorer and Internet Explorer.

Remove Help menu from Start Menu
Recommended setting: Enabled
This policy removes the Help link from the Start menu. This setting only affects the Start menu. To disable the new Help and Support application, disable the service in Computer Configuration (see Restricted Computer Policies). It is recommended that you enable this policy to prevent users from easily viewing System Information about the Terminal Server.

Remove Run menu from Start Menu
Recommended setting: Enabled
It is highly recommended that you enable this policy to prevent users from attempting to execute any application. This is very critical for locking down the Terminal Server. Enabling this policy removes the Run command from the Start menu and New Task from Task Manager, and blocks users from entering a UNC path, local drive, and local folders into the Internet Explorer address bar. Also, users with extended keyboards can no longer display the Run dialog box by pressing Windows+R.
Note: The "Remove Run menu from Start Menu" setting affects the specified interface only. It does not prevent users from using other methods to run programs.

Remove My Network Places icon from Start Menu
Recommended setting: Enabled
This policy removes the My Network Places icon from the Start menu. It is recommended that you enable this policy to prevent easy access to browsing the network.

Add Logoff to Start Menu
Recommended setting: Enabled
It is recommended that you enable this policy to make it easy for users to log off their Terminal Server sessions. This policy adds the "Log Off" item to the Start menu and prevents users from removing it. This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press CTRL+ALT+DEL or CTRL+ALT+END from a Terminal Server client.

Remove and prevent access to Shut Down command
Recommended setting: Enabled
This policy removes the ability for the user to open the Shutdown dialog box from the Start menu and from the Windows Security dialog box (CTRL+ALT+DEL). This policy does not prevent users from running programs to shut down Windows. It is recommended that you enable this policy to help remove confusion from the users and prevent administrators from shutting down the system while it is in production.

Prevent changes to Taskbar and Start Menu settings
Recommended setting: Enabled
This policy prevents customization of the taskbar and the Start menu. It can simplify the desktop by adhering to the configuration set by the administrator. It is recommended that you enable this policy to restrict the ability to add other applications to the Start menu by browsing or typing the location of an application.

Remove access to the shortcut menus for the taskbar
Recommended setting: Enabled
This policy removes the right-click menu on the taskbar. This setting does not prevent users from using other methods to issue the commands that appear on this menu. It is recommended that you enable this policy to prevent potential access to files and applications by starting Windows Explorer or Search.

Force Classic Start Menu
This policy affects the presentation of the Start menu. The Classic Start menu in Windows 2000 allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the Classic Start menu is used, the following icons are placed on the desktop: My Documents, My Pictures, My Music, My Computer, and My Network Places. The new Start menu starts them directly. Disabling the new Start menu removes Printers and Faxes. From Printers and Faxes, users can view Server Properties to see where the Spool folder is installed.

[User Configuration\Administrative Templates\Desktop]

Remove Properties from My Documents shortcut menu
Recommended setting: Enabled
This setting hides Properties for the shortcut menu on My Documents. It is recommended that you enable this policy if shortcut menus are not disabled and you do not want the users to easily view or edit the location of their My Documents folder.

Remove Properties from My Computer shortcut menu
Recommended setting: Enabled
This setting hides Properties on the shortcut menu for My Computer. It is recommended that you enable this policy if shortcut menus are not disabled and you do not want the users to easily view configuration information about the Terminal Server.

Remove Properties from Recycle Bin shortcut menu
Recommended setting: Enabled
This policy removes the Properties option from the Recycle Bin shortcut menu. It is recommended that you enable this policy if shortcut menus are not disabled and you do not want the users to easily view or change Recycle Bin settings.

Hide My Network Places icon on desktop
Recommended setting: Enabled
It is recommended that you enable this policy to remove easy access to browsing the network for applications. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network with other methods.

Hide Internet Explorer Icon on the desktop
This policy removes the Internet Explorer icon from the desktop. This setting does not prevent the user from starting Internet Explorer by using other methods.

Prohibit user from changing My Documents path
Recommended setting: Enabled
This policy restricts the My Documents location to the designated location. It is recommended that you enable this policy to prevent browsing for applications.

Hide and disable all items on the desktop
This policy removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, My Computer, and My Network Places. Removing icons and shortcuts does not prevent the user from using another method to start the programs or open the items they represent. Users can still save and open items on the desktop by using the Common File dialog box or Windows Explorer. The items, however, are not displayed on the desktop.

Remove My Documents icon on the desktop
This policy removes most occurrences of the My Documents icon. It does not prevent the user from using other methods to gain access to the contents of the My Documents folder.

Remove My Computer icon on the desktop
Recommended setting: Enabled
This policy hides My Computer from the desktop and from the new Start menu. It also hides links to My Computer in the Web view of all Explorer windows, and it hides My Computer in the Explorer folder tree pane. If the user navigates into My Computer by using the Up icon while this setting is enabled, they view an empty My Computer folder. It is recommended that you enable this policy to present users with a simpler desktop environment and remove easy access to Computer Management and System Properties by no longer allowing right-clicking of the icon.
Note: Hiding My Computer and its contents does not hide the contents of the child folders of My Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there even if this setting is enabled.

[User Configuration\Administrative Templates\Control Panel]

Prohibit access to the Control Panel
Recommended setting: Enabled
This policy removes access to Control Panel and disables all Control Panel programs. It also prevents Control.exe, the program file for Control Panel, from starting. It is recommended that you enable this setting to prevent users from viewing configuration information about the Terminal Server.

[User Configuration\Administrative Templates\Control Panel\Add or Remove Programs]

Remove Add or Remove Programs
Recommended setting: Enabled
This policy removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. If access to Control Panel is prohibited, this policy can be used to remove the links to Add or Remove Programs from places like My Computer. The link then displays an access denied message if clicked. This setting does not prevent users from using other tools and methods to install or uninstall programs. It is recommended that you enable this policy to prevent users from viewing Terminal Server configuration information.

[User Configuration\Administrative Templates\Control Panel\Printers]

Prevent addition of printers
Recommended setting: Enabled
This policy prevents users from using familiar methods to add local and network printers. It is recommended that you enable this policy to prevent users from browsing the network or searching Active Directory for printers. This policy does not prevent the auto-creation of Terminal Server redirected printers, nor does it prevent users from running other programs to add printers.

[User Configuration\Administrative Templates\System]

Prevent access to the command prompt
Recommended setting: Enabled – Set "Disable the command prompt script processing also" to No.
This policy prevents users from running the interactive command prompt, Cmd.exe. From the command prompt, users can start applications. This setting also determines whether batch files (.cmd and .bat) can run on the computer.
Note: Do not prevent the computer from running batch files on a Terminal Server.
This policy does not prevent access to Command.com (the 16-bit command interpreter). To disable Command.com, you can restrict access with NTFS permissions, or disable all 16-bit applications with the "Prevent access to 16-bit applications" policy. It is recommended that you enable the "Prevent access to the command prompt" policy to prevent users from bypassing other policies by using the command prompt instead of Windows Explorer as the shell.

Prevent access to registry editing tools
Recommended setting: Enabled
This policy restricts users from changing registry settings by disabling Regedit.exe. It is recommended that you enable this policy to prevent users from changing their shell to the command prompt or bypassing several other policies. This policy does not prevent other applications from editing the registry.

Run only allowed Windows applications
Recommended setting: Enabled – Define list of authorized applications
It is recommended that you enable this policy to restrict users to only run programs that are added to the List of Allowed Applications. This setting only prevents users from running programs that are started by Windows Explorer. It does not prevent users from running programs such as Task Manager, which can be started by a system process. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs from the command window that they are not permitted to start by using Windows Explorer.

[User Configuration\Administrative Templates\System\CTRL+ALT+DEL Options]

Remove Task Manager
Recommended setting: Enabled
This policy prevents users from starting Task Manager. It is recommended that you enable this policy to prevent users from using Task Manager to start and stop programs; monitor the performance of the Terminal Server; and find the executable names for applications.

Remove Lock Computer
This policy prevents users from locking their sessions. Users can still disconnect and log off. While locked, the desktop cannot be used. Only the user who locked the system or the system administrator can unlock it.

[User Configuration\Administrative Templates\System\Scripts]

Run legacy logon scripts hidden
Recommended setting: Enabled
This policy hides the instructions in logon scripts written for Windows NT 4.0 and earlier. It is recommended that you enable this policy to prevent users from viewing or interrupting logon scripts written for Windows NT 4.0 and earlier.

Non-Policy Settings

Disable Internet Explorer Search Companion
Users can access the Internet Explorer Search Companion by clicking Search on the toolbar, or pressing CTRL-E in Internet Explorer. With the Internet Explorer Search Companion, users can browse or search for files and folders. There is no policy to disable the Internet Explorer Search Companion. This operation needs to be performed manually.
1. Create a text file on the local partition (c:\windows\nosearch.txt).
2. The content of the text file can be "Search is disabled."
3. Set the NTFS permissions of the file to "Everyone – Read and Execute".
4. Then modify the following registry values:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
   "SearchAssistant"=REG_SZ:c:\windows\nosearch.txt
   "CustomizeSearch"=REG_SZ:c:\windows\nosearch.txt
When the users open the Search Companion, the contents of the text file are displayed. It is possible to use a Hypertext (HTML) file instead of a text file.

Remove Printers and Faxes from New Start Menu
The new Start Menu offers a link to the Printers and Faxes folder. From this folder users can view Server Properties for the print spooler. On the Advanced tab, users can view, not edit, the location of the spool folder. To disable easy access to the Server Properties dialog box, do one of the following:
1. Enable the "Turn on Classic Shell" and "Remove File menu from Windows Explorer" policies.
2. Set the following reg value:
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   "Start_ShowPrinters"=REG_DWORD:0x00000000
3. Enable the "Prevent changes to Taskbar and Start Menu Settings" policy. (The registry setting can be deployed by means of logon scripts (executing regedit /s hideprinters.reg) or by using a custom ADM file.)
4. Right-click the Start button, select Properties, select the Start Menu tab, and then click Customize.
5. Select the Advanced tab, clear the Printers and Faxes check box, and then enable the "Prevent changes to Taskbar and Start Menu Settings" policy. (It is recommended that you remove the Start Menu shortcut menus, and then disable access to Control Panel.)
6. Disable the new Start Menu by enabling the "Force Classic Start Menu" policy, and then enable the "Remove File menu from Windows Explorer" policy.

Disable the Full Path in Windows Explorer
By default the full path to the current folder in Windows Explorer is displayed. If Folder Redirection is used and users navigate beyond the My Documents folder, the address bar displays the full path to the folder. This is a configurable Folder Option that cannot be set by group policies. To disable the full path, do one of the following:
1. In Windows Explorer, click Tools on the Toolbar, then select Folder Options.
2. Click the View tab, and then clear the "Display the full path in the address bar" and "Display the full path in the title bar" check boxes.
3. Enable the "Remove Folder Options menu item from Tools menu" policy.
4. Set the following reg values:
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   "FullPathAddress"=REG_DWORD:0x00000000
   "FullPath"=REG_DWORD:0x00000000
The registry setting can be deployed by means of logon scripts (executing regedit /s addressbar.reg) or by using a custom ADM file.
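
The three registry changes above (Search Companion, Start_ShowPrinters, and the full-path values) are all imported with regedit /s, which runs silently, so a mistake in a .reg file goes unnoticed at logon. As an added example that is not part of the original paper, this Python sketch parses a .reg file and checks it against those values before it is deployed; the function names and the sample file contents are assumptions made for illustration.

```python
import re
# Expected values, from the registry settings this paper lists (key paths as regedit exports them).
HKCU_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
BASELINE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search": {
        "SearchAssistant": r"c:\windows\nosearch.txt",
        "CustomizeSearch": r"c:\windows\nosearch.txt"},
    HKCU_EXPLORER + r"\Advanced": {"Start_ShowPrinters": 0},
    HKCU_EXPLORER + r"\CabinetState": {"FullPathAddress": 0, "FullPath": 0},
}
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}; names lower-cased because the
    registry is case-insensitive. REG_SZ -> str, REG_DWORD -> int, other types raw."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = None if key.group(1) else keys.setdefault(key.group(2).lower(), {})
            continue  # "[-KEY]" (a key deletion) collects no values
        val = VAL_RE.match(line)
        if not val or current is None:
            continue  # header, comment, blank line or unsupported syntax
        name, data = val.group(1).lower(), val.group(2)
        if data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
        current[name] = data
    return keys

def audit(text, baseline=BASELINE):
    """Return (key, name, expected, found) for each baseline value that is missing
    or different under a key the file writes to; keys it does not touch are skipped."""
    parsed, findings = parse_reg(text), []
    for key, values in baseline.items():
        written = parsed.get(key.lower())
        if written is None:
            continue
        for name, expected in values.items():
            found = written.get(name.lower())
            if isinstance(expected, str) and isinstance(found, str):
                same = found.lower() == expected.lower()  # file paths: ignore case
            else:
                same = type(found) is type(expected) and found == expected
            if not same:
                findings.append((key, name, expected, found))
    return findings

# Constructed samples (not from the paper): a correct file and one with FullPath left at 1.
SAMPLE_NOSEARCH = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"="c:\\windows\\nosearch.txt"
"CustomizeSearch"="C:\\Windows\\nosearch.txt"
'''
SAMPLE_ADDRESSBAR = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPathAddress"=dword:00000000
"FullPath"=dword:00000001
'''
```

Files saved by regedit in the "Windows Registry Editor Version 5.00" format are UTF-16, so read them with encoding="utf-16" before passing the text to audit(); REGEDIT4 files are plain ANSI text.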

Remove Internet Explorer and Windows Explorer from the Quick Launch Bar
By default, links to Internet Explorer and Windows Explorer are added to the Quick Launch bar. These links can be removed from a logon script by adding the following lines:
   del "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\explorer.exe.lnk"
   del "%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk"

Disable Help
Help files can be opened from many applications by pressing F1. Many of these help files can provide users with links to other applications and Web sites that they would normally not have access to. No Group Policy exists to restrict access to Help in applications. It is necessary to restrict NTFS access to .chm and .hlp files. The majority of Windows help files reside in the %SystemRoot%\Help folder, typically c:\windows\help. Simply remove the user groups from the access control list of the folder. Then select the option to replace permission entries on all child objects. Doing so prevents Help files from opening for users.

Network Browsing by Using the Common Open/Save File Dialog Box
The Common Open/Save File dialog box is used by many applications to open or save files. It can be seen by selecting Open or Save on the File menu from applications such as Notepad. From the path entry box, users can browse the network. From the Open/Save File dialog box, users can enter UNC paths, such as \\localhost, and then browse the shares for the local server. By using the UP ARROW to get to the parent object, the user can browse either the domain or the network. Although users might be able to see server and share names, they are still restricted by share-level and NTFS-level permissions. If you need to prevent users from viewing server or share names, the following options are available:
1. Use the RestrictAnonymous registry value in conjunction with share and NTFS permissions to restrict access. For more information, see Knowledge Base article 246261, "How to Use the RestrictAnonymous Registry Value in Windows 2000" at http://go.microsoft.com/fwlink/LinkId=18396.
2. Hide a share name by adding a trailing "$" to the end of the share name. For more information, see Knowledge Base article 90929, "Share Names With a "$" Character at the End Are Hidden" at http://go.microsoft.com/fwlink/LinkId=18403.
3. Configure computers to not send announcements to browsers on the domain. This can be accomplished by adding the following registry value or executing the following command:
   From the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
   Value name: Hidden
   Data type: REG_DWORD
   Value data: 1
   The registry setting can be deployed by means of logon scripts (executing regedit /s addressbar.reg) or by using a custom ADM file.
   From the command line: "net config server /hidden:yes"
   For more information, see Knowledge Base article 321710, "HOW TO: Hide a Windows 2000-Based Computer from the Browser List" at http://go.microsoft.com/fwlink/LinkId=18397

Additional Restrictions

Software Restriction Policies
Software restriction policies are a new feature in Microsoft Windows XP and Windows Server 2003. This important feature provides administrators with a policy-driven mechanism for identifying software programs running on computers in a domain, and it controls the ability of those programs to execute. Policies can be used to block malicious scripts, help lock down a computer, or prevent unwanted applications from running. For additional information about Software Restriction Policies, see the white paper, "Using Software Restriction Policies to Protect Against Unauthorized Software," at http://go.microsoft.com/fwlink/LinkId=17299 and Knowledge Base article 324036, "HOW TO: Use Software Restriction Policies in Windows Server 2003," at http://go.microsoft.com/fwlink/LinkId=18400.

Internet Explorer in Kiosk Mode
Administrators can replace the standard Windows Explorer user interface with Internet Explorer in Kiosk mode. When you run Internet Explorer in Kiosk mode, the Internet Explorer title bar, menus, toolbars, and status bar are not displayed, and Internet Explorer runs in Full Screen mode. Only Web pages are displayed. Internet Explorer in Kiosk mode can be enabled by enabling the following policy:

[User Configuration\Administrative Templates\System]

Custom user interface
Recommended setting: Enabled
Interface file name: "%ProgramFiles%\Internet Explorer\IExplore.exe" -K

If Internet Explorer in Kiosk mode is used as the user interface, it is strongly recommended that you review and enable the Internet Explorer restrictive policies under the following sections:
[Computer Configuration\Administrative Templates\Windows Components\Internet Explorer]
[User Configuration\Administrative Templates\Windows Components\Internet Explorer]

Summary
Windows Server 2003 is a feature-rich platform that can provide the functionality of Terminal Server to a wide variety of environments. These deployments require various degrees of control and manageability. Using Active Directory, you can quickly and easily configure Terminal Server to integrate with diverse environments, providing controlled desktop functionality and managed access to applications.

Related Links
See the following resources for further information:
Microsoft Windows Server 2003 Terminal Server Overview at http://go.microsoft.com/fwlink/LinkId=17300
Microsoft Windows Server 2003 Active Directory Overview at http://go.microsoft.com/fwlink/LinkId=18540
Securing Windows 2000 Terminal Services at http://go.microsoft.com/fwlink/LinkId=18404
How to Use the RestrictAnonymous Registry Value in Windows 2000 at http://go.microsoft.com/fwlink/LinkId=18396
Knowledge Base article 90929, "Share Names With a "$" Character at the End Are Hidden" at http://go.microsoft.com/fwlink/LinkId=18403
Knowledge Base article 321710, "HOW TO: Hide a Windows 2000-Based Computer from the Browser List" at http://go.microsoft.com/fwlink/LinkId=18397
Using Software Restriction Policies to Protect Against Unauthorized Software at http://go.microsoft.com/fwlink/LinkId=17299
Knowledge Base article 324036, "HOW TO: Use Software Restriction Policies in Windows Server 2003," at http://go.microsoft.com/fwlink/LinkId=18400
Windows 2003 Server Web site at http://go.microsoft.com/fwlink/LinkId=18405