The RDS Security group policy setting controls whether to let local administrators customize permissions.
The Horizon 7 RDS group policy settings are installed in the folder.
Setting | Description |
---|---|
Server Authentication Certificate Template | Use this policy setting to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RDS host. A certificate is needed to authenticate an RDS host when SSL (TLS 1.0) is used to secure communication between a client and an RDS host during RDP connections. If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RDS host is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. If no certificate can be found that was created with the specified certificate template, the RDS host will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RDS host will be selected. If you disable or do not configure this policy setting, a self-signed certificate will be used by default to authenticate the RDS host. You can select a specific certificate to be used to authenticate the RDS host on the General tab of the Remote Desktop Session Host Configuration tool.
Note: If you select a specific certificate to be used to authenticate the RDS host, that certificate will take precedence over this policy setting.
|
Set client connection encryption level | Specifies whether to require the use of a specific encryption level to secure communications between clients and RDS hosts during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RDS hosts during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
If you disable or do not configure this setting, the encryption level to be used for remote connections to RDS host is not enforced through Group Policy. However, you can configure a required encryption level for these connections by using the Remote Desktop Session Host Configuration tool.
Important: FIPS compliance can be configured through the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy setting in the
folder or, through the "FIPS Compliant" setting in Remote Desktop Session Host Configuration. The FIPS Compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. Use this encryption level when communications between clients and RDS hosts require the highest level of encryption. If FIPS compliance is already enabled through the Group Policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting, that setting overrides the encryption level specified in this Group Policy setting or in the Remote Desktop Session Host Configuration tool.
|
Always prompt for password upon connection | Specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. If you enable this setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. If you disable this setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. If you do not configure this setting, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the Remote Desktop Session Host Configuration tool. |
Require secure RPC communication | Specifies whether an RDS host requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If you enable this setting, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. If you disable this setting, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. If you do not configure this setting, unsecured communication is allowed.
Note: The RPC interface is used for administering and configuring Remote Desktop Services.
|
Require use of specific security layer for remote (RDP) connections | Specifies whether to require the use of a specific security layer to secure communications between clients and RDS hosts during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RDS hosts during remote connections must use the security method specified in this setting. The following security methods are available:
If you disable or do not configure this setting, the security method to use for remote connections to RDS hosts is not enforced through Group Policy. However, you can configure a required security method for these connections by using the Remote Desktop Session Host Configuration tool. |
Require user authentication for remote connections by using Network | Use this policy setting to specify whether to require user authentication for remote connections to the RDS host by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RDS host. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase "Network Level Authentication supported." If you disable or do not configure this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RDS host. You can specify that Network Level Authentication be required for user authentication by using Remote Desktop Session Host Configuration tool or the Remote tab in System Properties.
Important: Disabling or not configuring this policy setting provides less security because user authentication will occur later in the remote connection process.
|
Do not allow local administrators to customize permissions | Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Configuration tool. By default, administrators are able to make such changes. If the status is set to Enabled, the Permissions tab in the Remote Desktop Session Host Configuration tool cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors are Read Only. If the status is set to Disabled or Not Configured, server administrators have full Read/Write privileges to the user security descriptors on the Permissions tab in the Remote Desktop Session Host Configuration tool.
Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group.
|