# Locking Down TS/RDS Host

## **Server Manager Console**

Disable the Server Manager pop-up for users logging in. This can be done from the Group Policy Microsoft Management Console (MMC):

User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar

Some administrative group policies might not be available in the Group Policy Management Console (GPMC). These can be imported from <https://www.microsoft.com/en-au/download/details.aspx?id=41193>.

## **Removing Favorites and Libraries**

You must perform these modifications on the RD Session Host servers. You can make these changes directly in the Registry or by using Group Policy Preferences (GPP).

{% hint style="info" %}
**Note**: Back up the key first and take ownership of the ShellFolder before changing the value of Attributes.
{% endhint %}

* For Favorites, the key is:

  \[HKEY\_CLASSES\_ROOT\\CLSID\\{323CA680-C24D-4099-B94D-446DD2D7249E}\\ShellFolder] \
  "Attributes"=dword:a0900100 \
  Changing a0900100 to a9400100 will hide Favorites from the navigation pane.
* For Libraries, the key is:

  \[HKEY\_CLASSES\_ROOT\\CLSID\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\ShellFolder] \
  "Attributes"=dword:b080010d \
  Changing b080010d to b090010d will hide Libraries from the navigation pane.
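
The change above can be scripted so that each key is backed up and only a known starting value is overwritten. This is an added example, not part of the original guide; it assumes an elevated session on the RD Session Host, that write access to each ShellFolder key has already been obtained as the note requires, and a backup folder name chosen here for illustration.

```powershell
# Added example: hide Favorites and Libraries by changing ShellFolder\Attributes.
# Assumption: run elevated, with ownership/write access to both keys already granted.
$targets = @(
    @{ Name = 'Favorites'; Clsid = '{323CA680-C24D-4099-B94D-446DD2D7249E}'
       Shown = 'a0900100'; Hidden = 'a9400100' },
    @{ Name = 'Libraries'; Clsid = '{031E4825-7B94-4dc3-B131-E946B44C8DD5}'
       Shown = 'b080010d'; Hidden = 'b090010d' }
)
$backupDir = Join-Path $env:TEMP 'ShellFolderBackup'   # illustrative location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Get-AttributesHex {
    param([string]$SubKey)
    # Returns the Attributes DWORD as 8 hex digits, or $null if it is missing.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey)
    if (-not $key) { return $null }
    try { $raw = $key.GetValue('Attributes') } finally { $key.Close() }
    if ($null -eq $raw) { return $null }
    return '{0:x8}' -f $raw
}

foreach ($t in $targets) {
    $subKey  = "CLSID\$($t.Clsid)\ShellFolder"
    $current = Get-AttributesHex -SubKey $subKey
    if ($null -eq $current)       { Write-Warning "$($t.Name): key or value not found"; continue }
    if ($current -eq $t.Hidden)   { Write-Output  "$($t.Name): already hidden"; continue }
    if ($current -ne $t.Shown) {
        # Do not overwrite a value this guide does not describe.
        Write-Warning "$($t.Name): unexpected value $current, skipped"; continue
    }

    # Back up the key before changing it.
    $backup = Join-Path $backupDir "$($t.Name)-ShellFolder.reg"
    & reg.exe export "HKCR\$subKey" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$($t.Name): backup failed, skipped"; continue }

    & reg.exe add "HKCR\$subKey" /v Attributes /t REG_DWORD /d "0x$($t.Hidden)" /f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "$($t.Name): write failed (access denied?)"; continue }

    # Read the value back to confirm the change took effect.
    Write-Output "$($t.Name): $current -> $(Get-AttributesHex -SubKey $subKey)"
}
```

The `.reg` files written to the backup folder restore the original values when imported.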

## **Hiding/Preventing Access to Drives and other features**

You can use Group Policy settings to hide and restrict access to drives on the RD Session Host server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage programs or other critical system files on drive C.

This can be carried out from the Group Policy Microsoft Management Console (MMC) as follows:

* For Windows Server 2008 and Windows Server 2008 R2: User Configuration\Policies\Administrative Templates\Windows Components\Windows Explorer.
* For Windows Server 2012 and Windows Server 2012 R2: User Configuration\Administrative Templates\Windows Components\File Explorer.

Additional policies can be set to:

* Hide the Manage item on the Windows Explorer context menu
* Remove Hardware tab
* Remove "Map Network Drive" and "Disconnect Network Drive"
* Remove Search button from Windows Explorer
* Disable Windows Explorer’s default context menu
* Remove Run menu from Start Menu

For more information, see <https://blogs.msdn.microsoft.com/rds/2011/05/26/how-to-restrict-users-from-accessing-local-drives-of-an-rd-session-host-server-while-using-remoteapp-programs/>.

## **Session Limits**

You can use this policy setting to specify the maximum amount of time that an active, disconnected, or idle session remains in its current state.

Set the time limit for disconnected sessions. When a session is disconnected, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.

Set the time limit for logoff of published resources sessions. You can specify how long a user session will remain in a disconnected state after closing all programs but before the session is logged off from the RD Session Host server. By default, if a user closes a published resource, the session is disconnected from the RD Session Host server but it is not logged off.

This option can also be changed in the Parallels RAS Console by navigating to Farm \ Terminal Servers \ Properties \ Publishing Session.

Set time limit for logoff of published resources sessions. When a user closes the last running published resource associated with a session, Remote Application Server will keep the session in a disconnected state until the specified time limit is reached. When it is, the session will be logged off from the RD Session Host server. If the user starts another published resource before the time limit is reached, the user will reconnect to the disconnected session on the RD Session Host server.

{% hint style="info" %}
**Note:** This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. These configurations can be carried out from the Group Policy Microsoft Management Console (MMC): Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits.
{% endhint %}
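
To confirm which session limits actually apply on a host, the policy values can be read back from the registry with Computer Configuration taking precedence, as the note describes. This is an added example, not part of the original guide; the value names and the millisecond unit are assumptions about how these policies are stored and should be checked against your ADMX templates. It reports Group Policy only, not settings made in the Parallels RAS Console.

```powershell
# Added example: report effective Group Policy session time limits on this host.
# Assumption: the policies are stored under this key as DWORD values in milliseconds.
$rel = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
$settings = [ordered]@{
    MaxDisconnectionTime     = 'Disconnected sessions'
    MaxIdleTime              = 'Idle sessions'
    MaxConnectionTime        = 'Active sessions'
    RemoteAppLogoffTimeLimit = 'Logoff of RemoteApp sessions'
}

function Get-SessionLimit {
    param([Parameter(Mandatory)][string]$ValueName)
    # Computer Configuration (HKLM) takes precedence over User Configuration (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $prop = Get-ItemProperty -Path "${hive}:\$rel" -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            return [pscustomobject]@{ Hive = $hive; Milliseconds = [int64]$prop.$ValueName }
        }
    }
    return $null   # not configured in either hive
}

$report = foreach ($name in $settings.Keys) {
    $limit = Get-SessionLimit -ValueName $name
    if ($null -eq $limit) {
        $source = 'Not configured'; $value = 'default applies'
    } elseif ($limit.Milliseconds -eq 0) {
        $source = $limit.Hive; $value = 'Never (no limit)'   # assumed meaning of 0
    } else {
        $source = $limit.Hive; $value = '{0} min' -f ($limit.Milliseconds / 60000)
    }
    [pscustomobject]@{
        Policy = $settings[$name]
        Value  = $name
        Source = $source
        Limit  = $value
        # Flag anything that leaves sessions on the server indefinitely.
        Review = ($null -eq $limit -or $limit.Milliseconds -eq 0)
    }
}
$report | Format-Table -AutoSize
```

The HKCU result reflects only the user running the script, so run it in the context of a typical RDS user to check User Configuration policy.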


