+1 As well as know how much more secure (or unstable) it makes the machine than controlling that local group membership via GPO.
Could be some hack (deemed "our computer guru" by the non-tech savvy company) displayed some hacking skills that he showed them really locked a machine down, without considering the portability/reliability of it. Company says "this is cool, let's recommend this to our clients too", and they tell two people, and they tell two people, and so on, and so on... From: Webster [mailto:[email protected]] Sent: Wednesday, April 11, 2012 7:47 AM To: NT System Admin Issues Subject: Re: Changing permissions on RDP connector via Registry I agree, I would like to know where this Best Practice comes from. I have never heard of it. Thanks Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com<http://www.carlwebster.com/> From: Michael Smith <[email protected]<mailto:[email protected]>> Subject: RE: Changing permissions on RDP connector via Registry I don't have an answer to your question - but I'd love to know where this "best practice" is documented, in any of Microsoft's documentation, NIST documentation, ITIL, or where? From: James Rankin [mailto:[email protected]] Subject: Changing permissions on RDP connector via Registry I have a client with a requirement to remove the Remote Desktop Users group from the security page on the RDP connector so that only admins can use RDP. I have floated the idea of simply controlling the Remote Desktop Users group, but they were recommended this "best practice" by a separate company and are intent on implementing it. Short of visiting each RDS server and running tsconfig.msc, is there any way I can remove Remote Desktop Users from the security tab by GPO or Registry setting? I can't find a GPO setting for it, so I am hoping someone knows the Registry key that pertains to this....my Google-fu appears sadly lacking today. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
