***Summary of settings required to lock down a Windows Server
---START----
User Configuration | Policies | Administrative Templates | Control Panel
o Always open All Control Panel Items when opening Control Panel = enabled
o Show only specified Control Panel items = enabled, canonical names =
Microsoft.RegionAndLanguage
Microsoft.NotificationAreaIcons
MLCFG32.CPL
Microsoft.Personalization
Microsoft.Mouse
Microsoft.DevicesAndPrinters
Microsoft.System (lets users see the computer name)
User Configuration | Policies | Administrative Templates | Control Panel | Add or Remove Programs
o Remove Add or Remove Programs = enabled
User Configuration | Policies | Administrative Templates | Control Panel | Programs
o Hide the Programs Control Panel = enabled
Desktop GPO Settings
User Configuration | Policies | Administrative Templates | Desktop
o Hide Network Locations icon on desktop = enabled
o Prohibit user from manually redirecting Profile Folders = enabled
o Remove Properties from the Computer icon context menu = enabled
o Remove Properties from the Recycle Bin icon context menu = enabled
Start Menu & Taskbar GPO Settings
User Configuration | Policies | Administrative Templates | Start Menu & Taskbar
o Clear the recent programs list for new users = enabled
o Do not allow pinning Store app to the taskbar = enabled
o Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
o Remove common program groups from Start Menu = enabled (only if you have some other means for putting shortcuts back on the user’s Start Menu/Desktop. Also, enabling this setting might prevent Outlook 2013 desktop alerts. Microsoft 3014833)
o Remove Help menu from Start menu = enabled
o Remove links and access to Windows Update = enabled
o Remove Network Connections from Start menu = enabled
o Remove Network icon from Start menu = enabled
o Remove Run menu from Start menu = enabled
o Remove the Action Center icon = enabled (not in Windows 10)
o Remove the networking icon = enabled
o Remove the Security and Maintenance icon = enabled (Windows 10)
o Remove user folder link from Start menu = enabled
System GPO Settings
User Configuration | Policies | Administrative Templates | System
o Prevent access to registry editing tools = enabled, disable regedit from running silently = No
o Prevent access to the command prompt = enabled, disable command prompt script processing = No
Disabling registry editing tools also disables reg.exe. This is true even if "Disable regedit from running silently" is set to No.
Explorer GPO Settings
User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (Windows 8+) or Windows Explorer (Windows 7)
o Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
o Hides the Manage item on the File Explorer context menu = enabled
o Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you can’t use Start Menu’s search to find programs.
o Prevent users from adding files to the root of their Users Files folder = enabled
o Remove “Map Network Drive” and “Disconnect Network Drive” = enabled
2. Choose Action: Update, Drive Letter: Existing C, Hide this drive
3. Common Tab: Run in logged-on user's Security
----END----
Searching online I can't locate a PowerShell script that automates this process and does it for you flawlessly. Instead, it seems you need to start up GPMC.MSC and go and create all these settings by hand. I guess the good news is that once you've done it, you can back up the GPO and restore it to a different domain if you wanted to.
Process:
Source Server...
Start PowerShell by right-clicking on it in the Taskbar and running it as Administrator
Import-Module GroupPolicy
Backup-GPO -Name CitrixSecurity -Path C:\backups
Create ZIP file of c:\backups and transfer it to other domain
*For my example I created it on local hardware and emailed the ZIP file to myself and extracted the contents on an Amazon AWS Domain Controller I'm testing with
#Above command imports GPO originally named CitrixSecurity to destination domain and names it TestGPO
I've attached a file named CitrixSecurity.zip which contains the exported GPO, but it's not for all the settings to do a server lockdown -- just a sample testing one for single sign-on with StoreFront and the Citrix Receiver ICA client. This was more to document the process and ask if someone actually has a legit backup of the GPO settings mentioned above and if not, I'll spend an hour and go and create them and post back here with an updated GPO backup file that actually does the server lockdown. I guess you're able to review the backup info before applying it to your domain, but this almost feels like an advanced REGEDIT import of HKLC keys and you have to trust the source.
Tom Swift
CitrixSecurity.zip
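As an added example (not the poster's script and not part of the Citrix document quoted in the post), the following PowerShell builds the user-side settings listed above into one GPO with the GroupPolicy module; the GPO name ServerLockdown is an assumption, and the registry value mappings are mine (the values the Administrative Template ADMX files write for those policies), so confirm the result in GPMC before linking.

```powershell
# Added example, not the poster's script or the quoted document's. It builds the user-side
# lockdown above as one GPO via Set-GPRegistryValue. Assumed GPO name: ServerLockdown.
# Registry mappings are the ones the Administrative Template ADMX files use; confirm the
# result in GPMC, since policy names and availability vary by Windows version.
Import-Module GroupPolicy

$gpoName = 'ServerLockdown'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Citrix server lockdown (user configuration)' | Out-Null
}

$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policies = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$dwords = [ordered]@{
    # Start Menu & Taskbar
    "$explorer|NoClose"              = 1   # Remove and prevent access to Shut Down, Restart, ...
    "$explorer|NoSMHelp"             = 1   # Remove Help menu from Start menu
    "$explorer|NoWindowsUpdate"      = 1   # Remove links and access to Windows Update
    "$explorer|NoNetworkConnections" = 1   # Remove Network Connections from Start menu
    "$explorer|NoRun"                = 1   # Remove Run menu from Start menu
    # Desktop
    "$explorer|NoNetHood"              = 1 # Hide Network Locations icon on desktop
    "$explorer|NoPropertiesMyComputer" = 1 # Remove Properties from the Computer icon context menu
    "$explorer|NoPropertiesRecycleBin" = 1 # Remove Properties from the Recycle Bin context menu
    # File Explorer (A=1, B=2, C=4, D=8 -> 15 = "Restrict A, B, C and D drives only")
    "$explorer|NoDrives"               = 15 # Hide these specified drives in My Computer
    "$explorer|NoViewOnDrive"          = 15 # Prevent access to drives from My Computer
    "$explorer|NoNetConnectDisconnect" = 1  # Remove "Map Network Drive" and "Disconnect Network Drive"
    "$explorer|NoManageMyComputerVerb" = 1  # Hides the Manage item on the context menu
    # Control Panel
    "$policies\Uninstall|NoAddRemovePrograms" = 1  # Remove Add or Remove Programs
    "$explorer|RestrictCpl"                   = 1  # Show only specified Control Panel items
    # System: value 1 = blocked, but regedit /s and scripts still run, matching "= No" above
    "$policies\System|DisableRegistryTools"                     = 1
    'HKCU\Software\Policies\Microsoft\Windows\System|DisableCMD' = 1
}
foreach ($entry in $dwords.GetEnumerator()) {
    $key, $valueName = $entry.Key -split '\|', 2
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $valueName -Type DWord -Value $entry.Value | Out-Null
}
# The allowed Control Panel items live in a RestrictCpl subkey as numbered string values
$allowed = 'Microsoft.RegionAndLanguage', 'Microsoft.NotificationAreaIcons', 'MLCFG32.CPL',
           'Microsoft.Personalization', 'Microsoft.Mouse', 'Microsoft.DevicesAndPrinters', 'Microsoft.System'
for ($i = 0; $i -lt $allowed.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\RestrictCpl" -ValueName ($i + 1) -Type String -Value $allowed[$i] | Out-Null
}

# Read the policy values back so the result can be checked before the GPO is linked anywhere
Get-GPRegistryValue -Name $gpoName -Key $explorer | Select-Object ValueName, Type, Value
```

The new GPO has no links, so nothing applies until you link it with New-GPLink or GPMC.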
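The backup-and-import process described in the post, as an added example rather than the poster's own commands; it assumes the names CitrixSecurity, TestGPO, C:\backups and C:\gpo-import, and adds the review step that answers the "trust the source" concern: an imported GPO stays unlinked, so its settings can be inspected before they reach any user.

```powershell
# Added example (not the poster's script). Assumed names: CitrixSecurity (source GPO),
# C:\backups (backup folder on the source DC), C:\gpo-import (extracted zip on the
# target DC), TestGPO (name in the target domain) and a placeholder OU to link to.
Import-Module GroupPolicy

# --- Source domain: back up one GPO, then zip the folder for transfer ---
$backup = Backup-GPO -Name 'CitrixSecurity' -Path 'C:\backups' -Comment 'server lockdown baseline'
Compress-Archive -Path 'C:\backups\*' -DestinationPath 'C:\CitrixSecurity.zip' -Force
"Backup $($backup.Id) of $($backup.DisplayName) created $($backup.CreationTime)"

# --- Target domain: import the backup into a NEW, UNLINKED GPO ---
Expand-Archive -Path 'C:\CitrixSecurity.zip' -DestinationPath 'C:\gpo-import' -Force
Import-GPO -BackupGpoName 'CitrixSecurity' -Path 'C:\gpo-import' -TargetName 'TestGPO' -CreateIfNeeded | Out-Null

# Nothing applies yet: an imported GPO has no links. Review what it carries first.
Get-GPOReport -Name 'TestGPO' -ReportType Html -Path 'C:\gpo-import\TestGPO-review.html'
Invoke-Item 'C:\gpo-import\TestGPO-review.html'

# Only after review: link it, and to a test OU (placeholder DN) rather than the domain root.
# New-GPLink -Name 'TestGPO' -Target 'OU=Citrix Test,DC=example,DC=com' -LinkEnabled Yes
```

If the source GPO references domain-specific principals or UNC paths, pass a migration table to Import-GPO (-MigrationTable) so those are translated for the target domain.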