Securing Windows 2008 Citrix or Terminal Servers

Loopback GPO

This allows you to apply user-level group policy to individual computers (i.e. the terminal servers). The policy applies only on the terminal servers and doesn’t apply to the users’ PCs. Create a GPO and apply it to an OU containing the Citrix servers. Enable the loopback mode as shown below.

Make sure the permissions of the GPO apply to Authenticated Users and the Citrix/terminal servers. I usually set a deny permission against Domain Admins to make sure they do not have this policy applied.

Two important settings are preventing access to the command prompt and preventing access to registry tools.
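To confirm that the policy has actually reached a session, the following added example (not part of the original post) reads the registry values written by loopback processing and by the command prompt and registry tool restrictions. The registry paths and value names are the standard locations for these policy settings; the helper name `Get-PolicyValue` is illustrative.

```powershell
# Added example: run inside a user's session on the terminal server.
# Reports whether the policies discussed above have landed in the registry.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$checks = @(
    @{ Setting = 'Loopback processing mode'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name    = 'UserPolicyMode'
       Meaning = @{ 1 = 'Merge'; 2 = 'Replace' } },
    @{ Setting = 'Prevent access to the command prompt'
       Path    = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name    = 'DisableCMD'
       Meaning = @{ 1 = 'Blocked, batch files blocked too'; 2 = 'Blocked, batch files still run' } },
    @{ Setting = 'Prevent access to registry editing tools'
       Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableRegistryTools'
       Meaning = @{ 1 = 'Blocked'; 2 = 'Blocked, including regedit /s' } }
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -eq $value) { $state = 'NOT CONFIGURED' }
    elseif ($c.Meaning.ContainsKey([int]$value)) { $state = $c.Meaning[[int]$value] }
    else { $state = "Unexpected value $value" }
    New-Object PSObject -Property @{
        User = "$env:USERDOMAIN\$env:USERNAME"; Computer = $env:COMPUTERNAME
        Setting = $c.Setting; Value = $value; State = $state
    }
}
$results | Select-Object Computer, User, Setting, Value, State | Format-Table -AutoSize
```

Run it once as an ordinary user and once as a domain admin: with the deny permission described above, the admin session should show the two user settings as NOT CONFIGURED, while the loopback mode (a computer setting) is reported in both.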


Restrict Access to Folders from the Start Menu

This prevents users from viewing the contents of folders shown on the All Users Start Menu. Edit the permissions of the required folders under C:\Users\All Users\Microsoft\Windows\Start Menu\Programs as shown below.


Remove unwanted items from the Public Desktop

Delete items you do not want all users to see from the location below.


Remove Pinned Server Manager and PowerShell shortcuts from the taskbar

As the Windows 2003 domain controller doesn’t have this setting, I have set it via local group policy on the terminal server. Click Start, then in the window that opens type gpedit.msc. Set as shown below.
