This was written a couple of years ago. I'm amazed at how relevant this still is. There are many people who are simply unaware of some of these settings or do not know Group Policy at all. This is a good primer for them and explains the basics.
As Terminal Services becomes more widely deployed, many people are asking how to secure their environments. The answer to this question can be as simple or as complex as people want. A commonality among many people who ask this question is their unfamiliarity with Group Policy. Group Policy is a powerful tool in helping secure terminal services deployments. This paper shall cover the basics of implementing a Group Policy Object (GPO) in a terminal services environment.
What is Group Policy?
First let's take a look at what Group Policy is. Group Policy is a component of Active Directory that allows an administrator to centrally control hundreds of settings on Windows operating systems. As an administrator, you can set company-wide policies such as wallpaper, screen savers, even Control Panel access. While you can do this with simple registry entries and other tools, the advantage of Group Policy is in its centralized nature. You can set or change a policy in one place and that setting will be automatically pushed down to the computers and/or users at logon or at the next GPO refresh.
A Group Policy is linked to Sites, Domains, and Organizational Units and applied in that order. This means that a GPO linked to an OU will trump the other policies if there are any conflicting settings in the policy set. For example, if the screen saver setting is enabled at the domain level but disabled at the OU level, the disabled setting will take effect. Keep in mind that having an excessive number of GPO's can slow down the boot-up and login processes.
Group Policy is split into two categories: Computer Configuration and User Configuration. Computer settings apply to, surprise, computers and User settings apply to users. Computer settings are initially applied when a computer boots up and user settings are applied when a user logs onto a computer. Both are also periodically refreshed, every three hours by default. When creating GPO's, you have the ability to disable the computer or user portion of the GPO. This allows you to separate the GPO's and streamlines the time it takes to process them.
By default, User settings are applied to the Authenticated Users security group. This means any user in the OU that logs in and is authenticated will apply the settings of the GPO. The User Configuration portion of a GPO can be filtered by security group and/or user account. Likewise, the Computer Configuration portion can be filtered as well by computer account. This means you can have multiple GPO's linked to the same OU but only apply them to certain users, groups and/or computers based on filtering, or permissions. You can also have multiple GPO's linked to the same OU and apply them based on priority. The highest priority GPO settings replace any other settings that may conflict.
Group Policy is also extensible. The Administrative Templates section of the Computer and User Configuration portions is actually made up of text files called ADM's. By default the ADM's are located in c:\windows\inf. An administrator can create their own ADM or modify the default ADM's; however, it is highly recommended never to modify the default Microsoft-supplied ADM files. This also brings up the important concept of Policy vs. Preference. Policies are settings that, when applied to the computer or user, are written under the HKLM\Software\Policies and HKCU\Software\Policies registry keys and are reversible by simply configuring the setting to ‘Not Configured'. Preferences are settings that are applied directly to the original registry area, commonly referred to as "tattooing the registry". Since Preferences are not "managed", they would have to be reversed first, and then set to ‘Not Configured' to remove them. Additionally, software must be programmed to look in the Policy area of the registry. For example, Microsoft Office is designed to look for registry settings in the Policy area first before it uses the settings in the original area. Many pieces of software are not designed this way and ADM's must be written to modify the original area of the registry directly.
Brief Overview of Tools
There are two ways Microsoft provides for configuring Group Policy. The default method is using the Group Policy editor, which is a component of Windows in the form of an MMC snap-in. This is a very basic editor and allows you to configure the settings you want: nothing more, nothing less.
The second method is a free tool available from Microsoft called the Group Policy Management Console. This tool makes administering Group Policy much easier. It allows an administrator to report on which settings are enabled and save this as a report in HTML or XML. The interface also shows the OU hierarchy and the GPO's linked to the OU's. Administrators have the ability to back up and restore their GPO's in Active Directory, with the ability to import GPO's into another forest/domain. Resultant Set of Policy can be run from the console as well and provides much more detailed information than the default RSoP snap-in. There are many, many advantages to this tool and it is highly recommended that it be installed and used.
Loopback Processing
In regards to terminal servers, the problem with Group Policy in its default configuration is that users who log into both a workstation and a terminal session will have the same policies applied. Workstation policies are typically looser than what administrators want on a terminal server. Administrators want strict control of the user's session because of the multi-user nature of the terminal server. So the administrator is left with a dilemma - do they lock down the user policy and have that affect the workstation as well as the terminal session, or keep the GPO as it is and run the risk of the user taking down the server? The answer is to use loopback processing.
Loopback processing is a GPO setting located in Computer Configuration\Administrative Templates\System\Group Policy and was originally put in Group Policy to handle kiosk-type computers. No matter who logs into that particular computer, they will get the user settings linked to the computer's own OU.
Loopback processing is simply an option that allows the administrator to tell Group Policy to apply the User settings associated with this OU. When enabling Loopback processing, the administrator has a choice of either Replace or Merge. Enabling the Replace option tells Group Policy to ignore any other user settings that would typically be part of that user's policy set and only apply the settings from this OU. The merge option allows the other user settings to apply but the settings on this OU are applied last and are merged with the user's policy set. This means they override the other settings in case of a conflict. For terminal services, loopback processing is usually applied as Replace.
The Initial Setup
The first thing that should be done when implementing Group Policy is to create a new Organizational Unit (OU) for the terminal servers. Terminal servers should be in their own separate OU so that policy settings from other servers' OU's won't be applied to them and so that the settings you apply to terminal servers won't be applied to your other servers. Terminal servers are typically not treated the same as other servers because, in this case, you're going to have users actually on the system. Once you have the OU created, move a test server into the OU. Do not move all of your servers into the OU until you have created an environment that you are happy with and that has been tested thoroughly.
The next step is to create and link two Group Policy Objects to the new OU. The first GPO will be for the machine configuration and the second will be for the user configuration. Open the Group Policy Management Console (GPMC) and drill down until you come to the OU created above. Right click on the OU and select ‘Create and Link a GPO Here...'. Enter a name for the GPO and select OK. Do the same for the second GPO. Next, select the machine policy you just created, click the Details tab, and set the drop down box to ‘User configuration settings disabled'. Do the same for the user policy except make it ‘Computer configuration settings disabled'.
The next step is to edit the computer policy. Right click on the computer policy and choose Edit. This will bring up a new window called the Group Policy Object Editor. In the Computer Configuration, drill down through Administrative Templates, System, Group Policy and double click on ‘User Group Policy loopback processing mode'. Click the radio button next to ‘Enabled' and then change the drop down box to ‘Replace'.
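The same initial setup, scripted with the GroupPolicy and ActiveDirectory PowerShell modules that ship with RSAT/GPMC. This is an added example, not part of the original article; the OU name, GPO names and the test server name 'TS01' are hypothetical.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# and GroupPolicy modules are installed and the caller has rights to create
# OUs and GPOs in the domain. OU/GPO/computer names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn   = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com
$ouName     = 'Terminal Servers'
$ouDn       = "OU=$ouName,$domainDn"
$machineGpo = 'TS - Computer Settings'
$userGpo    = 'TS - User Settings'

# 1. A dedicated OU so other servers' GPO's do not reach the terminal servers.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Create the two GPOs (one for machine, one for user settings) and link them.
foreach ($name in @($machineGpo, $userGpo)) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name | Out-Null
    }
    New-GPLink -Name $name -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. Disable the unused half of each GPO (the GPMC "Details" tab setting).
(Get-GPO -Name $machineGpo).GpoStatus = 'UserSettingsDisabled'
(Get-GPO -Name $userGpo).GpoStatus    = 'ComputerSettingsDisabled'

# 4. Enable loopback processing in Replace mode in the computer GPO. The GUI
#    setting "User Group Policy loopback processing mode" writes this policy
#    registry value: 2 = Replace, 1 = Merge.
Set-GPRegistryValue -Name $machineGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 5. Move only a test server into the OU until the policy set is proven.
Get-ADComputer -Identity 'TS01' | Move-ADObject -TargetPath $ouDn

# Check: the loopback value should now be present in the computer GPO.
Get-GPRegistryValue -Name $machineGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
```

After the next policy refresh (or `gpupdate /force` on the test server), `gpresult /r` on that server should list the user GPO under the user's applied policies only when logged on through the terminal server, not on a workstation.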

The basic Group Policy structure for Terminal Services is now set up. At this point, the administrator can safely lock down the users without fear of affecting the users' normal logins to their workstations. The administrator is now one step closer to securing their Terminal Services environment.