Windows Server 2016 – Disabling the redirection of local resources

How to Change the server name on Windows Server 2019

One of the neat things about users connecting to virtual sessions within an RDS environment, especially when connecting remotely, is local resource redirection. This feature enables the users to have access to things that are local to where they are sitting, from inside their virtual session, such as the clipboard, so that copy and paste functions will work between local computer and RDS session and drive redirection so that you can save documents back and forth between the local hard drive and the RDS session. One of the most common uses of resource redirection is printers so that users can print from inside their RDS session, which is sitting on a server in the corporate network, directly to a printer on the local network where they are connected. An example could be someone needing to print a work document on a home printer.

This redirection technology can be very helpful but is often not desirable from a security and policies standpoint. Many organizations have a written security policy, which dictates that corporate data must remain within the corporate network and cannot move outside. Most often I see this in medical environments, where strict standards are in place to make sure data stays private and secure. This means that data cannot be copied and pasted to the local computer, documents cannot be saved outside the RDS session, and printing documents is also often not allowed.

While it may be disappointing that you cannot use these functions if your security policy dictates it, thankfully disabling redirection is an easy thing to accomplish. Follow along to learn where these settings reside.

Getting ready

We are logged into our Server 2016 RDSH server. This server is hosting some sensitive information and we want to make sure that users cannot save documents to their local computers, cannot print documents to local printers, and cannot copy/paste within the clipboard in order to move data from the RDS session to their local computers.

How to do it…

Follow along to disable these redirection features on our RDSH collection:

  1. Open up Server Manager and click on Remote Desktop Services to open up the management of your RDS environment.
  2. We currently only have one RDSH collection listed, which contains both of our RDSH servers. This is the collection that all of our users connect to when they have to access this sensitive information. Click on the name of that collection. For our example, this one is called MDomain RDSH Servers.
  3. Near the top of the screen, look for the section called Properties. Drop down the Tasks box and click on Edit Properties:
  1. Click on Client Settings.
  2. Here is your list of the items that are currently capable of being redirected. Go ahead and deselect each of the redirections that you want to disable. For our example, we are unchecking Drives, Clipboard, and Allow client printer redirection:
  1. Click OK and those redirected resources are no longer available to client computers connecting to this RDSH collection.

How it works…

Providing users with the capability of moving data back and forth between their local computers and RDS sessions sounds like a great feature, but is often less than desirable. With some simple checkboxes, we can disable these capabilities wholesale so that you can adhere to security policies and make sure sensitive data remains protected. Once you are familiar with the location of these settings, the enablement or disablement of them is intuitive and easy to accomplish. What is even better is that these settings can be changed at any time; it doesn’t have to be a decision made while the RDS environment is being built. If you make the decision down the road to turn some of these options on or off, you can make these changes at any time to a production RDS.

Comments are closed.