How to configure specific services with GPO


If you want to configure specific services on many computers, you can do it with a GPO.

In the GPMC, go to Computer Configuration\Preferences\Control Panel Settings\Services. There you can configure every service you want.



Also, if you want to configure the standard services, go to Computer Configuration\Policies\Windows Settings\Security Settings\System Services.
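Once the GPO has applied, it is worth checking on a target machine that the startup types really match what the policy defines. The script below is an added example (not part of the original post): it compares the local service configuration against a baseline hashtable. The baseline entries are constructed for illustration; replace them with the services and startup types your GPO sets.

```powershell
# Added example: compare local service startup types with the values a GPO
# is expected to enforce. The baseline is constructed; edit it to match
# your policy (service name -> startup type as shown in the GPO editor).
$Baseline = @{
    'RemoteRegistry' = 'Disabled'   # example entry
    'Spooler'        = 'Disabled'   # example entry
    'WinRM'          = 'Automatic'  # example entry
    'Wecsvc'         = 'Automatic'  # example entry
}

function Test-ServiceBaseline {
    param([hashtable]$Expected = $Baseline)
    foreach ($name in $Expected.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Expected = $Expected[$name];
                               Actual = '(not installed)'; State = 'n/a'; Compliant = $false }
            continue
        }
        # Win32_Service reports 'Auto', 'Manual' or 'Disabled'; normalise 'Auto'
        # to the 'Automatic' wording used in the GPO editor.
        $actual = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
        [pscustomobject]@{
            Service   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            State     = $svc.State
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

# Show only the services that drift from the baseline.
Test-ServiceBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run `gpupdate /force` first so the check reflects the current policy; an empty result means every listed service is in the configured state.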




GPO Settings to improve performance, security and connections on a RDS Server


A few months ago I audited a Remote Desktop Services infrastructure with RD Session Hosts and RemoteApp.

These are the settings I configured via GPO:

  • Settings for recovering disconnected RD and RemoteApp sessions:



  • Settings to improve bandwidth and mapping for RD clients:



  • To improve the security of the RD clients and the RemoteApp experience, I did the following:

This setting removes the prompt shown when connecting to a RemoteApp from the web app; I entered the certificate thumbprint.


And with these configurations I hide the server drives.

This one is set in the Remote Desktop console, in the server configuration, not in a GPO, and it improves the security of the user credential validation.
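To verify on an RD Session Host that these settings actually took effect, the following script (an added example, not from the original post) reads the registry values the corresponding policies write and prints a short report. Value names for the session time limits and the hidden-drives policy are the ones those GPO settings are documented to write; `TrustedCertThumbprints` is this example's assumption for the trusted .rdp publishers policy, and the `UserAuthentication` flag on the RDP-Tcp listener is assumed to be the listener-side credential check the post refers to, so confirm both on your own host. The hidden-drives policy is a user setting, so that part reflects the user running the script.

```powershell
# Added example: audit an RD Session Host for the policy areas listed above.
# Registry locations are those the GPO settings write; TrustedCertThumbprints
# and the listener UserAuthentication flag are assumptions noted in the lead-in.
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of an error when the policy is not set at all.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RdsHardeningReport {
    $disc     = Get-RegValue $TsPolicy 'MaxDisconnectionTime'   # milliseconds; absent = never
    $idle     = Get-RegValue $TsPolicy 'MaxIdleTime'            # milliseconds
    $thumbs   = Get-RegValue $TsPolicy 'TrustedCertThumbprints' # comma-separated SHA1 list (assumed name)
    $nla      = Get-RegValue $Listener 'UserAuthentication'     # 1 = credentials checked before session
    $noDrives = Get-RegValue $Explorer 'NoDrives'               # bitmask, bit 0 = A:, bit 2 = C: ...

    $hidden = @()
    if ($noDrives) {
        foreach ($bit in 0..25) {
            if ($noDrives -band (1 -shl $bit)) { $hidden += ('{0}:' -f [char](65 + $bit)) }
        }
    }

    [pscustomobject]@{
        DisconnectedSessionLimitMin = if ($disc) { $disc / 60000 } else { 'not set' }
        IdleSessionLimitMin         = if ($idle) { $idle / 60000 } else { 'not set' }
        TrustedRdpPublisherCount    = if ($thumbs) { ($thumbs -split ',').Count } else { 0 }
        ListenerCredentialCheck     = ($nla -eq 1)
        HiddenDrives                = if ($hidden) { $hidden -join ' ' } else { 'none' }
    }
}

Get-RdsHardeningReport | Format-List
```

A disconnected-session limit of "not set" on a host that is supposed to clean up abandoned sessions, or a publisher count of 0 while users still see the RemoteApp trust prompt, points at a GPO that has not applied to that host.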



How to create a security template for hardening


To create and apply a customized security template, I did the following:

  • Use a template based on Security Compliance Manager (SCM).

  • Deploy a temporary standalone Windows Server 2012 R2 for testing.

  • Import the .inf file exported with the GPO Backup (folder) option in SCM into the Security Templates MMC snap-in, then modify the options you want.

  • Add the Security Configuration and Analysis snap-in, import your template .inf and run the Analyze option; remember to use a new database.

  • Save the configuration as an .inf file; that is your security template for hardening.
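The analyze and apply steps can also be scripted with `secedit.exe`, which is what the Security Configuration and Analysis snap-in drives underneath. The script below is an added example, not part of the original post: it writes a small constructed .inf (stand-in for the template exported from SCM), analyzes it against a freshly created database each run, as the post advises, and lists the settings that differ. The "Mismatch" wording used to filter the log is an assumption about secedit's log format; check one log by hand on your own system.

```powershell
# Added example: run the template analysis from the command line with a new
# database per run. Requires an elevated prompt. The .inf content here is a
# constructed minimal template; replace it with the one exported from SCM.
$Work = Join-Path $env:TEMP 'hardening-test'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work 'hardening.inf'
$Db  = Join-Path $Work ('analysis-{0:yyyyMMdd-HHmmss}.sdb' -f (Get-Date))  # fresh database
$Log = Join-Path $Work 'analysis.log'

@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
'@ | Set-Content -Path $Inf -Encoding Unicode

function Invoke-TemplateAnalysis {
    param([string]$Template = $Inf, [string]$Database = $Db, [string]$LogFile = $Log)
    if (Test-Path $Database) { Remove-Item $Database }   # never reuse an old database
    if (Test-Path $LogFile)  { Remove-Item $LogFile }
    & secedit.exe /analyze /db $Database /cfg $Template /log $LogFile /quiet
    # Settings that differ from the template are logged with a "Mismatch"
    # prefix (assumed wording); everything else is noise for this purpose.
    Get-Content -Path $LogFile | Where-Object { $_ -match 'Mismatch' }
}

Invoke-TemplateAnalysis

# Once the mismatches have been reviewed, the same template is applied with:
#   secedit.exe /configure /db $Db /cfg $Inf /log $Log
```

In the `[Registry Values]` section the `4,5` after the path means type `4` (REG_DWORD) with value `5`; the same database and template pair is then reused for the `/configure` step so that what you apply is exactly what you analyzed.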


Disable certificate installation for users on a desktop computer


Below is how to block users from installing certificates on a desktop.


In a new GPO, under User Configuration, configure the following settings so that a user cannot install certificates with Internet Explorer or use the Certificates snap-in:


The next step is to use GPP to prevent a user from installing a certificate by double-clicking it. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System.


There we add the following exes:







And add a new user group with Deny permissions.


When the user double-clicks the certificate, the following message appears.
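Before rolling the File System policy out, the same deny entry can be applied and checked on a single machine. The script below is an added example, not from the original post: it adds a Deny ReadAndExecute ACE for a group on an executable and then confirms the entry is present. The executable path and group name are placeholders (the screenshot listing the exes did not survive); substitute your own list.

```powershell
# Added example: local equivalent of the File System GPO entry, for testing
# on one desktop. Needs an elevated prompt; files owned by TrustedInstaller
# need their owner changed first, which the GPO handles for you at apply time.
function Add-DenyExecuteRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group   # e.g. 'DOMAIN\group' (placeholder)
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-DenyExecuteRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    $acl = Get-Acl -Path $Path
    # True when a Deny entry for the group covers the ExecuteFile right.
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Group -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    })
}

# Placeholders: replace with an executable from your list and your group.
$Exe   = 'C:\Windows\System32\PLACEHOLDER-from-your-list.exe'
$Group = 'DOMAIN\PLACEHOLDER-group'
if (Test-Path $Exe) {
    Add-DenyExecuteRule  -Path $Exe -Group $Group
    'Deny rule present: {0}' -f (Test-DenyExecuteRule -Path $Exe -Group $Group)
}
```

Because Deny entries win over Allow entries, a member of the group gets the access-denied message on double-click even if another group grants them Read & Execute; test with a member account, not with an administrator.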



Configure Outlook Anywhere with GPO for Outlook 2003


Unfortunately, the Outlook 2003 ADM template cannot configure Outlook Anywhere settings, so I did it the old-school way:

Open GPMC and create a new GPO. Go to GPP, run the wizard, find a desktop computer with Outlook correctly configured, and import from HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a the following entries:

"00036623" = Enables the Exchange proxy settings and controls the various check boxes.
"001f6622" = Specifies the Exchange proxy server name.
"001f6625" = Specifies the Exchange proxy server name according to the principal certificate name.
"00036627" = Authentication: Basic or NTLM.

Be aware that users may have several Outlook profiles. In that case you need to add the same entries again, changing the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a so that the Outlook subfolder is replaced by the name of the other profile.

Also, you can configure item-level targeting on each registry path so that it only applies to users who have that profile.

Ah, this GPO is for users only!
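To see what the GPP registry items will be pushing, and to catch the multiple-profile case before the GPO is written, the following script (an added example, not part of the original post) reads the four entries from every profile under the user's hive, not just the one named Outlook. Decoding the REG_BINARY values as UTF-16 strings for the `001f` entries and as a little-endian DWORD for the `0003` entries is this example's assumption about how MAPI stores these properties; the friendly names in `$Props` are descriptive labels chosen here, not registry names.

```powershell
# Added example: enumerate the Outlook Anywhere entries listed above across
# all profiles of the current user. Decoding rules are assumptions (see
# lead-in); run it on the reference desktop before building the GPP items.
$ProfilesRoot = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
$ExchangeKey  = '13dbb0c8aa05101a9bb000aa002fc45a'
$Props = [ordered]@{
    '00036623' = 'ProxyFlags'          # enables proxy settings / check boxes
    '001f6622' = 'ProxyServer'         # proxy server name
    '001f6625' = 'ProxyPrincipalName'  # principal certificate name
    '00036627' = 'ProxyAuthMethod'     # Basic or NTLM
}

function ConvertFrom-MapiBinary([string]$PropTag, [byte[]]$Bytes) {
    if (-not $Bytes) { return $null }
    if ($PropTag.StartsWith('001f')) {
        # 001f = Unicode string, stored with a trailing NUL
        [System.Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0)
    } else {
        # 0003 = 32-bit integer, little-endian
        [BitConverter]::ToInt32($Bytes, 0)
    }
}

function Get-OutlookAnywhereSettings {
    Get-ChildItem -Path $ProfilesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $key = Join-Path $_.PSPath $ExchangeKey
        if (-not (Test-Path $key)) { return }   # profile without an Exchange account
        $item = Get-ItemProperty -Path $key
        $out  = [ordered]@{ Profile = $_.PSChildName }
        foreach ($tag in $Props.Keys) {
            $out[$Props[$tag]] = ConvertFrom-MapiBinary $tag $item.$tag
        }
        [pscustomobject]$out
    }
}

Get-OutlookAnywhereSettings | Format-Table -AutoSize
```

Each row corresponds to one registry path you will need in GPP; a user who shows two rows here is exactly the case where the second set of items, with the profile name swapped into the path and item-level targeting on it, is required.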

Regards and best practices!