How to Lock Down a VDI-in-a-Box Desktop to Prevent Shutdown

Description

This article describes how to lock down the VDI-in-a-Box desktop to prevent shutdown.

Requirements

The methods described in this article use Group Policies to apply these settings, but you can apply similar settings through local security policies and through scripting for those in workgroup mode.

Any version of VDI-in-a-Box
Tested using Windows 7 Golden Image, but similar or same policies apply to Windows XP, Windows 8, and Windows 2008R2 desktops
Active Directory role on a Windows 2008/R2 Server
Ability to create Group Policies for the OU where VDI-in-a-Box desktops are available

Background

In many cases, VDI-in-a-Box is deployed using pooled desktops with little to no personalization. This is typical for many schools, libraries, or other places that might have public kiosk-type deployments. In these cases, the desktops are used and refreshed regularly as the administrator does not want the users to tamper with the settings.

The primary goal of this article is to guide VDI-in-a-Box administrators about how to lock down the virtual desktops so the users cannot shut them down.

There have been production deployments in which students have been able to shut down pooled virtual desktops that were set to refresh on a scheduled basis This would cause the desktops that were shut down to remain in that state until the refresh cycle occurred. VDI-in-a-Box sees these desktops as assigned to users, thus, using licenses until the next refresh cycle. If this is done to numerous desktops in the pool, it could potentially cause only a few desktops to be available until the next refresh cycle or until the VDI-in-a-Box administrator destroys the sessions linked to the desktop in a shutdown state.

Note: This article is a framework and is not a fit-all type of solution.

Desktops can be locked down significantly more (or less), but there are many settings that can prevent desktops from being usable. If time permits, VDI-in-a-Box administrators can apply all the settings discussed in this article and run some tests as users to ensure everything works as expected within the VDI-in-a-Box desktops.

If you follow each step in this article, users will not be able to browse the C:\ drive, use the Search or Run commands, right-click within the desktop or Explorer, execute the Command Prompt, execute PowerShell, execute the Shutdown executable, amongst many other tasks. Testing verified that applications installed such as Office, web browsers, and sample-testing software all functioned correctly after these policies were applied.

Instructions

General Group Policy Information

Active Directory Group Policies are applied to VDI-in-a-Box virtual desktops and users just as they are applied to any other computer object in the directory. There are many reasons why a group policy is not applied correctly to a user or computer, so refer the Additional Resources section for some troubleshooting articles and external links.

Creating a Locked-Down Group Policy

Log on to a Windows Domain Controller.
Right-click the OU where VDI-in-a-Box desktops are created and select Create a GPO in this domain, and Link it here…and give the policy a name.
Optionally, right-click the new policy and select Enforced.
Right-click the policy and select Edit…

In many cases, you must apply the User Group Policy loopback processing mode because desktops reside in a different OU than user accounts. Refer to Additional Resources section for details.

Complete the following proceduer to apply this policy:

Drill down to Computer Configuration > Policies > Administrative Templates > Group Policy.
Enable the User Group Policy loopback processing mode and select appropriate Mode: Replace or Merge.

Group Policy Settings

This section provides a list of all group policies items that have been tested to lock down a Windows 7 virtual desktop to prevent shutdown through most known avenues of approach. This can be accomplished through multiple GPOs or through a single GPO that is linked to the OU where the VDI-in-a-Box desktop resides. The article has broken up Computer and User Configuration into two tables for easier reference.

A report of the applied group polices can be found as the SecureDesktopsPolicy.htm attachment in this article. Use the file as reference to the policies discussed in the following table:

Computer Configuration

Policy Location	Policy Name	Policy Setting	Additional Settings
Windows Settings/Security Settings	File System	Add c:\windows\system32\ shutdown.exe	Remove Users group and Add user groups that will you wish to restrict, change permissions to Deny Read and Execute
Policies/Administrative Templates/Group Policy	User Group Policy loopback processing mode	Enabled	Mode: Replace or Merge
Policies/Windows Settings/Security Settings/Software Restriction Policies	Software Restriction Policies	Enforcement set to All users except local administrators	Security Levels: Set Basic User to Default
Policies/Windows Settings/Security Settings/Application Control Policies	AppLocker	Create New Rule: Deny select users ability to launch Command Prompt C:\Windows\system32\ cmd.exe	Select Yes if prompted to create default rules
		Create New Rule: Deny select users ability to launch Shutdown C:\Windows\system32\ shutdown.exe
		Create New Rule: Deny select users ability to launch PowerShell C:\Windows\system32\ WindowsPowerShell\v1.0\ powershell.exe
Policies/Windows Settings/Security Settings/Local Policies/Security Options	Set User Account Control	Behavior of the elevation prompt for standard users to Automatically deny elevation requests
	Shutdown: Allow system to be shut down without having to log on	Disabled
Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment	Shut down the system	Remove all users from this group that are not allowed to shut down the system. Optionally, add users that can such as domain admins.

User Configuration

Policy Location	Policy Name	Policy Setting	Additional Settings
Policies/Administrative Templates/Control Panel	Prohibit access to the Control Panel	Enabled
Policies/Administrative Templates/Start Menu and Taskbar	Change Start Menu power button	Enabled	Log Off
	Do not search for files	Enabled
	Do not search programs and Control Panel items	Enabled
	Lock all the taskbar settings	Enabled
	Lock the Taskbar	Enabled
	Prevent changes to Taskbar and Start Menu Settings	Enabled
	Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands	Enabled
	Remove Network Connections from Start menu	Enabled
	Remove programs on Settings menu	Enabled
	Remove Run menu from the Start Menu	Enabled
	Remove Search Computer link	Enabled
	Remove Search link from Start Menu	Enabled
	Remove the Network Icon from Start Menu	Enabled
Policies/Administrative Templates/System	Prevent Access to the command prompt	Enabled	Optional: set Disable the command prompt script processing to Yes
	Prevent access to registry editing tools	Enabled	Set Disable regedit from running silently to Yes
	Restrict these programs from being launched from Help	Cmd.exe,regedit.exe,shutdown.exe
Policies/Administrative Templates/System/Ctrl +Alt +Del Options	Remove Task Manager	Enabled
Policies/Administrative Templates/Windows Components/Task Scheduler	Prohibit New Task Creation	Enabled
Policies/Administrative Templates/Windows Components/Windows Explorer	Hide these specified drives in My Computer	Enabled	Restrict C drive only
	Prevent access to drives from My Computer	Enabled	Restrict C drive
	Remove Windows Explorer’s default context menu	Enabled

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

Issue/Introduction

This article describes how to lock down the VDI-in-a-Box desktop to prevent shutdown.

Additional Information

The most common problem when applying a GPO is that either some, or all, of the settings are not applied to the virtual desktops. This can happen for any number of reasons, but we have found these to be the most common:

The user accounts and computer accounts reside in different OU’s, so the group policy is not applied. Loopback processing mode must be enabled. More information can be found through the following Microsoft links:
- http://support.microsoft.com/kb/231287
- http://social.technet.microsoft.com/wiki/contents/articles/windows-server-understand-user-group-policy-loopback-processing-mode.aspx
A security filter is applied to the GPO so it only applies to a specific user, group, or computer object. Some additional Microsoft links:
- http://technet.microsoft.com/en-us/library/cc759506(v=ws.10).aspx
- http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/bfdcf328-e7f9-4aba-b89d-455578bc82eb/
The virtual desktops were spun up before the GPO has been applied. A GPO can be forced to update on the domain controller through the gpupdate /force command, and then can be run on the virtual desktops. Some policies can only be applied after the user logs out so it might require desktops to be restarted or refreshed.

It is always important to test group policy results before rolling them into a production environment to ensure nothing breaks and that permissions are applied as you want them to. A nice tool to use is the Group Policy Modeling Wizard in Group Policy Management Editor console. This lets an administrator simulate the results of group polices without needing to guess-and-check on the actual desktops. More information about the GPMW can be found using the following links:

Welcome to "KB Articles"