Set correct rights on C: for users on RDSH and Citrix servers
By default the security rights on the C: disk of an RDSH server are set to:
And:
These rights allow your users to create folders and documents on the C: disk, which are readable by every user on the system. Some old applications also like to have their save preferences set to C:\something, so I'm seeing all kinds of data on the C: disk on the RDSH server with these default settings. On a Windows 7 system these rights make sense, but on an RDSH server they do not.
You can remove these settings manually (ignore all the warnings you get), but as sysops we want to automate this. We did it with icacls.exe:
icacls C:\ /remove:g BUILTIN\users
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)RX
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)(IO)(WD,AD)
You can put this in a startup script and deploy it through a GPO.
DON’T remove the Read settings; these read rights are set through:
icacls C:\ /grant:r BUILTIN\users:(OI)(CI)RX
which is the second line in the script.
DON’T remove these read/execute settings, as this would remove the execution bit on the RDSH server and deny executing any application on the system. That would defeat the purpose of an RDSH server, wouldn’t it? 😉
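Since `/grant:r` replaces any explicit permissions previously granted to the same account, it is worth checking the resulting ACL once the startup script has run. The PowerShell check below is an added example, not part of the original script; the function name `Test-UsersRootAcl` and its output fields are assumptions. It only inspects explicit allow entries for BUILTIN\Users, so rights granted through other groups are not covered.

```powershell
# Added example: report the explicit BUILTIN\Users allow ACEs on a drive root and
# flag whether read/execute is still present and whether create rights remain.
function Test-UsersRootAcl {
    param([string]$Path = 'C:\')

    $usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (works on localized systems)
    $fsr      = [System.Security.AccessControl.FileSystemRights]
    $rx       = [int]$fsr::ReadAndExecute                  # RX in icacls notation
    $create   = [int]$fsr::CreateFiles -bor                # WD in icacls notation
                [int]$fsr::CreateDirectories               # AD in icacls notation
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Explicit (non-inherited) ACEs only, with identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $aces = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $usersSid -and
                       $_.AccessControlType -eq 'Allow' }

    # One row per ACE. Generic access bits (GR, GE, ...) are not expanded here.
    $report = foreach ($ace in $aces) {
        $rights = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Rights       = $ace.FileSystemRights
            Inheritance  = $ace.InheritanceFlags
            InheritOnly  = ([int]$ace.PropagationFlags -band $inheritOnly) -ne 0
            GrantsRX     = ($rights -band $rx) -eq $rx
            GrantsCreate = ($rights -band $create) -ne 0
        }
    }
    $report | Format-Table -AutoSize | Out-Host

    # Summary: RX must apply to the root itself (not inherit-only);
    # any remaining WD/AD entry means users can still create files or folders.
    [pscustomobject]@{
        Path                = $Path
        UsersReadExecuteOk  = [bool]($report | Where-Object { $_.GrantsRX -and -not $_.InheritOnly })
        UsersCreateAceFound = [bool]($report | Where-Object { $_.GrantsCreate })
    }
}

Test-UsersRootAcl -Path 'C:\'
```

Run it from an elevated session on the RDSH server before and after applying the script and compare the two summaries.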