Details
This policy setting allows you to restrict users to a single Remote Desktop Services session.
The recommended state for this setting is: Enabled.
Rationale:
This setting ensures that users & administrators who Remote Desktop to a server will continue to use the same session – if they disconnect and reconnect, they will go back to the same session they were using before, preventing the creation of a second simultaneous session. This both prevents unnecessary resource usage by having the server host unnecessary additional sessions (which would put extra load on the server) and also ensures a consistency of experience for the user.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostConnectionsRestrict Remote Desktop Services users to a single Remote Desktop Services session
Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates.
Impact:
None – this is the default behavior.
Default Value:
Enabled. (Users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon.)
References:
CCE-37708-5
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management, Identification and Authentication.This control applies to the following type of system Windows.