18.10.57.3.3.8 (L2) Ensure 'Restrict clipboard transfer from server to client' is set to 'Enabled: Disable clipboard transfers from server to client'

Information

This policy setting controls whether the clipboard can be used to transfer data from the Remote Desktop session to the client.

The recommended state for this setting is: Enabled: Disable clipboard transfers from server to client

In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for the clipboard to transfer data from a Remote Desktop session to a client is rare, so it makes sense to reduce the number of unexpected avenues for malicious activity to occur.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Disable clipboard transfers from server to client :

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Restrict clipboard transfer from server to client

Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with the Microsoft Windows 11 Release 23H2 v2.0 Administrative Templates (or newer).

Impact:

Users will not be able to transfer clipboard data from the Remote Desktop session to the client.

See Also

https://workbench.cisecurity.org/benchmarks/21318

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7

Plugin: Windows

Control ID: 05583ccd86c9e7f68553756344c1b4c48c9a2ccadddaa7757bebbf6063506125