PCI DSS requires that copy/paste be disabled in Microsoft Windows Remote Desktop sessions, and this may need to be demonstrated to an onsite auditor. The compliance requirement is that clipboard redirection be disabled on all servers that interact with cardholder data, including web, app, and db hosts.

Since many prod web hosts are workgroup machines in a DMZ (not joined to a domain), Group Policy Editor applies to the local machine only, and the setting must be applied manually to each host. For domain machines, run gpedit.msc from a domain controller in the same forest.

From the in-scope PCI server:

Run GPEdit.msc

Navigate to: Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Device and Resource Redirection \ Do not allow clipboard redirection

Set the policy to Enabled

This will not take effect until users have logged off and logged back on. Make sure to fully log off, not just disconnect from RDP.

It is not a bad idea to update policy before logging off by running gpupdate /force from an administrator command line.
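
To confirm the setting on each in-scope server and keep evidence for the auditor, the following PowerShell is an added example, not part of the original post. It assumes the policy is stored as the fDisableClip DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services; the function name and CSV file name are illustrative.

```powershell
# Added example: report the state of "Do not allow clipboard redirection" on this server.
# Assumption: the policy is written as the DWORD 'fDisableClip' under the key below.
function Get-RdpClipboardPolicy {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )

    # A missing key or a missing value both mean the policy is Not Configured.
    $value = $null
    $item  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties.Name -contains 'fDisableClip')) {
        $value = $item.fDisableClip
    }

    if ($null -eq $value) {
        $state = 'Not Configured'      # clipboard redirection is allowed
    } elseif ($value -eq 1) {
        $state = 'Enabled'             # clipboard redirection is blocked
    } elseif ($value -eq 0) {
        $state = 'Disabled'            # clipboard redirection is explicitly allowed
    } else {
        $state = "Unexpected value: $value"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CheckedAtUtc = (Get-Date).ToUniversalTime().ToString('s')
        PolicyState  = $state
        Compliant    = ($value -eq 1)
    }
}

# Run from an elevated prompt on each in-scope server after gpupdate /force.
$result = Get-RdpClipboardPolicy
$result | Format-List

# Keep one CSV per host as audit evidence (file name is illustrative).
$result | Export-Csv -Path ".\rdp-clipboard-$($env:COMPUTERNAME).csv" -NoTypeInformation

# Sessions opened before the change keep the old behaviour until they log off,
# so a Compliant result does not mean existing sessions are already restricted.
if (-not $result.Compliant) {
    Write-Warning "Clipboard redirection policy is '$($result.PolicyState)' on $($result.ComputerName)."
}
```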

To re-enable RDP Copy/Paste:

Set the policy to Disabled or leave it as ‘Not configured’, then log off and back on.