This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: 'Enabled'. Rationale: In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Solution
To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow COM port redirection Note: This Group Policy path is provided by the Group Policy template 'TerminalServer.admx/adml' that is included with all versions of the Microsoft Windows Administrative Templates. Impact: Users in a Remote Desktop Services session will not be able to redirect server data to local (client) COM ports.