Browsers developer mode allows unrestricted changing of any setting that is served inside */html5/settings.js therefore restrictions on settings.js won't give you full protection against malicious attacker. For this reason to get deeper level of protection some specific settings in settings.js have alternative on server side that can't be affected from browser side. As example restricting of file access, clipboard access, file extensions etc.

The wished server side settings are located inside *\Clients\webserver\settings.bin


1. open with Notepad *\Clients\webserver\settings.bin and add one or few of following settings in bold font.

map_clip_board=false

>this setting will disable clipboard access for HTML5 clients


disable_file_access=true

>this setting will completely disable file access for HTML5 clients


no_file_listing=true

>instead complete disabling of file access this settings will stop files to be listed inside \\tsclient\WebFile but still enable file transfer


disable_shared_folder=true

>this will disable ability to access shared folder by HTML5 clients


allow_remote_app=false

>this setting will completely disable RemoteApp style calls of remote programs, however since HTML5 6.34 this setting is permanently disabled and must be enabled by allow_remote_app=true in order to be reused again.


disable_cgi=true

>this setting will completely disable CGI scripts execution for internal webserver but will have bad impact on functionality


disable_channel_eval=true

>this setting will completely disable JavaScript command execution sent from RDP session to browser, disabling it will have bad impact on functionality


upload_allow_extensions="|*.pdf|*.txt|"

max_upload_size="10mb"

>these setting set limits for files on server side, so that checks will be still effective even if attacker adapts settings on browser side


disable_xhr=true

disable_non_native_clients=true

>these settings will disable all clients running in compatibility mode, also not Websockets based, like XHR or Flashsocket


2. save the file and restart HTML5 client to take changes effect.