PCI DSS assessments commonly require that copy/paste (clipboard redirection) be disabled in Microsoft Windows Remote Desktop sessions, and an onsite QSA may ask to see this demonstrated. With redirection enabled, anything copied inside an RDP session lands on the clipboard of the connecting workstation, so cardholder data can leave the cardholder data environment without touching any monitored file transfer path. The control must cover every server that stores, processes or transmits cardholder data, including web, application and database hosts.
Many production web hosts are standalone workgroup machines in a DMZ (not domain-joined), so the Local Group Policy Editor (gpedit.msc) affects only the machine it is run on and the setting has to be applied by hand on each host. For domain-joined servers, do not edit local policy on a domain controller (gpedit.msc there only changes that DC's own local policy); instead put the same setting in a domain GPO with the Group Policy Management Console (gpmc.msc) and link it to the OU that contains the in-scope servers.
From the in-scope PCI server:
Navigate to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection > Do not allow Clipboard redirection
Set the policy to Enabled.
Run gpupdate /force from an elevated command prompt so the host applies the policy immediately rather than waiting for the next scheduled policy refresh.
The setting only applies to new sessions. Users who are already connected keep clipboard redirection until they fully log off and log back on; disconnecting the RDP session is not enough, because a disconnected session is still running with its original redirection settings.
To re-enable RDP copy/paste:
Set the policy back to Disabled or Not Configured, run gpupdate /force, then log off and back on.
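The following PowerShell script is an added example, not part of the original note, for auditing the result of the procedure above on each in-scope host and producing evidence for an assessor. It reads the registry values that the "Do not allow Clipboard redirection" policy and the older per-listener RDP-Tcp setting write (fDisableClip), reports the effective state, optionally writes the policy value, and lists sessions that still need to log off. Run it from an elevated PowerShell prompt on the RDS host.

```powershell
# Added example, not from the original page: audit (and optionally enforce) the
# "Do not allow Clipboard redirection" setting on an RD Session Host.
# Run from an elevated PowerShell prompt on each in-scope server.
#
# The Group Policy setting writes the DWORD fDisableClip=1 under the Terminal
# Services policy key. The value under WinStations\RDP-Tcp is the non-policy,
# per-listener equivalent (what the legacy RD Session Host Configuration tool
# set); when both are present the policy value wins.
param(
    [switch]$Enforce   # write the policy value instead of only reporting it
)

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ValueName   = 'fDisableClip'

function Get-ClipValue([string]$Path) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Get-ClipboardRedirectionState {
    $policy   = Get-ClipValue $PolicyKey
    $listener = Get-ClipValue $ListenerKey

    # Policy overrides the listener setting; with neither set, redirection is allowed.
    if ($null -ne $policy)       { $effective = $policy }
    elseif ($null -ne $listener) { $effective = $listener }
    else                         { $effective = 0 }

    if ($null -eq $policy)   { $policyText = 'Not configured' } else { $policyText = $policy }
    if ($null -eq $listener) { $listenerText = 'Not set' }     else { $listenerText = $listener }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Checked              = (Get-Date).ToString('s')
        PolicyValue          = $policyText
        ListenerValue        = $listenerText
        ClipboardRedirection = if ($effective -eq 1) { 'Blocked' } else { 'Allowed' }
        Compliant            = ($effective -eq 1)
    }
}

$state = Get-ClipboardRedirectionState
$state | Format-List

if ($Enforce -and -not $state.Compliant) {
    # Same effect as setting the policy to Enabled in gpedit.msc. A direct registry
    # write is not shown in gpedit.msc's view of local policy, so where the assessor
    # wants to see the policy UI, set it through gpedit.msc or a domain GPO instead.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    gpupdate /force | Out-Null
    Get-ClipboardRedirectionState | Format-List
}

# Sessions that were already logged on keep clipboard redirection until the user
# fully logs off. A 'Disc' (disconnected) session is still running and still not
# compliant, so list everything quser reports.
$sessions = quser 2>$null | Select-Object -Skip 1
if ($sessions) {
    Write-Host 'Existing sessions must log off (not just disconnect) before the setting applies:'
    $sessions | ForEach-Object { Write-Host "  $($_.Trim())" }
} else {
    Write-Host 'No interactive sessions; new RDP logons will receive the setting.'
}
```

Run it with no switches to produce the before/after evidence for the auditor, or with -Enforce on a workgroup host to set the value directly. For domain-joined servers the same registry value can be placed in a domain GPO from a management workstation with the RSAT GroupPolicy module, e.g. Set-GPRegistryValue -Name "<GPO name>" -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -ValueName fDisableClip -Type DWord -Value 1, then linked to the OU holding the in-scope servers.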