The client can use the Snipping Tool, even in full-screen. Even if you find a way to disable the Print Screen key on clients (you can if you have control of their registry, but that requires completely disabling the key and rebooting the client system; if people are remoting in with their own systems, that isn't going to happen), there are hundreds of screen-capturing utilities that can screenshot and record the RDP window as it is visible on their machine.
And, they can always take a picture with their smartphone. It sounds like you're trying to find a technical solution to a social problem - these almost never work out well.
Unless you're talking about a kiosk system where you have 100% full control of the client, and you have the resources to write a utility that prevents RDP from losing focus, then an RDP client can screenshot and record anything on the RDP session that they want.
Your requirement is not technically feasible. As a client user, I'm either authorized to view the data, or I'm not. If you can't trust what someone will do with the data, don't authorize them to view it at all.
If you have full physical security, then:
- Remove the snipping tool from the client machines
- Disable the local clipboard in Remote Desktop
- Use SharpKeys or something similar to set up a custom keymap that disables PrintScrn (remap it to keycode `00`)
- Firewall the machines so that the ONLY server they can see on the network is the RDP server (and possibly the domain controller). The client machines should not be able to access the Internet in any way, shape, or form at any time.
- Make sure no I/O ports (DVD burner, eSATA, USB, etc.) can be physically accessed on the client machines. Keep the machine in a locked cabinet at all times, or I've even heard of companies putting glue into the USB ports.
The idea here is that:
- They should have no way to download or install any 3rd party screen capture tools
- If they manage to capture the screen, there is no way for them to get the image off of the machine.
This all breaks apart if the user can connect the machine to a different network or if they can physically touch the client machine itself (other than the mouse/keyboard).
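The PrintScrn remap in the checklist above ends up in the binary `Scancode Map` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout`, which is the value SharpKeys edits. The following is an added example, not part of the original answers: it parses an exported value and checks that PrintScrn (scan code `E0 37`) is mapped to `00`, so a kiosk build can be audited. The function names are hypothetical and the sample bytes are constructed.

```python
import struct

PRINT_SCREEN = 0xE037  # extended scan code E0 37, stored little-endian as 37 E0
DISABLED = 0x0000      # target code 00 00 turns the key off


def build_scancode_map(mappings):
    """Build a Scancode Map blob from {source_scancode: target_scancode}."""
    body = b"".join(struct.pack("<HH", target, source)
                    for source, target in mappings.items())
    # Header: version (0), flags (0), entry count including the null terminator.
    header = struct.pack("<III", 0, 0, len(mappings) + 1)
    return header + body + struct.pack("<I", 0)


def parse_scancode_map(blob):
    """Return {source_scancode: target_scancode}; raise ValueError if malformed."""
    if len(blob) < 16:
        raise ValueError("blob shorter than header plus terminator")
    _version, _flags, count = struct.unpack_from("<III", blob, 0)
    if count < 1 or len(blob) != 12 + 4 * count:
        raise ValueError("entry count does not match blob length")
    if struct.unpack_from("<I", blob, 12 + 4 * (count - 1))[0] != 0:
        raise ValueError("missing null terminator")
    entries = {}
    for i in range(count - 1):
        # Each entry: 2 bytes target code, then 2 bytes source code.
        target, source = struct.unpack_from("<HH", blob, 12 + 4 * i)
        entries[source] = target
    return entries


def printscreen_disabled(blob):
    """True only if the blob is well formed and maps PrintScrn to 00."""
    try:
        return parse_scancode_map(blob).get(PRINT_SCREEN) == DISABLED
    except ValueError:
        return False


# Constructed sample: the value a PrintScrn-to-00 remap produces.
SAMPLE = bytes.fromhex("00000000 00000000 02000000 000037E0 00000000")

if __name__ == "__main__":
    print("PrintScrn disabled:", printscreen_disabled(SAMPLE))
```

A passing check covers only the keyboard key; it says nothing about capture utilities or a camera pointed at the screen, which is why the rest of the checklist still applies.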