email article printer friendly more resources

Your Terminal Services Setup Guide
Learn the best way to batten down the hatches on your servers without going too far.
by Kenton Gardinier

September 22, 2004

Windows Server 2003 Terminal Services is a client/server system that enables people using fat- or thin-client hardware and Terminal Services software to run their applications on a remote server. Most ordinary computer users don't know or care if their applications are running on their desktop or a server down the hall or on a satellite orbiting the moon if their apps work responsively enough.

Terminal Services can be a boon for system administrators as well, who can use it to manage servers remotely. The terminal server performs all the processing with its hardware resources, and shuttles video, keyboard, and mouse signals to and from the client and remote server.

However, keep in mind that when planning, designing, or implementing Windows Server 2003 Terminal Services, you are granting users access to a server. Because users are logging in to the server and using its applications and services, it is important to strike a balance between a user's productive capability and what the user can do, either intentionally or accidentally, to the server. Unchecked, a single session can harm other user sessions as well as the entire server. In this article, you will learn the best way to configure a Terminal Services server to give users the best experience possible while placing enough safeguards to protect your server from common misfortunes.

Building Secure Terminal Servers
Terminal Services is only as secure as the underlying operating system. Windows Server 2003 should be secured using standard security guidelines and policies defined by the organization. In addition to the organization's security standards and guidelines, it is prudent to use the best practices compiled by Microsoft, the National Institute of Standards and Technologies (NIST), and the National Security Agency (NSA). Both NIST and NSA provide security lockdown configuration standards and guidelines that can be downloaded from their Web sites (see Resources).

Windows Server 2003 Terminal Services in terminal server mode can be run in either the Full Security or Relaxed Security compatibility mode, as shown in Figure 1, to meet your organization's security policy and application requirements. Full Security mode was created to help lock down the terminal server environment to reduce the risk of users mistakenly installing software or inadvertently disabling the terminal server by moving directories or deleting Registry Keys. This mode can be used for most certified terminal server applications.

Relaxed Security mode supports legacy applications that require extended access into the server system directory and the System Registry. As the name implies, security is lenient and does not protect against intentional or accidental unauthorized access. This setting can be changed later by using the Terminal Server Configuration MMC snap-in.

For most organizations, the best course of action is to select the Full Security option. Doing so restricts permissions for terminal server users to the Users group. Use the Relaxed Security mode only when there are compatibility issues with legacy applications that must be run from a Terminal Services session (see Figure 1).

Remember the server's other roles and physical security. For many organizations, terminal servers should be member servers providing only Terminal Services functions. For instance, installing Terminal Services on a domain controller will weaken Active Directory domain security. Also, these servers should be located in a locked room or datacenter to protect from unauthorized users gaining physical access to the server.

Terminal server resources should be segmented in such a way that users can only modify specific settings. While this sounds obvious and easy to do, it requires careful planning. For instance, partitioning the server's disk subsystem can keep the operating system, logs, applications, and profiles separated. Each of these partitions should also be formatted with NTFS so that the proper permissions can be applied. This also makes it easier for administrators to manage and lock down specific resources.