Lock down Terminal Server Part 1

In Windows Server 2003, Microsoft has redesigned many aspects of Terminal Services. In the new OS, Remote Desktop supplants Windows 2000 Terminal Services' Remote Administration mode, client/server encryption has been strengthened, and you can use Active Directory (AD) Group Policy to centrally perform most Terminal Services configuration management. However, properly securing Terminal Services remains a tricky process, in which you must balance the level of user access with data security. And each server in a given organization might require a different degree of lockdown. For example, consider the security contrast between a public kiosk running a custom application through Terminal Services and a server in your data center that only administrators access remotely through Remote Desktop. The former requires a high degree of lockdown, whereas the latter requires little Terminal Services-specific lockdown. Let's look at some of the major considerations behind locking down Terminal Services for Windows 2003.

New and Improved
Terminal Services is installed by default in every Windows 2003 and Windows XP setup. Multiple applications—including Fast User Switching, Remote Assistance, Remote Desktop, and Terminal Server—use this service to enable remote, interactive systems management. What we're concerned with in this article is securing the Windows 2003 server-based Terminal Services applications Remote Desktop and Terminal Server. For the most part, both applications use either local or remote Group Policy Objects (GPOs) to restrict user access. Remote Desktop is intended for systems administration tasks and limits connections to two users, plus a third connection to the console. Terminal Server's connections are designed for many concurrent user sessions, and capacity is generally determined by licensing and hardware constraints.

Terminal Services lets you remotely control a computer by using the Remote Desktop Connection client via the Remote Desktop Protocol (RDP). New to Windows 2003 is RDP version 5.2. This version can redirect devices on the client into the server session: printer ports, COM ports, the clipboard, drives, and even audio. For example, you can connect to a remote computer and copy a snippet of text from Notepad, then paste it into an application on your local computer. Similarly, if you're at home accessing email from your work computer, your home speakers will play your work computer's audio alert when new mail arrives. You'll want to consider restricting these redirections, particularly if users are connecting to the Terminal Server system from an outside computer, such as a home system. For example, with drive redirection enabled, remote users can access their home computer's C drive directly from the Terminal Server session, making it simple to copy company files to the home computer. You should take similar precautions with printers, COM ports, and even the clipboard. (Of course, you'll also want to restrict other access methods related to Terminal Server.)

Although the Terminal Services service is present, neither Remote Desktop nor Terminal Server is enabled by default. To discover any systems that are accepting Terminal Services clients, use your favorite port scanner and search your network for TCP port 3389, the port on which RDP listens. Positive hits indicate that a Terminal Server computer is listening. Bear in mind that the listening port is configurable (the PortNumber value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), so a sweep of 3389 alone can miss a server whose administrator has moved it to another port, and an open 3389 on its own proves only that something answers there, not that it is RDP.
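The sweep described above, as an added example that is not part of the original article. It goes one step beyond checking whether TCP 3389 is open: after connecting it sends the X.224 Connection Request that opens every RDP session and reports a host as RDP only if the reply is an X.224 Connection Confirm, which tells a Terminal Server apart from some other service parked on the same port. The subnet, port and timeout values are placeholders to replace with your own.

```powershell
# Added example (not from the original article): find hosts that speak RDP.
# Assumptions: PowerShell 2.0 or later; run from a host that can reach the
# targets; the subnet below is a placeholder.

function Test-RdpListener {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 3389,      # RDP default; pass another value for a moved listener
        [int]$TimeoutMs = 1500
    )
    # TPKT header (RFC 1006) followed by a minimal X.224 Connection Request:
    #   03 00 00 0B             TPKT version 3, reserved, total length 11
    #   06 E0 00 00 00 00 00    LI=6, CR code 0xE0, DST-REF, SRC-REF, class 0
    $x224Cr = [byte[]](0x03,0x00,0x00,0x0B,0x06,0xE0,0x00,0x00,0x00,0x00,0x00)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'closed/filtered'
        }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($x224Cr, 0, $x224Cr.Length)

        $buf = New-Object byte[] 64
        $n = $stream.Read($buf, 0, $buf.Length)
        # A Connection Confirm carries TPKT version 3 and X.224 code 0xD0 at offset 5.
        if ($n -ge 7 -and $buf[0] -eq 0x03 -and $buf[5] -eq 0xD0) {
            return 'rdp'
        }
        return 'open, not RDP'
    }
    catch [System.Net.Sockets.SocketException] { return 'closed/filtered' }
    catch [System.IO.IOException]              { return 'open, no RDP reply' }
    catch                                      { return 'error: ' + $_.Exception.Message }
    finally { $client.Close() }
}

# Placeholder range; substitute the network you are authorised to scan.
$subnet = '192.168.1'
$port   = 3389
1..254 | ForEach-Object {
    $target = "$subnet.$_"
    $result = Test-RdpListener -ComputerName $target -Port $port
    if ($result -ne 'closed/filtered') {
        '{0}:{1}  {2}' -f $target, $port, $result
    }
}
```

Run it a second time with -Port set to whatever PortNumber your hardened servers use; a host that answers "open, not RDP" on 3389 deserves a look too, since it is either a decoy or a mistake.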

Enabling Remote Desktop
Installation of Remote Desktop and Terminal Server occurs in two separate places in Windows 2003. To enable Remote Desktop, open the Control Panel System applet and click the Remote tab. Select the Allow users to connect remotely to this computer check box. Next, choose the users that you want to be able to connect to the computer. This process adds those users to the local computer's Remote Desktop Users security group. By default, only members of the local Administrators group and the Remote Desktop Users group can use a Terminal Services client to connect to this computer.

Behind the scenes, the Allow logon through Terminal Services user right (SeRemoteInteractiveLogonRight) in a domain or local GPO is what actually permits the connection; the System applet simply adds users to a group that holds that right. When you're auditing a computer to determine who can connect to Terminal Services, check this user rights assignment, and also the Deny logon through Terminal Services right, which overrides it. In a domain, the effective setting comes from the applied GPOs rather than from Local Security Policy alone, so verify it on the machine with rsop.msc or gpresult rather than trusting what you set locally.

Installing Terminal Server
Microsoft has rebranded the long-winded Windows 2000 Terminal Services Application Mode as simply Terminal Server. Before you install Terminal Server, think about how users and administrators of the Terminal Server system should be permitted access to the Internet. By default, Windows 2003 greatly restricts Microsoft Internet Explorer (IE) by way of the Windows component called Internet Explorer Enhanced Security Configuration (IE ESC). Built-in IE security zones (Internet, Local intranet, Trusted sites, Restricted sites) enable or disable certain functionality; for example, ActiveX controls and scripting are disabled for the Internet zone. Therefore, users might need to add sites to the Trusted sites zone so that the sites display properly. Although you can relax this setting for users (who generally operate with lower privileges), you probably don't want to relax it for administrators: any malicious Web site that compromises an administrator's browser session does so with administrative privileges on the server itself, and on a Terminal Server that server is shared by every user of the box.

Launch the Control Panel Add or Remove Programs applet, click Add/Remove Windows Components, select Internet Explorer Enhanced Security Configuration, and click Details. To relax the settings for regular users, clear the Users check box but leave the Administrators check box selected. (In this context, Microsoft's Administrators group covers members of both the local Administrators and Power Users groups.) Under this configuration, regular users will be able to browse Web sites as usual, whereas administrators will remain restricted in how they use IE.
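A single audit script for the two procedures above (Remote Desktop enablement, group membership and the Allow/Deny logon through Terminal Services rights; and the IE ESC state for the Administrators and Users groups), added here as an example and not part of the original article. It reads the places those GUI steps write to, so you can confirm a server's state without clicking through the applets. Assumptions: it runs locally as an administrator on Windows 2003 or later, secedit.exe is available (it ships with the OS), and $env:TEMP is writable. The two Active Setup component GUIDs are the ones Windows uses to record the IE ESC setting for the Administrators and Users groups respectively.

```powershell
# Added example (not from the original article): audit remote-access and IE ESC state.
# Assumptions: local run as administrator; secedit.exe present; $env:TEMP writable.

# Turn a secedit privilege line ("*S-1-5-32-544,*S-1-5-32-555") into account names.
function Convert-RightSids([string]$line) {
    if (-not $line) { return @() }
    $line.Split(',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }      # not a SID, or unresolvable (deleted account): keep raw
    }
}

function Get-RemoteDesktopAccess {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 1 means the Remote tab check box is cleared.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

    # Local group membership via the WinNT ADSI provider.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    # User rights live in the local security database; secedit exports them as INF.
    $cfg = Join-Path $env:TEMP 'rights-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $text = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $allow = ($text | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }) -replace '^.*=\s*', ''
    $block = ($text | Where-Object { $_ -match '^SeDenyRemoteInteractiveLogonRight\s*=' }) -replace '^.*=\s*', ''

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($deny -eq 0)
        RemoteDesktopUsers   = $members
        AllowLogonThroughTS  = Convert-RightSids $allow
        DenyLogonThroughTS   = Convert-RightSids $block
    }
}

function Get-IeEscState {
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $admin = Get-ItemProperty "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -ErrorAction SilentlyContinue
    $user  = Get-ItemProperty "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        IeEscAdministrators = ($admin -ne $null -and $admin.IsInstalled -eq 1)
        IeEscUsers          = ($user  -ne $null -and $user.IsInstalled  -eq 1)
    }
}

Get-RemoteDesktopAccess | Format-List
Get-IeEscState          | Format-List
```

The result you want on a server that follows this article is RemoteDesktopEnabled set to True only where you intend it, AllowLogonThroughTS limited to Administrators and Remote Desktop Users, IeEscAdministrators True, and IeEscUsers False only on a box where ordinary users actually need to browse.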

To install Terminal Server, launch the Add or Remove Programs applet, click Add/Remove Windows Components, and select Terminal Server to launch the installation wizard. Terminal Server requires a Terminal Server License Server once the 120-day grace period expires, so plan for one; licensing has changed significantly in Windows 2003. Also, remember that once you install Terminal Server, you'll no longer have the two-connection Remote Desktop for Administration mode, because both use the same client and protocol. Effectively, the many-user Terminal Server replaces the user-limited Remote Desktop.

Next, choose whether to install Terminal Server's default permissions for application compatibility as Full Security or Relaxed Security. These two settings define how tightly the registry and specific system files are restricted from Terminal Server users. In Full Security, the more restricted mode, users don't have write access to application registry keys under HKEY_LOCAL_MACHINE or to critical system files, which can hobble some legacy Windows NT 4.0 applications that were written to expect local Administrator access. If you have such applications, you can still run in Full Security mode. However, you must find the registry key that the application writes to (running the application under Regmon or Process Monitor and filtering for ACCESS DENIED results is the quickest way) and edit the security access control entry (ACE) on that key to allow your Terminal Server users to write to it. This procedure might not work in all instances, so if you find that the legacy application still isn't working, you can revert to Relaxed Security by using the Terminal Services Configuration (TSCC) tool, which I describe later. Relaxed Security introduces a security risk to your server because it allows users wider access to critical system files and registry entries that could be exploited by a worm, virus, or malicious user. So, use this mode only as a last resort. As with previous versions of Terminal Services, you might need to reinstall applications so that they work correctly with Terminal Server; install them through Add or Remove Programs, or run change user /install before setup and change user /execute afterwards, so that per-user registry and INI settings are captured and replicated into each user's session.
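The ACE edit described above, as an added example that is not from the original article: keep the server in Full Security and open only the one registry key a legacy application insists on writing to, rather than switching the whole machine to Relaxed Security. The key path HKLM:\SOFTWARE\ExampleVendor\LegacyApp is hypothetical (find the real one with Regmon or Process Monitor), the grantee is assumed to be the built-in Remote Desktop Users group (S-1-5-32-555), and the script must run as a local administrator on a machine where the key already exists.

```powershell
# Added example (not from the original article): grant write access on one key only.
# Assumptions: run as administrator; $appKey below is a hypothetical path that
# exists on your server; the grantee is Remote Desktop Users (S-1-5-32-555).

function Grant-RegistryWrite {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [string]$GranteeSid = 'S-1-5-32-555'
    )
    $acl     = Get-Acl -Path $KeyPath
    $grantee = New-Object System.Security.Principal.SecurityIdentifier $GranteeSid
    # Only the rights an application needs to maintain its own settings. No
    # ChangePermissions, TakeOwnership or Delete, so a user cannot widen the grant
    # or remove the key; WriteKey would include ChangePermissions via FullControl.
    $rights = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions'
    # ContainerInherit: subkeys the application creates get the same narrow grant.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $grantee, $rights, $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Show-RegistryAcl([string]$KeyPath) {
    (Get-Acl -Path $KeyPath).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}

$appKey = 'HKLM:\SOFTWARE\ExampleVendor\LegacyApp'   # hypothetical path
'Before:'; Show-RegistryAcl $appKey
Grant-RegistryWrite -KeyPath $appKey
'After:';  Show-RegistryAcl $appKey
```

Resist the temptation to grant the application's whole vendor key or, worse, HKLM\SOFTWARE: the point of staying in Full Security is that the grant is exactly as wide as the application's demonstrated need, and anything else a user can write under HKLM is a foothold for the "malicious user" case the article warns about.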

In Part 2 we will look at the actual lockdown. See you then!
