Lock Down Terminal Server part 3

A new feature in Windows 2003 lets you make the majority of Terminal Server security configurations directly through a GPO. From the Group Policy Object Editor, navigate to Computer Configuration, Administrative Templates, Windows Components, Terminal Services to find the Terminal Server-specific settings. You can also find a small subset of these settings under a similar structure in the Group Policy Object Editor's User Configuration node.

Fine-tuning security configuration through TSCC. You can also configure most Terminal Server security settings directly on a Terminal Server computer by using the TSCC tool. (However, if you've set a GPO, the GPO will have priority and the equivalent setting in TSCC will be unavailable.) Launch TSCC from Administrative Tools, Terminal Services Configuration. In the left pane of the resulting dialog box, you can choose to configure Connections or Server Settings. First, click Server Settings. In the right pane, you'll find two important security settings: You can change the aforementioned Permission Compatibility mode (Full Security or Relaxed Security), and you can choose to restrict each user to one session. Limiting users to one session decreases the possibility of programs in abandoned (or spawned) sessions affecting other users of the Terminal Server system.

The remaining TSCC security configuration occurs in the Connections node. Expand the node, right-click the RDP-Tcp connection, and click Properties to access the RDP-Tcp Properties dialog box. This dialog box contains many of the settings that you can also configure through a GPO. On the General tab, you can specify the encryption you want to use. By default, Terminal Services uses Client Compatible encryption, which first attempts 128-bit encryption but will ratchet down to find a level that's usable by the client. The High encryption level forces 128-bit encryption, and the Low encryption level uses 56-bit encryption only from the client to the server. (The other levels provide encryption in both directions.) The FIPS Compliant level meets the Federal Information Processing Standard (FIPS) 140-1 government standards for encryption and is the highest setting that Terminal Services offers. If you're using a strictly Win2K or later network, specify an encryption setting of High to ensure an adequate level of encryption between server and client. You can also require that the Terminal Server computer use standard Windows authentication to authenticate users instead of an alternative authentication system that you might have installed.

Also in the RDP-Tcp Properties dialog box, you'll find a Permissions tab that lists the Terminal Server computer's security descriptors. These descriptors list the users and groups that can perform functions (e.g., log on, take remote control, query or set information, send messages to other sessions, connect or disconnect sessions) on the Terminal Server machine. By default, the local Administrators group and the SYSTEM account have Full Control over these functions, and the Remote Desktop Users group has User Access, which permits the group to log on, connect, and query information. Additionally, the LOCAL SERVICE and NETWORK SERVICE accounts have access to query information and send messages to users. If you don't use Group Policy, be sure to visit the RDP-Tcp Properties dialog box's Client Settings tab and consider disabling Drive mapping, Windows printer mapping, LPT port mapping, COM port mapping, and Clipboard mapping. If computers outside your company access this Terminal Server computer, you should disable these mappings because they provide easy methods to transport data from the Terminal Server computer to another computer.
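The two preceding paragraphs describe settings that can come from either a GPO or TSCC, with the GPO value taking priority. The following PowerShell audit script is an added example and is not part of the article: it reads the effective value of each setting (encryption level, single session per user, and the five client mappings), reports which source set it, and flags anything weaker than the hardened value the article recommends. It assumes that the registry value names used below (MinEncryptionLevel, fSingleSessionPerUser, fDisableCdm, fDisableCpm, fDisableLPT, fDisableCcm, fDisableClip) are the ones Windows stores for these settings under the Policies key (written by the GPO) and under the WinStations\RDP-Tcp and Terminal Server keys (written by TSCC), and that it runs as an administrator on the Terminal Server itself in PowerShell 2.0 or later.

```powershell
# Added example, not from the article: audit the effective RDP-Tcp security
# settings on a Windows 2003 Terminal Server and report which source set them.
# Assumptions: the registry value names below are the ones Windows uses for the
# TSCC/GPO settings the article discusses; run as an administrator in
# PowerShell 2.0 or later on the Terminal Server itself.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

# Returns the effective value of a setting. A value under the Policies key
# (set by GPO) overrides the one TSCC writes under the local key.
function Get-EffectiveTsSetting {
    param([string]$Name, [string]$LocalKey)

    $policy = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($policy -ne $null) {
        return New-Object PSObject -Property @{ Name = $Name; Value = $policy.$Name; Source = 'GPO' }
    }
    $local = Get-ItemProperty -Path $LocalKey -Name $Name -ErrorAction SilentlyContinue
    if ($local -ne $null) {
        return New-Object PSObject -Property @{ Name = $Name; Value = $local.$Name; Source = 'TSCC (local)' }
    }
    New-Object PSObject -Property @{ Name = $Name; Value = $null; Source = 'not set (default)' }
}

# Each check: registry value, where TSCC stores it, the test for the hardened
# state, and a description of what the article recommends.
# fDisable* = 1 means the corresponding client mapping is turned off.
$Checks = @(
    @{ Name = 'MinEncryptionLevel';    Key = $RdpTcpKey; Pass = { param($v) $v -ge 3 }; Want = 'High (3) or FIPS Compliant (4)' },
    @{ Name = 'fSingleSessionPerUser'; Key = $ServerKey; Pass = { param($v) $v -eq 1 }; Want = '1 (restrict each user to one session)' },
    @{ Name = 'fDisableCdm';           Key = $RdpTcpKey; Pass = { param($v) $v -eq 1 }; Want = '1 (drive mapping disabled)' },
    @{ Name = 'fDisableCpm';           Key = $RdpTcpKey; Pass = { param($v) $v -eq 1 }; Want = '1 (Windows printer mapping disabled)' },
    @{ Name = 'fDisableLPT';           Key = $RdpTcpKey; Pass = { param($v) $v -eq 1 }; Want = '1 (LPT port mapping disabled)' },
    @{ Name = 'fDisableCcm';           Key = $RdpTcpKey; Pass = { param($v) $v -eq 1 }; Want = '1 (COM port mapping disabled)' },
    @{ Name = 'fDisableClip';          Key = $RdpTcpKey; Pass = { param($v) $v -eq 1 }; Want = '1 (clipboard mapping disabled)' }
)

$Report = @(foreach ($check in $Checks) {
    $setting = Get-EffectiveTsSetting -Name $check.Name -LocalKey $check.Key
    $value = $setting.Value
    # An unset value means the Windows default applies; report it for review
    # rather than assuming the default is acceptable.
    $ok = ($value -ne $null) -and (& $check.Pass $value)
    $display = $value
    if ($check.Name -eq 'MinEncryptionLevel' -and $value -ne $null -and $EncryptionLevelNames.ContainsKey([int]$value)) {
        $display = "$value ($($EncryptionLevelNames[[int]$value]))"
    }
    New-Object PSObject -Property @{
        Setting = $check.Name
        Status  = $(if ($ok) { 'OK' } else { 'REVIEW' })
        Value   = $display
        Source  = $setting.Source
        Want    = $check.Want
    }
})

$Report | Format-Table Setting, Status, Value, Source, Want -AutoSize
```

Because the script reads the Policies key first, a "REVIEW" line whose Source is "GPO" tells you the fix belongs in the linked GPO, not in TSCC, where the setting will be greyed out anyway. Run it again after a `gpupdate` to confirm the change took effect.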

Beyond Terminal Server
In addition to configuring the security of the Terminal Server computer, you should also consider locking down specific computer features that aren't necessarily appropriate for a shared-access computer. For example, you might want to prevent users from shutting down the computer, restrict access to search functions, prevent browsing the hard disks, and redirect base folders.

Redirecting base folders such as Application Data, Desktop, My Documents, and Start Menu moves these folders to a common location other than the Terminal Server machine. In the Group Policy Object Editor, navigate to User Configuration, Windows Settings, Folder Redirection, and specify the preferred locations for these files.

You can also limit accessibility to security options (e.g., shutting down and locking down the computer), Windows Explorer, Task Manager, Start Menu, and the Task Bar to remove tempting server options such as managing the computer, easily browsing the C drive, and exploring the system's hardware.

Before implementing any GPO policies, be sure to try them in a test environment that reflects your normal business processes. For example, some patch-management programs distribute patches by means of creating tasks, so if you've locked down tasks for your Terminal Server system, these applications might fail.

You can find many other GPO lockdown settings by editing the GPO linked to your users or Terminal Server computer (when in loopback processing mode). In the Group Policy Object Editor, navigate to User Configuration, Administrative Templates, Windows Components. These templates let you further restrict what users can do. For example, you can lock down IE, NetMeeting, and other applications. Additionally, under User Configuration, Administrative Templates, Control Panel, you can restrict many Control Panel applications (e.g., Add or Remove Programs, Printers and Faxes, Display, Regional and Language Options). Similarly, under User Configuration, Administrative Templates, Network, you can configure whether the system permits users to manipulate offline files and network connections.
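The user-side restrictions described in this section (shutdown and search removal, drive browsing, Task Manager, Control Panel, Add or Remove Programs, and base-folder redirection) are easy to misapply, especially when loopback processing is involved, so the test run recommended above should confirm what the logged-on user actually gets. The following PowerShell script is an added example and is not part of the article: run inside a Terminal Server session as the test user after the lockdown GPO has applied, it reports which restrictions are enforced for that session and whether each base folder resolves to a network location. It assumes the policy value names under the HKCU Policies keys (NoClose, NoFind, NoDrives, NoViewOnDrive, DisableTaskMgr, NoControlPanel, NoAddRemovePrograms) and the User Shell Folders key are the ones the corresponding GPO settings write, and that PowerShell 2.0 or later is available in the session.

```powershell
# Added example, not from the article: run as the test user inside a Terminal
# Server session (after the lockdown GPO has applied) to confirm which of the
# user-side restrictions the article describes are actually in effect.
# Assumptions: the policy value names and the User Shell Folders key below are
# the ones the corresponding GPO settings write; PowerShell 2.0 or later.

$ExplorerPolicy  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPolicy    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$UninstallPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall'
$ShellFolders    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Reads one registry value, returning $null when the key or value is absent.
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    $item.$Name
}

# NoDrives and NoViewOnDrive are bitmasks, one bit per drive letter:
# A: = 1, B: = 2, C: = 4, and so on.
$DriveCMask = 4

$Restrictions = @(
    @{ Label = 'Shut Down removed from Start menu'; Key = $ExplorerPolicy;  Name = 'NoClose';             Test = { param($v) $v -eq 1 } },
    @{ Label = 'Search removed';                    Key = $ExplorerPolicy;  Name = 'NoFind';              Test = { param($v) $v -eq 1 } },
    @{ Label = 'C: hidden in My Computer';          Key = $ExplorerPolicy;  Name = 'NoDrives';            Test = { param($v) ($v -band $DriveCMask) -ne 0 } },
    @{ Label = 'Browsing C: blocked';               Key = $ExplorerPolicy;  Name = 'NoViewOnDrive';       Test = { param($v) ($v -band $DriveCMask) -ne 0 } },
    @{ Label = 'Task Manager disabled';             Key = $SystemPolicy;    Name = 'DisableTaskMgr';      Test = { param($v) $v -eq 1 } },
    @{ Label = 'Control Panel blocked';             Key = $ExplorerPolicy;  Name = 'NoControlPanel';      Test = { param($v) $v -eq 1 } },
    @{ Label = 'Add or Remove Programs blocked';    Key = $UninstallPolicy; Name = 'NoAddRemovePrograms'; Test = { param($v) $v -eq 1 } }
)

$Report = @(foreach ($r in $Restrictions) {
    $value = Get-PolicyValue -Key $r.Key -Name $r.Name
    $applied = ($value -ne $null) -and (& $r.Test $value)
    New-Object PSObject -Property @{
        Check  = $r.Label
        Status = $(if ($applied) { 'ENFORCED' } else { 'NOT ENFORCED' })
        Value  = $value
    }
})

# Folder redirection: a redirected base folder resolves to a UNC path rather
# than to a location on the Terminal Server's own disk.
$Report += @(foreach ($name in 'AppData', 'Desktop', 'Personal', 'Start Menu') {
    $raw = Get-PolicyValue -Key $ShellFolders -Name $name
    $path = $null
    if ($raw -ne $null) { $path = [Environment]::ExpandEnvironmentVariables($raw) }
    $redirected = ($path -ne $null) -and $path.StartsWith('\\')
    New-Object PSObject -Property @{
        Check  = "Folder redirected: $name"
        Status = $(if ($redirected) { 'REDIRECTED' } else { 'LOCAL' })
        Value  = $path
    }
})

$Report | Format-Table Check, Status, Value -AutoSize
```

A "NOT ENFORCED" line after the GPO is linked usually means the user's policy was applied from the user's own OU rather than the Terminal Server's GPO (loopback not in effect), or the GPO has not refreshed yet; "Personal" is the registry name for My Documents. Run the same script as a member of the patch-management or service account used in your environment to catch restrictions, such as task creation, that would break legitimate processes before deploying the policy in production.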

A Multifaceted Approach
To lock down Terminal Services, you need to set appropriate user roles—for example, a regular user shouldn't be able to change the time or install programs. You can further restrict access to applications or data either by using software-restriction policies or by setting NTFS ACLs. You can dissuade users from casually poking around on your Terminal Server machine by turning off many of Windows Explorer's search and navigation features. And granular GPO settings can prevent even privileged groups such as Power Users and Administrators from changing the Terminal Server system's configuration or accessing inappropriate data. In Windows 2003's new version of Terminal Server, you'll find granular settings to satisfy any installation.
