Securing Terminal Services | Microsoft Windows Server 2003 Unleashed (R2 Edition)

Terminal Servers should be secured using standard security guidelines and policies defined by the organization. In addition to the organization's security standards and guidelines, it is advisable that organizations use recommended best practices compiled by Microsoft, as well as the National Institute of Standards and Technologies (NIST) and the National Security Agency (NSA). Both NIST and NSA provide security lockdown configuration standards and guidelines that can be downloaded from their Web sites (http://www.nist.gov and http://www.nsa.gov, respectively).

Windows Server 2003 Terminal Services in Terminal Server mode can be run in either the Full Security compatibility mode or Relaxed Security Permission compatibility mode to meet an organization's security policy and application requirements. Permission compatibility mode was created to help lock down the Terminal Server environment to reduce the risk of users mistakenly installing software or inadvertently disabling the Terminal Server by moving directories or deleting Registry keys. This mode can be used for most certified Terminal Server applications. Relaxed Security mode was created to support legacy applications that require extended access into the server system directory and the system Registry.

Changing the RDP Port

As mentioned earlier, Terminal Services securely communicates over TCP port 3389 using RDP. Organizations requiring even greater security can change the default port by modifying the following Registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ WinStations\RDP-Tcp\PortNumber

Note

Only clients using RDP version 5.1 or greater can connect to the nonstandard port. Also, after the port is changed, the Terminal Server must be restarted.

Perimeter Protection Considerations

If Terminal Services is being accessed through a firewall, there are a few considerations to take into account. Many firewalls are configured to close connections after a specified period of inactivity. This feature, although a good one to employ, may affect Terminal Services by prematurely disconnecting user sessions. In addition, this may unnecessarily use server resources, or worse, it can prevent users from connecting back into the same session.

To mitigate this problem, you can increase the Terminal Services keepalive values or reconfigure the firewall. The keepalive values are located in the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

The DWORD "KeepAliveEnable" value should be set to 1
The DWORD "KeepAliveInterval" value should be set to 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The DWORD "KeepAliveInterval" value in milliseconds
The DWORD "KeepAliveTime" value in milliseconds
The DWORD "TcpMaxDataRetransmissions" numeric value

Next, use the Terminal Services Configuration snap-in and under Sessions, check the Override Users Settings box and choose Disconnect from Session.

Securely Building Terminal Servers

When building security into Terminal Servers, keep in mind that you are giving users certain levels of access to a server. Essentially the users are logging in to the server and using the applications and services installed on that server. With this in mind, it is important to strike a balance between a user's productive capability and what the user can do (intentionally or accidentally) to the server. Otherwise, a single session can significantly affect other user sessions, as well as the entire Terminal Services server.

Segmenting Resources

Terminal Server resources should be segmented in such a way that users can only modify specific settings. This sounds simple, but requires careful planning. For instance, partitioning the server's disk subsystem can keep the operating system, logs, applications, and profiles separated. Each of these partitions should also be formatted with NTFS so that the proper permissions can be applied. This also makes it easier for administrators to manage and lock down specific resources.

The profile partition should be given particular attention because of the nature of the content it stores. For smaller installations, profiles can be stored on the local server on a separate partition. For larger installations, profiles should be kept on a separate server just to hold those profiles. This not only improves security, it can significantly improve performance.

Typically, these temporary Terminal Services profiles are stored under %SystemDrive%\ Documents and Settings\%Username%, even if roaming profiles are used in the network environment. To change the location to another partition, do the following:

1.	Create a Documents and Settings folder on the partition.
2.	Modify `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ ProfileList\ProfilesDirectory Reg_Sz` to the new location.
3.	Restart the server.
4.	Copy over the Default and All Users profiles to the new location.

Securing Terminal Services with GPOs

As mentioned earlier in the "Group Policy for Terminal Server" section, GPOs can and should be used to secure the Terminal Services environment. For instance, if an application or department working with sensitive information uses Terminal Services, the Remote Control setting can be disabled to ensure that only authorized users can view these sessions. GPOs can also be used to set disconnect timeout values and allow reconnections from only the original client.