Microsoft Small Business Server 2003 Unleashed - page 62


The RRAS in SBS 2003 provides important security features to your network. It also provides remote access capabilities via VPN and dial-up. These services can be configured by running the built-in wizards and then modified to add more advanced features.

This chapter focused on detailing the features of the RRAS, configuring it as a NAT/basic firewall, and configuring it to accept incoming VPN and dial-up connections. Also, the VPN capabilities of SBS were described in depth, with special attention to enhancing the security of your network. However, firewalls and VPNs are a vast subject, and only so much can be covered in one chapter. The reader is encouraged to become familiar with other firewall and VPN options not covered in this book.

Best Practice Summary

  • Use ISA 2004 if you have SBS 2003 Premium. If you already own the SBS 2003 Premium Edition, install and use ISA 2004 instead of relying on RRAS for your firewall.

  • Open ports only as needed. Only open ports that are really necessary; opening ports that are not required can put your network at risk.

  • Regularly test your firewall. Every once in a while get a port scanner and scan the external interface of your server.

  • Enable password policies. Weak or unchanging passwords are a security risk to your network, especially when remote access is enabled.

  • VPNs are not a panacea. Think twice before enabling inbound VPN access to your SBS network and consider all the security risks of doing so.

  • Practice safe VPN. Never establish a VPN from a computer that is not under your control.
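The two best practices "open ports only as needed" and "regularly test your firewall" amount to one check: compare what actually answers on the external interface against the short list of ports you meant to expose, and treat any other open port as a firewall rule that should not exist. The script below is an added example, not code from the book; it probes a host with plain TCP connects and sorts each port into expected, unexpected, or missing. The listeners it starts on 127.0.0.1 are constructed stand-ins so it runs offline; the address 203.0.113.10 and the allowlist {443, 1723} in the trailing comment are placeholders to replace with your server's external address and the ports the CEICW actually opened.

```python
# Added example (not from the book): verify that only the ports you intend to
# expose answer on an interface, in the spirit of "open ports only as needed"
# and "regularly test your firewall". The listeners it starts are constructed
# stand-ins so the check runs offline against 127.0.0.1; point audit_exposure()
# at your server's external address and the ports the CEICW actually opened.
import socket
from typing import Dict, Iterable, List, Set, Tuple


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True when a TCP connect to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: all count as not open
            return False


def audit_exposure(host: str, ports: Iterable[int],
                   expected_open: Set[int]) -> Dict[str, List[int]]:
    """Sort each probed port into one of three buckets.

    expected:   open and on the allowlist (what the firewall should permit)
    unexpected: open but NOT on the allowlist (a rule that should not exist)
    missing:    on the allowlist but closed (a service or rule that is down)
    """
    report: Dict[str, List[int]] = {"expected": [], "unexpected": [], "missing": []}
    for port in ports:
        is_open = port_is_open(host, port)
        if is_open and port in expected_open:
            report["expected"].append(port)
        elif is_open:
            report["unexpected"].append(port)
        elif port in expected_open:
            report["missing"].append(port)
    return report


def constructed_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on an OS-chosen port (constructed test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)  # the kernel completes handshakes without accept() being called
    return srv, srv.getsockname()[1]


def run_self_check() -> Tuple[Dict[str, List[int]], int, int, int]:
    """Stand up one allowed and one stray listener, plus a closed port, and audit them."""
    allowed_srv, allowed_port = constructed_listener()
    stray_srv, stray_port = constructed_listener()
    # Reserve a port and release it so the check sees a genuinely closed port.
    closed_srv, closed_port = constructed_listener()
    closed_srv.close()
    try:
        report = audit_exposure("127.0.0.1",
                                [allowed_port, stray_port, closed_port],
                                expected_open={allowed_port, closed_port})
    finally:
        allowed_srv.close()
        stray_srv.close()
    return report, allowed_port, stray_port, closed_port


if __name__ == "__main__":
    report, allowed, stray, closed = run_self_check()
    print(f"expected open : {report['expected']}   (allowlisted port {allowed})")
    print(f"UNEXPECTED    : {report['unexpected']}   (stray listener on {stray})")
    print(f"missing       : {report['missing']}   (allowlisted but closed: {closed})")
    # Against a real server, replace the arguments with its external address,
    # the range to probe, and the ports the CEICW opened (placeholders shown):
    # audit_exposure("203.0.113.10", range(1, 1025), expected_open={443, 1723})
```

Run it from a machine outside the SBS network so the probes cross the RRAS firewall rather than the LAN; anything that lands in the "unexpected" bucket is either a service you forgot about or a firewall rule to remove, and anything in "missing" is a VPN or web service that has silently stopped answering.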

Chapter 8. Terminal Services


  • Understanding Terminal Services Operating Modes

  • Installing and Configuring the Terminal Server

  • Managing Terminal Servers

  • Troubleshooting Terminal Service Issues

Of all the changes that Microsoft implemented in SBS 2003, the one that met with the largest uproar from the SBS community was the removal of Terminal Services support from the SBS server. Not all of the responses were negative, however. A large portion of the SBS community celebrated the loss of Terminal Services in Application mode because it removed one of the most significant security threats from the server.

Still, small companies that had been using Terminal Services on their SBS 2000 installations need to provide Terminal Services in the SBS 2003 environment. This chapter explains the basics of setting up Terminal Services in an SBS 2003 network and touches on some of the more common issues that network administrators may face.

Understanding Terminal Services Operating Modes

In the 2003 series of server products, Terminal Services features are provided in one of two modes: Remote Administration and Application. Remote Administration provides two remote desktop connections to a server for administration purposes. Application mode allows users to connect to run shared applications. But there are more differences than that, and they are detailed in the following two sections.

Remote Administration Mode

Almost all Windows 2003 servers support Remote Administration mode for remote access to the server console. A maximum of two simultaneous connections is allowed, and only members of the Domain Admins group can make a remote connection to the server when this mode is enabled.

When connecting to a server in Remote Administration mode, the administrator account has full access to the server as if she had logged on to the server console directly. The key thing to remember, however, is that you have not logged on to the server console directly unless you jump through a few hoops first.

Connecting to and Shadowing the Server Console

If you use the Remote Desktop Connection tool (mstsc.exe) or the Connect to Server Computers link from the Remote Web Workplace (RWW), you are connecting to one of the two remote administration sessions allowed in this mode. You can gain control of the actual console session in one of two ways, however.

First, if you are using the RDC tool, you would type mstsc /console to launch the remote connection and tell it to use the Console session instead of one of the two remote sessions.

Second, you could create a remote session and use the shadow command to control the existing console session. There are a few steps that you must take before you will be able to use the shadow 0 command to control the existing console session. This information is documented in Microsoft KB article 278845 (

By default, the SBS server is preconfigured with remote administration access enabled. You do not have to do any manual configuration to allow remote access to the server from inside the network. You need to enable Terminal Services access through the SBS firewall in the Connect to the Internet Wizard (CEICW) if you want to get access to the server desktop from outside the local network.

Application Mode

Terminal Services in Application mode is what most people think of when they think about a terminal server. When in this mode, a number of users can log in to the terminal server, run applications, and save data just as if they were logged in on a "normal" PC. There are a number of licensing restrictions regarding Terminal Services, more than can be appropriately addressed in this book. However, the section "Configuring Terminal Services Licensing Service" later in the chapter covers how to install appropriate Terminal Services licensing so that users can connect to the terminal server.

Before that can happen, however, a server has to become a terminal server first, and that involves installing Terminal Services in Application mode. Before you do this installation, consider a few items:

  • Server performance. Make sure that the server you plan to use as a terminal server has enough horsepower to handle the number of users and types of applications you plan to provide. Review the Microsoft whitepaper "Windows 2003 Terminal Server Capacity and Planning" ( for additional hardware guidelines.

  • Domain controller. Do not plan on installing Terminal Services in Application mode on a domain controller. If you can demote the domain controller to a member server without impacting its other functions on the network, this might suffice; otherwise, look to a different server box that can maintain its role as a member server.

  • Server licensing. Make sure that you understand your terminal server licensing needs. If you will be converting an existing Windows 2000 server (that's not a domain controller) into a terminal server, you will not need any additional TS CALs to connect Windows workstations. If your terminal server is based on Windows 2003 server, you will need to acquire TS CALs separate from the SBS CALs to provide licensed access to the server. Review Microsoft KB article 823313 ( and the Windows Server 2003 Terminal Server Licensing whitepaper ( for more information.