Enabling Terminal Services | Terminal Services for Microsoft Windows Server 2003: Advanced Technical Design Guide (Advanced Technical Design Guide series)

This book focuses on the advanced technical design of a Terminal Server environment and providing you with the knowledge to design real-world solutions. A walk-through of the service installation that takes you from screenshot to screenshot is therefore not included. (However, a Flash video of that walk-through is available at www.brianmadden.com.)

This section will, however, describe (from a technical standpoint) the process that takes place when you enable Terminal Services.

Unlike Windows 2000 Server, which installed with a dual-mode Terminal Services component, Windows Server 2003 separates the Remote Administration and Terminal Services functionality into separate configurable components. Remote Desktop Administration is installed by default and allows only Administrators to connect. This type of installation can cause confusion, because being able to use a Terminal Services client to connect to a server doesn't necessarily mean that Terminal Services is actually installed. If Windows 2003 is already installed you'll have to add Terminal Services manually. (Control Panel | Add or Remove Programs | Add/Remove Windows Components | Terminal Server) or (Manage Your Server tool | Add or remove a role | Terminal Server)

Let's pause here for a note on when to install Terminal Services. While it's true that you can technically go into the Add or Remove Programs wizard at any time to add this service, this is not recommended.

You really need to have the Terminal Server components installed before any applications are installed. Application installs on a Terminal Server are different from those on a normal server, and some applications do not respond well to being installed in one mode and used in another. While improvements have been made over the last couple of years it's still good practice to configure Terminal Services prior to installing any applications.

Ideally, you'll want to read through this entire book before building your production servers. If you just want to install Terminal Server as fast as possible, then you should be safe by just selecting the default options. Many people use this approach to build a test server. Then they read through this book trying the different options as they go. Finally, they complete their design and rebuild their server for "production" use.

Security Settings Installation Options

During installation of Terminal Services, you'll be asked to configure the default permissions for application compatibility. This is a bit misleading, since what you're really setting are the default permissions for your users when accessing system files and registry keys.

The first (and default) option is "Full Security," the most restrictive and obviously most secure. Choosing this option sets the default permissions on the file system and registry with what Microsoft feels applications and users will require.

In terms of NTFS permissions, the full security option configures most files and directories for Read and Execute access for regular users. The full security option also tightens the security of the registry; making most of the HKEY Local Machine hive read-only for standard users while still granting Read and Write access to most of each user's HKEY Current User hive. (See Chapter 12 for details.)

The drawback to choosing the full security option is that some older applications may not work. Assume you have an application that installs to c:\Program Files\My App. By default, the application directory and files inherit the directory security of settings of the c:\Program Files directory (which is read and execute). However, if your application requires that a temporary file be written to its program location when it's launched, an error will occur since the full security option does not allow Write access to that directory. This same example can be applied to almost any directory or registry key on the system. If the application needs to modify anything on the server, the user must have access permissions to the file or registry location being modified. There is no magic bullet work-around for basic access permissions.

The second option you can choose is "Relaxed Security." This option configures the security on the file system and critical registry keys to allow older applications to run. (This refers mainly to applications that were not designed with Terminal Server in mind.) Don't be fooled into thinking that the relaxed security option gives users full access to everything, because it doesn't. It loosens security in certain locations that older applications are known to use.

The general consensus is to always start out with Full Security. If required, you can return and manually loosen up permissions on the files or registry locations that are required without having a blanket effect on the entire system. Don't worry too much about it at this point. You can use the Terminal Services Configuration snap-in to the MMC to reset a system's security to "full" or "relaxed" at any time, as many times as you want.