Security Configuration Layers


Let's take another look at the different layers at which many of the security-related settings can be made. For example, client drive remapping can be enabled or disabled as part of a user's AD account properties, via a GPO, as a setting on the RDP client, or as a property of a server's connection listener port. Beyond that, applications launched via an RDP file can also have their printer mappings configured within the RDP file itself.

When a single parameter is configured in multiple locations with conflicting settings, the most restrictive configuration will always take precedence (unless a GPO is involved, in which case the rules change; see Chapter 6). Referring to Figure 12.2, if the client device and the GPO were configured to allow drive mapping but the server connection was set to prohibit it, no session connecting via that connection would be able to access client drives. Although the client is configured to allow drive mapping, users must still traverse the connection, which is configured to deny it. In this example, we can say that the "client layer" was set to allow drive mapping and the "connection layer" was configured to deny it.

Figure 12.2: The drive mapping security parameter configured at multiple layers

Figure 12.3 shows all of the possible layers at which a security parameter can be configured. Not every security parameter can be configured at every layer. It's important to look at the Terminal Server settings and determine the proper layer at which each security parameter should be applied. Do all users require drive mapping, or only users connecting to certain servers? Might only users connecting to a server via a specific IP address need drive mapping?

  Level          Scope
  GPO            All users logging into servers where the policy is applied.
  Server         All users connecting to one server.
  Connection     All users attaching via one defined server connection. Multiple connections can exist on one server.
  Client         All users connecting from one RDP client device, regardless of the user's rights or the server or farm hosting the RDP session.
  User Account   User profile settings. These settings follow the user, regardless of the server or connection used.
  RDP File       Settings affect anyone using the RDP file, regardless of settings in other locations.

Figure 12.3: Various configuration scope layers
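The precedence rule above (most restrictive layer wins) is easy to get wrong when troubleshooting why a session lacks a mapping. The following is an added example, not code from the guide, that models one parameter across the layers of Figure 12.3 and reports which layer is denying it; layer names and the True/False/None encoding are assumptions of this example, and the GPO case is only flagged, not resolved, since the guide defers those rules to Chapter 6.

```python
from typing import Dict, List, Optional, Tuple

# Configuration layers from Figure 12.3, in the order the figure lists them.
LAYERS = ("GPO", "Server", "Connection", "Client", "User Account", "RDP File")

# One value per layer: True = allow, False = deny, None = not configured there.
LayerSettings = Dict[str, Optional[bool]]


def effective_setting(settings: LayerSettings) -> Tuple[bool, List[str], bool]:
    """Resolve a single security parameter across configuration layers.

    Applies the guide's rule that the most restrictive configured value wins:
    if any layer denies, the effective value is deny. Returns
    (allowed, denying_layers, gpo_configured). gpo_configured is True when the
    GPO layer sets a value; the guide notes that GPO involvement changes the
    precedence rules (Chapter 6), so this example only reports that condition.
    """
    unknown = set(settings) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    denying = [layer for layer in LAYERS if settings.get(layer) is False]
    gpo_configured = settings.get("GPO") is not None
    return (not denying, denying, gpo_configured)


def explain(parameter: str, settings: LayerSettings) -> str:
    """Human-readable audit line naming the layer(s) responsible for a denial."""
    allowed, denying, gpo = effective_setting(settings)
    if allowed:
        text = f"{parameter}: allowed (no layer denies it)"
    else:
        text = f"{parameter}: denied by {', '.join(denying)}"
    if gpo:
        text += " [GPO configured: apply the Chapter 6 GPO precedence rules]"
    return text


# Constructed scenario matching Figure 12.2: client and GPO allow drive
# mapping, the connection denies it.
FIGURE_12_2: LayerSettings = {"GPO": True, "Client": True, "Connection": False}

if __name__ == "__main__":
    print(explain("drive mapping", FIGURE_12_2))
```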

Throughout this chapter we'll look at dozens more security settings configurable at all layers. Beyond that, the appendix of this book contains a "Terminal Server 2003 Component Configuration" chart detailing every setting within the Terminal Server environment and listing the layer at which it can be configured.

The rest of this chapter is divided into sections that each focus on a different security configuration layer, including:

  • Server security

  • Application security

  • Connection security

  • Network security

  • User account security




Terminal Services for Microsoft Windows Server 2003: Advanced Technical Design Guide (Advanced Technical Design Guide series)
ISBN: 0971151040
Year: 2006
Pages: 126