Lesson 5: Designing Terminal Services Security

Terminal Services allows users who don't have Windows 2000–based client computers to take advantage of Windows 2000 technology. You can load Terminal Services clients on Windows 3.1, Windows for Workgroups 3.11, Windows 95, Windows 98, and Windows NT-based clients. In addition, you can deploy the Terminal Services Advanced Client to allow any user with a Web browser that supports ActiveX controls to connect to the terminal server. You can get the Terminal Services Advanced Client by going to http://www.microsoft.com and searching for "Terminal Services Advanced Client."


After this lesson, you will be able to

  • Design security for a Terminal Services deployment

Estimated lesson time: 30 minutes


Designing Terminal Services Security

Terminal Services allows clients to run Windows 2000 compatible applications on a terminal server without loading Windows 2000 at the client computer. The terminal server hosts all client data processing, application execution, and data storage. The Terminal Services client sends only keyboard input and mouse movement to the terminal server. The terminal server performs all processing and returns only display information to the Terminal Services client.

Terminal Services gives a network administrator additional advantages. You can limit the Terminal Services sessions to a single application by changing the shell application from the default of Explorer.exe.

Assessing Security Risks of Terminal Services

When a Terminal Services client connects to a terminal server, it appears as if the client is sitting at the keyboard of the server. Securing Terminal Services may include configuring the terminal server or performing administrative tasks.

In your network design you must include security design for the following Terminal Services issues:

  • The potential for remote administration of a terminal server.
  • All Terminal Service clients require access to the local file system.
  • To use Terminal Services, the Terminal Services client must have Log On Locally rights to the terminal server.
  • By default, security is assigned to the terminal server Users group and isn't based on the individual group memberships of the Terminal Service clients.
  • Data sent between the terminal server and the Terminal Service client could be intercepted.
  • Two-factor authentication methods, such as smart card logon, aren't supported within Terminal Services.

Restricting Remote Administration

You can install Terminal Services in one of two modes: Remote Administration Mode or Application Server Mode. If you install Terminal Services to provide remote administration of a server, consider configuring the terminal server to use Remote Administration Mode. This mode allows only members of the Administrators group to connect to the terminal server. In addition, Remote Administration Mode restricts Terminal Service connections to a maximum of two simultaneous connections.

Restricting Access to the Local File System

Terminal Services clients see the file system on the terminal server as their local file system. To ensure that Terminal Services clients have access only to specific areas of the file system, configure all volumes as NTFS volumes. Also, configure NTFS permissions to restrict access to specific folders on the server.

WARNING

Not only do the Terminal Service clients share the file system, but they also share any services related to the computer. For example, if one Terminal Service user were to implement a dial-up connection to the Internet, all Terminal Service clients would have access to that connection because the connection is associated with the computer, not the individual user.

Determining Where to Deploy Terminal Services

To connect to a terminal server, Terminal Service clients require the Log On Locally right. Don't deploy Terminal Services using Application Server Mode on a DC because all users require the Log On Locally right in order to connect to the terminal server. In a default Windows 2000 environment, this circumstance would allow Terminal Services users to log on locally at all DCs, not just the DCs with Terminal Services installed. For best security, install Terminal Services only on member servers so that you don't grant excess rights on DCs.

Implementing Individual User Security

By default, security for Terminal Services clients is based on membership in the Terminal Server Users group. Any user who is logged on at a terminal server, whether using a remote connection or logged on at the console, is automatically made a member of the Terminal Server Users group.

You can apply the incremental security template Notssid.inf to remove the Terminal Server Users group from all DACLs on the file system. By removing this group, you ensure that users gain access to the file system based on their user accounts and group memberships, not by the fact that they're connecting to a terminal server.

TIP

To simplify the deployment of this security template, place all terminal servers in a common OU and import the Notssid.inf security template into the Group Policy object for that OU. This practice ensures the continued application of the security template.
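As an added example (not from the training kit), the following PowerShell applies Notssid.inf with secedit and then scans a directory tree for any ACE that still names the Terminal Server Users group (well-known SID S-1-5-13), which is the check you would run after the template or the Group Policy import has been applied. It assumes PowerShell is available on the terminal server, that the template is at %SystemRoot%\security\templates\notssid.inf, and that the script runs elevated.

```powershell
# Added example, not code from the training kit. Applies Notssid.inf and then
# verifies that no ACE under $Root still refers to Terminal Server Users.
param(
    [string]$Template = "$env:SystemRoot\security\templates\notssid.inf",  # assumed location
    [string]$Root     = "$env:SystemDrive\"
)

# Terminal Server User is the well-known group SID S-1-5-13.
$tsUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-13'

function Invoke-NotssidTemplate {
    # secedit compiles the .inf into a database and applies it to the local machine.
    $db  = Join-Path $env:TEMP 'notssid.sdb'
    $log = Join-Path $env:TEMP 'notssid.log'
    & secedit.exe /configure /db $db /cfg $Template /log $log | Out-Null
    return $LASTEXITCODE
}

function Find-TerminalServerUsersAces {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                # Compare by SID so a renamed or unresolvable group is still caught.
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
                catch { continue }
                if ($sid -eq $tsUsers) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Rights    = $ace.FileSystemRights
                        Type      = $ace.AccessControlType
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

$rc = Invoke-NotssidTemplate
if ($rc -ne 0) { Write-Warning "secedit returned $rc; see $env:TEMP\notssid.log" }

$leftover = @(Find-TerminalServerUsersAces -Path $Root)
if ($leftover.Count -eq 0) {
    "No ACEs for Terminal Server Users (S-1-5-13) remain under $Root"
} else {
    $leftover | Format-Table -AutoSize
}
```

Any path still listed is one where users will keep receiving access simply because they connected through Terminal Services, so fix its DACL and re-run.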

Securing Transmissions Between Terminal Services Clients and the Terminal Server

You can encrypt data transferred between the Terminal Services client and the terminal server, as shown in Figure 9.14.

Figure 9.14 Configuring the encryption level for terminal services connections

You can deploy the following levels of encryption:

  • Low Encryption. Low encryption encrypts only traffic sent from the client to the server. The data is encrypted using the RC4 algorithm and either a 56-bit or 40-bit key (Remote Desktop Protocol [RDP] 4.0 clients can only use 40-bit encryption). Low encryption provides protection for passwords and any data entered by the user but doesn't encrypt the screen data sent from the server to the client.
  • Medium Encryption. Medium encryption encrypts all data transmitted between the client and the server. The data is encrypted using the RC4 algorithm and either a 56-bit or 40-bit key (RDP 4.0 clients can only use 40-bit encryption). Medium encryption provides protection for passwords and any data entered by the user and encrypts the screen data sent from the server to the client.
  • High Encryption. High encryption encrypts all data transmitted between the client and the server. The data is encrypted using the RC4 algorithm and a 128-bit key. High encryption requires installation of the Windows 2000 High Encryption Pack. If the high encryption pack isn't installed at either the terminal server or the client computer running the Terminal Services client software, security will fall back to the medium encryption level.

NOTE

For information on export regulations for encryption software, see www.microsoft.com/exporting/.

Planning for Loss of Strong Authentication Methods

Terminal Services doesn't support the use of two-factor authentication such as smart cards and Kerberos v5 protocol. If a user connects to the network using Terminal Services, you can't restrict the account to require a smart card for logon.

Making the Decision

Use the decision matrix shown in Table 9.7 to plan a secure deployment of Terminal Services in your organization.

Table 9.7 Securing Terminal Services Access

To: Limit access to administrators of the network
Do the following: Configure Terminal Services to run in Remote Administration Mode. You must be a member of the Administrators group to connect with a Terminal Services client.

To: Restrict access to the local file system
Do the following: Ensure that all volumes are formatted with NTFS and that permissions have been set to restrict access to the file system.

To: Prevent users from being assigned excess user rights
Do the following: Don't install Terminal Services in Application Server Mode on a DC, because the user must be granted Log On Locally permissions to use the terminal server.

To: Determine if a user is connected to the network using Terminal Services
Do the following: Inspect the user's environment variables for the %clientname% or %sessionname% environment variables. These environment variables only exist within a Terminal Services session.

To: Restrict access to a single application
Do the following: Configure Terminal Services to use an alternate shell program. Configure the shell program to be the single application.

To: Protect data transmissions between the Terminal Services client and the terminal server
Do the following: Implement either medium or high security for the Terminal Services session.

To: Restrict access to Terminal Services
Do the following: Assign only the permission to use Terminal Services to the individual user accounts that require Terminal Services access.
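The following PowerShell audit, added here and not part of the training kit, reads the settings behind several rows of Table 9.7 (Terminal Services mode, DC role, encryption level, NTFS volumes, and the %clientname%/%sessionname% variables) and lists what still needs attention. It assumes a PowerShell-capable host; the registry values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server and their meanings are as Microsoft documents them for Windows 2000 and 2003, while the finding messages are the script's own.

```powershell
# Added example, not code from the training kit: audit a terminal server
# against the decisions in Table 9.7 and report the items that need work.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$findings = @()

# TSAppCompat = 1 means Application Server Mode; 0 means Remote Administration Mode.
$appServer = (Get-ItemProperty $tsKey -Name TSAppCompat -ErrorAction SilentlyContinue).TSAppCompat -eq 1

# Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
if ($appServer -and $isDc) {
    $findings += 'Application Server Mode on a DC: users need Log On Locally on every DC in the domain.'
}

# MinEncryptionLevel: 1 = Low (client-to-server only), 2 = Medium, 3 = High (128-bit RC4).
$level = (Get-ItemProperty $rdpKey -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
$names = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }
$levelName = if ($level -and $names.ContainsKey([int]$level)) { $names[[int]$level] } else { "unknown ($level)" }
if (-not $level -or $level -lt 2) {
    $findings += "Encryption level is $levelName; screen data from server to client is not encrypted. Use Medium or High."
}

# Every fixed volume (DriveType 3) should be NTFS so folder DACLs can restrict TS users.
$nonNtfs = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | Where-Object { $_.FileSystem -ne 'NTFS' }
foreach ($d in $nonNtfs) { $findings += "Volume $($d.DeviceID) is $($d.FileSystem), not NTFS." }

# %SESSIONNAME% and %CLIENTNAME% exist only inside a Terminal Services session;
# a console logon shows SESSIONNAME=Console and sets no CLIENTNAME.
$inTsSession = [bool]($env:SESSIONNAME -and $env:SESSIONNAME -ne 'Console')

[pscustomobject]@{
    Mode               = if ($appServer) { 'Application Server' } else { 'Remote Administration' }
    DomainController   = $isDc
    EncryptionLevel    = $levelName
    RunningInTsSession = $inTsSession
    ClientName         = $env:CLIENTNAME
    Findings           = $findings
}
```

Run it in the context you want to test: from a Terminal Services session it also shows which client machine the session came from, which is the %clientname% check the table describes.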

Applying the Decision

The proposed Terminal Services deployment for Lucerne Publishing needs some modification to ensure that security is maintained. Consider the following for the Lucerne Publishing Terminal Services deployment:

  • Terminal Services mode. Since Terminal Services must be configured to support network users, configure Terminal Services to use Application Server Mode to allow normal users to connect to the terminal server.
  • Excess rights assignments. Move Terminal Services in Caracas and Casablanca to Windows 2000 member servers, rather than continuing to host the services on DCs. The users in Caracas and Casablanca require Log On Locally permissions, which would grant Log On Locally rights to all DCs in either the americas.lucernepublishing.tld or africa.lucernepublishing.tld domain.
  • Terminal server encryption. Configure Terminal Services to use either medium or high encryption to ensure that Terminal Services traffic is encrypted in both directions between the terminal server and the Terminal Services client.
  • Additional configuration. Configure each terminal server so that all file volumes use the NTFS file system to ensure local security of all files.

Lesson Summary

Terminal Services enables non-Windows 2000–based clients to operate applications in a full Windows 2000 environment. Your security plan should include strategies to ensure that security is maintained when you deploy Terminal Services. This includes ensuring that data is encrypted between the terminal server and the Terminal Services client and that only approved users can access the terminal server.



Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001
Pages: 172