Terminal Services allows users who don't have Windows 2000–based client computers to take advantage of Windows 2000 technology. You can load the Terminal Services client on Windows 3.1, Windows for Workgroups 3.11, Windows 95, Windows 98, and Windows NT–based clients. In addition, you can deploy the Terminal Services Advanced Client to allow any user with a Web browser that supports ActiveX controls to connect to the terminal server. You can get the Terminal Services Advanced Client by going to http://www.microsoft.com and searching for "Terminal Services Advanced Client."
After this lesson, you will be able to
Estimated lesson time: 30 minutes
Terminal Services allows clients to run Windows 2000–compatible applications on a terminal server without loading Windows 2000 at the client computer. The terminal server hosts all client data processing, application execution, and data storage. The Terminal Services client sends only keyboard input and mouse movement to the terminal server. The terminal server performs all processing and returns only display information to the Terminal Services client.
Terminal Services also gives a network administrator additional control over what a connected user can run. For example, you can limit Terminal Services sessions to a single application by replacing the default shell, Explorer.exe, with that application.
When a Terminal Services client connects to a terminal server, the session behaves as if the user were sitting at the keyboard of the server: applications run on the server with the user's credentials, and the user sees the server's file system and services. Securing Terminal Services therefore means both configuring the terminal server itself and controlling who can connect to it and what they can do once connected.
In your network design you must include security design for the following Terminal Services issues:
You can install Terminal Services in one of two modes: Remote Administration Mode or Application Server Mode. If you install Terminal Services only to provide remote administration of a server, configure the terminal server to use Remote Administration Mode. This mode allows only members of the Administrators group to connect to the terminal server. In addition, Remote Administration Mode restricts Terminal Services connections to a maximum of two simultaneous connections.
Terminal Services clients see the file system on the terminal server as their local file system. To ensure that Terminal Services clients have access only to specific areas of the file system, configure all volumes as NTFS volumes; a FAT volume has no permissions at all, so every Terminal Services user can read and write everything on it. Also, configure NTFS permissions to restrict access to specific folders on the server.
WARNING
Not only do Terminal Services clients share the file system, but they also share any services related to the computer. For example, if one Terminal Services user were to implement a dial-up connection to the Internet, all Terminal Services clients would have access to that connection because the connection is associated with the computer, not the individual user.
To connect to a terminal server, Terminal Services clients require the Log On Locally right. Don't deploy Terminal Services using Application Server Mode on a DC, because all users require the Log On Locally right in order to connect to the terminal server. In a default Windows 2000 environment, user rights on DCs are assigned through the Default Domain Controllers Policy, so granting the right there would allow Terminal Services users to log on locally at all DCs, not just the DCs with Terminal Services installed. For best security, install Terminal Services only on member servers so that you don't grant excess rights on DCs.
By default, security for Terminal Services clients is based on membership in the Terminal Server Users group (well-known SID S-1-5-13). Any user who is logged on at a terminal server, whether using a remote connection or logged on at the console, is automatically made a member of the Terminal Server Users group, so membership in this group indicates that Terminal Services is installed on the computer, not that the user is connecting remotely.
You can apply the incremental security template Notssid.inf to remove the Terminal Server Users group from all DACLs on the file system. (An incremental template modifies only the settings it lists and leaves the rest of the current configuration unchanged.) By removing this group, you ensure that users gain access to the file system based on their user accounts and group memberships, not by the fact that they're connecting to a terminal server.
TIP
To simplify the deployment of this security template, place all terminal servers in a common OU and import the Notssid.inf security template into the Group Policy object for that OU. This practice ensures the continued application of the security template.
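The following PowerShell script, added here as an example and not part of the lesson, applies Notssid.inf with secedit and then checks whether any file-system DACL still names the Terminal Server Users group. It assumes Windows with Terminal Services installed, a PowerShell 3.0 or later session running as a local administrator, and the default template location %windir%\security\templates; the folders scanned, the database and log file names, and the Find-TerminalServerUserAces function are the example's own choices.

```powershell
# Added example: apply Notssid.inf and verify that file-system DACLs no longer
# grant access to the Terminal Server Users group (well-known SID S-1-5-13).
# Assumes: Terminal Services installed, PowerShell 3.0+, local administrator.

$template = Join-Path $env:windir 'security\templates\notssid.inf'   # default location
$database = Join-Path $env:windir 'security\database\notssid.sdb'   # scratch database (assumed name)
$logFile  = Join-Path $env:windir 'security\logs\notssid.log'       # secedit log (assumed name)

function Find-TerminalServerUserAces {
    # Returns one object per ACE that names Terminal Server Users on the given
    # folders and their immediate subfolders. The folder list is an assumption;
    # extend it with any application or data folders your terminal server holds.
    param(
        [string[]]$Paths = @("$env:SystemDrive\", $env:windir, $env:ProgramFiles)
    )
    foreach ($root in $Paths) {
        $items = @(Get-Item -Path $root -ErrorAction SilentlyContinue)
        $items += Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer }
        foreach ($item in $items) {
            try { $acl = Get-Acl -Path $item.FullName -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                # Compare by SID, not display name, so localized names don't matter.
                try {
                    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                } catch { continue }
                if ($sid.Value -eq 'S-1-5-13') {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Type      = $ace.AccessControlType
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# 1. Baseline: how many DACLs list the group before the template is applied?
$before = @(Find-TerminalServerUserAces)
"Before: $($before.Count) ACE(s) reference Terminal Server Users"

# 2. Apply the incremental template. /areas limits secedit to file-system and
#    registry DACLs; the template's other areas are left untouched.
secedit /configure /db $database /cfg $template /areas FILESTORE REGKEYS /log $logFile /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed with exit code $LASTEXITCODE; see $logFile" }

# 3. Verify. Any remaining hit is a folder the template does not cover and must
#    be fixed by hand (or added to your own copy of the template).
$after = @(Find-TerminalServerUserAces)
"After: $($after.Count) ACE(s) reference Terminal Server Users"
$after | Format-Table -AutoSize
```

Running the script locally is useful for a one-off check; for ongoing enforcement, import the template into the Group Policy object for the terminal servers' OU as the tip above describes, and use only the Find-TerminalServerUserAces part of the script as a periodic audit.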
You can encrypt data transferred between the Terminal Services client and the terminal server, as shown in Figure 9.14.
Figure 9.14 Configuring the encryption level for terminal services connections
You can deploy the following levels of encryption:
NOTE
For information on export regulations for encryption software, see www.microsoft.com/exporting/.
Terminal Services in Windows 2000 doesn't support two-factor authentication such as smart card logon (Kerberos v5 authentication with a certificate on the card), because the client can't present a smart card through a Terminal Services session. A user who connects through Terminal Services must therefore authenticate with a password, and you can't set the Smart Card Is Required For Interactive Logon option on an account that needs Terminal Services access.
Use the decision matrix shown in Table 9.7 to plan a secure deployment of Terminal Services in your organization.
Table 9.7 Securing Terminal Services Access
| To | Do the following |
|---|---|
| Limit access to administrators of the network | Configure Terminal Services to run in Remote Administration Mode. You must be a member of the Administrators group to connect with a Terminal Services client. |
| Restrict access to the local file system | Ensure that all volumes are formatted with NTFS and that permissions have been set to restrict access to the file system. |
| Prevent users from being assigned excess user rights | Don't install Terminal Services in Application Server Mode on a DC, because the user must be granted the Log On Locally right to use the terminal server. |
| Determine if a user is connected to the network using Terminal Services | Inspect the session's environment variables. %clientname% is set only in a Terminal Services session; %sessionname% is Console for a user at the server's keyboard and RDP-Tcp#n for a Terminal Services connection. |
| Restrict access to a single application | Configure Terminal Services to use an alternate shell program. Configure the shell program to be the single application. |
| Protect data transmissions between the Terminal Services client and the terminal server | Set the encryption level for the Terminal Services connection to Medium or High. |
| Restrict access to Terminal Services | Grant the permission to use Terminal Services only to the individual user accounts, or groups, that require Terminal Services access. |
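The following PowerShell script is an added example, not part of the lesson, that audits one terminal server against the decision matrix in Table 9.7. It assumes PowerShell 3.0 or later running as a local administrator on the terminal server, and it reads the RDP-Tcp listener's registry values (MinEncryptionLevel, fInheritInitialProgram, InitialProgram), the TSAppCompat value that distinguishes Application Server Mode from Remote Administration Mode, and the Win32_ComputerSystem DomainRole property to recognize a DC; the function names and the wording of the findings are the example's own.

```powershell
# Added example: audit a terminal server against Table 9.7.
# Assumes PowerShell 3.0+, run as a local administrator on the terminal server.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# MinEncryptionLevel values of the RDP-Tcp listener: 1 = Low, 2 = Medium, 3 = High.
$encryptionNames = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }

function Test-TerminalServicesSession {
    # CLIENTNAME is set only in a remote session. SESSIONNAME is 'Console' at the
    # keyboard and 'RDP-Tcp#<n>' for a Terminal Services connection. The
    # Terminal Server Users SID (S-1-5-13) is in the token of every session on a
    # terminal server, console included, so it proves only that TS is installed.
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    [pscustomobject]@{
        IsRemoteSession          = (-not [string]::IsNullOrEmpty($env:CLIENTNAME)) -or
                                   ($env:SESSIONNAME -like 'RDP-Tcp#*')
        ClientName               = $env:CLIENTNAME
        SessionName              = $env:SESSIONNAME
        HasTerminalServerUserSid = [bool]($groups | Where-Object { $_.Value -eq 'S-1-5-13' })
    }
}

function Get-TerminalServerSecurityFindings {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $findings = @()

    # Mode: TSAppCompat = 1 means Application Server Mode.
    $appServerMode = ($ts.TSAppCompat -eq 1)
    if ($appServerMode) {
        $findings += 'Application Server Mode: every account granted the permission can connect; confirm this is intended.'
    } else {
        $findings += 'Remote Administration Mode: only Administrators can connect, two sessions at most.'
    }

    # Never run Application Server Mode on a DC. DomainRole 4 or 5 = domain controller.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($role -ge 4 -and $appServerMode) {
        $findings += 'WARNING: Application Server Mode on a DC grants Log On Locally to Terminal Services users on every DC.'
    }

    # Encryption level: Table 9.7 calls for Medium or High.
    $level = [int]$rdp.MinEncryptionLevel
    $name  = $encryptionNames[$level]
    if (-not $name) { $name = "unknown ($level)" }
    if ($level -lt 2) {
        $findings += "WARNING: encryption level is $name; set it to Medium or High."
    } else {
        $findings += "Encryption level is $name."
    }

    # Single-application lock-down: the listener overrides the user profile when
    # fInheritInitialProgram is 0 and InitialProgram names the application.
    if ($rdp.fInheritInitialProgram -eq 0 -and $rdp.InitialProgram) {
        $findings += "Sessions are restricted to one program: $($rdp.InitialProgram)"
    } else {
        $findings += 'Sessions start the full desktop shell (Explorer.exe) unless the user profile says otherwise.'
    }

    # NTFS: Terminal Services users see every local volume as their own.
    foreach ($vol in Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3') {
        if ($vol.FileSystem -ne 'NTFS') {
            $findings += "WARNING: volume $($vol.DeviceID) is $($vol.FileSystem); it cannot hold permissions."
        }
    }
    $findings
}

Test-TerminalServicesSession
Get-TerminalServerSecurityFindings
```

The registry values are the same ones Terminal Services Configuration writes when you change the RDP-Tcp connection's encryption level or its initial program, so the script reads the effective settings rather than a separately maintained copy. Which users hold the permission to connect is set on the RDP-Tcp connection's Permissions tab and is not covered by the script.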
The proposed Terminal Services deployment for Lucerne Publishing needs some modification to ensure that security is maintained. Consider the following for the Lucerne Publishing Terminal Services deployment:
Terminal Services enables non-Windows 2000–based clients to run applications in a full Windows 2000 environment. Your security plan should include strategies to ensure that security is maintained when you deploy Terminal Services. This includes choosing the right installation mode, restricting file-system access with NTFS permissions, encrypting data between the terminal server and the Terminal Services client, and ensuring that only approved users can access the terminal server.