Best Practices

  • Apply the Notssid.inf security template to terminal servers running in Permissions Compatible With Terminal Server 4.0 Users mode.

    This security template ensures that excess permissions are not granted to Terminal Services clients. This option might not allow some older applications to execute, so we recommend you upgrade to newer applications that follow the Windows 2000 security model.

  • Use the AppSec tool to limit which applications can be executed.

    Appsec.exe allows you to designate which applications are available to nonadministrators in a Terminal Services session. Users are limited to executing the programs listed within the Appsec.exe console.

  • Do not enable remote control.

    Remote control allows administrators to view tasks performed by Terminal Services clients. If remote control is configured to allow administrators to interact with the desktop, they can actually perform tasks in the security context of the user, allowing for the impersonation of users.

  • Do not implement application server mode on domain controllers.

    To connect to a terminal server from the network, users must have the Log On Locally user right assigned. If you implement application server mode on a domain controller, nonadministrators must be assigned the Log On Locally user right at the domain controller. Because this user right is typically assigned in Group Policy, it enables users to log on at the console of any domain controller in the domain, greatly reducing security.

  • Implement the strongest available form of encryption between the Terminal Services client and server.

    Ensure that you have installed the High Encryption Pack to allow the implementation of high encryption for Terminal Services.

  • Choose the correct mode for your Terminal Services deployment.

    If remote administration is your only requirement, configure Terminal Services to implement remote administration mode, rather than application server mode. Remote administration mode allows only two simultaneous connections by members of the Administrators group. By default, nonadministrators are blocked from connecting to the terminal server.

  • Install the latest service pack and security updates.

    Install the latest service packs and security updates so that your terminal server is protected against known Terminal Services vulnerabilities.
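
The following audit sketch is an added example, not code from the Resource Kit. It checks exported registry values against several of the practices above. The registry value names and their meanings (TSAppCompat, TSUserEnabled, MinEncryptionLevel, Shadow, ProductType) are assumptions that do not appear on this page, and the sample input is constructed.

```python
import re

# Constructed sample in `reg query` output style for a hypothetical server.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
    ProductType    REG_SZ    LanmanNT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    TSAppCompat    REG_DWORD    0x1
    TSUserEnabled    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x2
    Shadow    REG_DWORD    0x1
"""

# Value lines are indented: name, type, data. Key-path lines are not indented.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.+)$")

def parse(text):
    """Return {value name: int for REG_DWORD, str otherwise}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, kind, raw = m.groups()
            values[name] = int(raw, 16) if kind == "REG_DWORD" else raw.strip()
    return values

def audit(values):
    """Map settings to the best practices above; absent values are not judged."""
    findings = []
    app_server = values.get("TSAppCompat") == 1      # 1 = application server mode
    if app_server and values.get("ProductType") == "LanmanNT":  # LanmanNT = DC
        findings.append("application server mode on a domain controller")
    if values.get("TSUserEnabled") == 1:             # 1 = TS 4.0 compatible permissions
        findings.append("TS 4.0 permissions compatibility: confirm Notssid.inf is applied")
    if values.get("MinEncryptionLevel", 3) < 3:      # 1 low, 2 medium, 3 high
        findings.append("encryption level below High")
    if values.get("Shadow", 0) != 0:                 # 0 = remote control disabled
        findings.append("remote control enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print("FINDING:", finding)
```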



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
