Best Practices
This security template ensures that excess permissions are not granted to Terminal Services clients. This option might not allow some older applications to execute, so we recommend you upgrade to newer applications that follow the Windows 2000 security model.
Appsec.exe allows you to designate which applications are available to nonadministrators in a Terminal Services session. Users are limited to executing the programs listed within the Appsec.exe console.
Remote control allows administrators to view tasks performed by Terminal Services clients. If remote control is configured to allow administrators to interact with the desktop, they can actually perform tasks in the security context of the user, allowing for the impersonation of users.
To connect to a terminal server from the network, users must have the Log On Locally user right assigned. If you implement application server mode on a domain controller, nonadministrators must be assigned the Log On Locally user right at the domain controller. Because this user right is typically assigned in Group Policy, it enables users to log on at the console of any domain controller in the domain, greatly reducing security.
Ensure that you have installed the High Encryption Pack to allow the implementation of high encryption for Terminal Services.
If remote administration is your only requirement, configure Terminal Services to implement remote administration mode, rather than application server mode. Remote administration mode allows only two simultaneous connections by members of the Administrators group. By default, nonadministrators are blocked from connecting to the terminal server.
Keep the terminal server current with the latest service packs and security updates so that it is protected against any known Terminal Services vulnerabilities.
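The checks implied by the practices above (who holds Log On Locally on a domain controller, whether the server runs in application server or remote administration mode, what encryption level is enforced, and whether remote control lets administrators interact with a user's session) can be audited from the server itself. The following PowerShell script is an added example and is not part of the original text or any Microsoft tool. It assumes it is run elevated on the terminal server, that the `TSAppCompat` registry value (1 = application server mode) and the `Win32_TSGeneralSetting` / `Win32_TSRemoteControlSetting` WMI classes in `root\CIMV2\TerminalServices` are present as they are on Windows Server 2003 and later, and that the RDP listener is named `RDP-Tcp`; on Windows 2000 itself the WMI classes are not available and those two checks will report nothing.

```powershell
# Added audit script for the Terminal Services best practices above (example code, not from the original page).
# Assumptions: run elevated on the terminal server; registry/WMI names match Windows Server 2003 or later;
# the listener is 'RDP-Tcp'. Each finding is a plain string so the result can be piped or logged.

function Get-UserRightHolders {
    # Exports the local security policy and returns the accounts that hold the named user right
    # (e.g. SeInteractiveLogonRight = "Log on locally"). secedit writes SIDs prefixed with '*'.
    param([Parameter(Mandatory)][string]$Right)
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /quiet | Out-Null
    $line = Get-Content -Path $tmp | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try {
            (New-Object Security.Principal.SecurityIdentifier $id).Translate([Security.Principal.NTAccount]).Value
        } catch {
            $id   # already an account name, or a SID that cannot be resolved
        }
    }
}

function Invoke-TerminalServerAudit {
    $findings = @()

    # 1. Log On Locally on a domain controller: broad groups here can log on at any DC console.
    #    DomainRole 4 = backup DC, 5 = primary DC.
    $isDC = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
    $localLogon = @(Get-UserRightHolders 'SeInteractiveLogonRight')
    $broad = $localLogon | Where-Object { $_ -match 'Users$|Everyone$|Authenticated Users$' }
    if ($isDC -and $broad) {
        $findings += "Log on locally is granted to broad groups on a domain controller: $($broad -join ', ')"
    }

    # 2. Application server mode versus remote administration mode.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $appCompat = (Get-ItemProperty -Path $tsKey -Name TSAppCompat -ErrorAction SilentlyContinue).TSAppCompat
    if ($appCompat -eq 1) {
        $findings += 'Terminal Services runs in application server mode; use remote administration mode if remote administration is the only requirement.'
    }

    # 3. Encryption level and remote-control (shadow) policy from the TS WMI provider.
    $ns = 'root\CIMV2\TerminalServices'
    $general = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($general) {
        # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
        if ($general.MinEncryptionLevel -lt 3) {
            $findings += "Minimum encryption level is $($general.MinEncryptionLevel); set it to High (3) or FIPS (4)."
        }
    }
    $shadow = Get-WmiObject -Namespace $ns -Class Win32_TSRemoteControlSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    if ($shadow) {
        # Shadow: 0 = disabled, 1 = interact (user asked), 2 = interact (no ask), 3 = view only (user asked), 4 = view only (no ask)
        if ($shadow.Shadow -in 1, 2) {
            $findings += "Remote control allows administrators to interact with user sessions (Shadow=$($shadow.Shadow)); they act in the user's security context. Consider view-only (3)."
        }
    }

    return $findings
}

$result = Invoke-TerminalServerAudit
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Run the script once after configuring the server and again after each Group Policy change that touches user rights; an empty result means none of the four conditions above was detected, not that the server is fully hardened (service-pack and update status is not checked here).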