Terminal Services Modes of Operation


There are two Terminal Services functions within Windows Server 2003: Remote Desktop for Administration and Terminal Services (formerly known as Terminal Services Application Mode). Remote Desktop for Administration mode is installed (but not enabled) by default; Terminal Services must be manually installed and configured.

Remote Desktop for Administration

As mentioned earlier, Remote Desktop for Administration is included and installed with the Windows Server 2003 operating system and needs only to be enabled. This eases automated and unattended server deployment by enabling an administrator to deploy servers that can be managed remotely after the operating systems have completed installation. This mode can also be used to manage a headless server, which can reduce the amount of space needed in any server rack. More space can be dedicated to servers instead of switch boxes, monitors, keyboards, and mouse devices.

Remote Desktop for Administration limits the number of terminal sessions to two, with only one remote administration connection per network interface, whether over Remote Desktop Protocol (RDP) or Secure Sockets Layer (SSL). Only administrators can connect to these sessions. No additional licenses are needed to run a server in this Terminal Services mode, which enables an administrator to perform almost all the server management duties remotely.

Even though Remote Desktop for Administration is installed by default, this mode does not have to be enabled. Some organizations might see Remote Desktop for Administration as an unneeded security risk and choose to keep it disabled. This function can easily be disabled throughout the entire Active Directory (AD) forest by using a Group Policy setting to disable administrators from connecting through Remote Desktop for Administration.

Planning for Remote Desktop for Administration Mode

Unless Remote Desktop for Administration is viewed as a security risk, you should enable it on all internal servers to allow remote administration. For servers that are on the Internet or for DMZ networks, Remote Desktop for Administration may be used, but access should be even more restricted. For example, consider limiting access to a predefined IP address or set of IP addresses, using firewall ACLs to eliminate unauthorized attempts to log on to the server. Another option is to limit connections to the server based on protocol.

NOTE

The level of encryption for remote sessions by default is 128-bit (bidirectional). It is also important to note that some older Terminal Services Clients might not support that level of encryption.


Enabling Remote Desktop for Administration

Remote Desktop for Administration mode is installed on all Windows Server 2003 servers by default and needs only to be enabled. To manually enable this feature, follow these steps:

  1. Log on to the desired server with Administrator privileges.

  2. Click Start, right-click the My Computer shortcut, and then click Properties.

  3. Select the Remote tab, and under the Remote Desktop section, check the Allow users to connect remotely to your computer box, as shown in Figure 21.1.

    Figure 21.1. Enabling users to connect to the system remotely.


  4. Click OK in the Systems Properties page to complete this process.

Remote Administration (HTML)

Formerly known as the Terminal Services Advanced Client (TSAC) in Windows 2000, the Remote Administration (HTML) tool can also be used to manage Exchange Server 2003. The primary intention of this tool is to provide basic remote administration capabilities for Internet Information Services 6.0 Web servers, as shown in Figure 21.2. However, there are capabilities built in that enable administrators to not only check server status, logs, and IIS functionality, but also to manage server network configurations and email alerts, and use the Exchange System Manager (ESM) through Remote Desktop, as shown in Figure 21.3.

Figure 21.2. Remote Administration (HTML) tool options.


Figure 21.3. Remote Desktop access from the Remote Administration tool.


Installing and Enabling Remote Administration (HTML)

As hinted at in the last section, Remote Administration (HTML) is a Windows Server 2003 IIS component, and it cannot be used to manage earlier versions of IIS. It is also not enabled by default. This does not mean that using this tool creates unnecessary security risks. Instead it keeps Windows Server 2003 security in a more consistent, locked-down state, and you need to manually install and configure its settings to meet the security requirements of your company.

To install Remote Administration (HTML), do the following:

  1. Select Add or Remove Programs from the Start, Control Panel menu.

  2. Choose Add/Remove Windows Components and then highlight Application Server in the Windows Components Wizard window.

  3. Click Details and then highlight Internet Information Services (IIS) in the Application Server window.

  4. Click Details again and highlight World Wide Web Services. Click Details one more time in order to view the Remote Administration (HTML) option, as shown in Figure 21.4.

    Figure 21.4. Installing the Remote Administration (HTML) tool.


  5. Click OK three times to return to the Windows Components Wizard window and then click Next.

  6. When installation completes, click Finish.

To enable Remote Administration (HTML), perform the following steps:

  1. Select the Internet Information Services Manager from the Start, Administrative Tools menu.

  2. Expand the server and also the Web Site folder to display a list of Web sites hosted on the Exchange Server 2003 server.

  3. Right-click the Administration Web site and then select Properties.

  4. Within the Web site identification section, record the port numbers that are displayed for the TCP and SSL ports. The defaults are 8099 and 8098.

  5. Select the Directory Security tab and then click the Edit button under the IP address and domain name restrictions section. You can restrict access by a single IP address, by a group of IP addresses, or by domain name.

    CAUTION

    Although you can grant access to all computers, all computers in an IP address subnet, or all computers in a domain, you should limit the number of computers that may have access using Remote Administration (HTML) to Exchange Server 2003. Otherwise, unnecessary security vulnerabilities can be introduced on the Exchange Server 2003 server.

  6. In the IP Address and Domain Name Restrictions window select Denied Access, and then click the Add button. Note that you can optionally click DNS Lookup to verify the name of the server to which you are granting access.

  7. In the Grant Access window, click Single computer and then enter in the IP address of the computer to which you want to grant access.

  8. Click OK twice and then close the IIS Manager.

To remotely administer the Exchange Server 2003 server from the computer that has been granted access, open Internet Explorer and type https://servername:8098, where servername is the name of the server. You will be prompted to provide username and password credentials in order to log on to the server.
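The planning advice above (restrict the remote-administration listeners to a predefined set of addresses with firewall ACLs, and restrict by protocol) and the IIS "Denied Access, then grant a single computer" procedure both describe the same default-deny allowlist. The following Python script is an added example, not code from the book, that models such a policy and audits a set of constructed connection attempts against it. The port numbers 8098 and 8099 are the defaults given on the page; 3389 is assumed here to be the RDP listener port, which the page does not state.

```python
import ipaddress

RDP_PORT = 3389          # assumption: standard RDP listener port (not stated on the page)
ADMIN_SSL_PORT = 8098    # default SSL port of the IIS Administration Web site (from the page)
ADMIN_TCP_PORT = 8099    # default plain TCP port of the same site (from the page)


class AdminAccessPolicy:
    """Default-deny ACL for the remote-administration listeners.

    allowed_sources: IPs or CIDR blocks of management workstations (the
                     "single computer" / "group of computers" choices in the
                     IIS restriction dialog, or a firewall ACL in front of RDP).
    allowed_ports:   listeners that may be reached at all; leaving 8099 out
                     enforces the "restrict by protocol" advice (SSL only).
    """

    def __init__(self, allowed_sources, allowed_ports):
        self.networks = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
        self.allowed_ports = set(allowed_ports)

    def decide(self, src_ip, dst_port):
        """Return (verdict, reason). Anything not explicitly allowed is denied."""
        if dst_port not in self.allowed_ports:
            return ("deny", f"port {dst_port} is not an approved admin listener")
        ip = ipaddress.ip_address(src_ip)
        for net in self.networks:
            if ip in net:
                return ("allow", f"{src_ip} is inside {net}")
        return ("deny", f"{src_ip} is not an approved management source")


def audit(policy, attempts):
    """Evaluate (src_ip, dst_port) attempts; return a list of (ip, port, verdict)."""
    return [(ip, port, policy.decide(ip, port)[0]) for ip, port in attempts]


# Constructed sample policy: one management subnet and one jump host are
# allowed, and only RDP and the SSL admin site are reachable.
POLICY = AdminAccessPolicy(
    allowed_sources=["10.10.5.0/24", "192.0.2.44"],
    allowed_ports={RDP_PORT, ADMIN_SSL_PORT},
)

# Constructed sample attempts (addresses are documentation/private ranges).
SAMPLE_ATTEMPTS = [
    ("10.10.5.17", RDP_PORT),        # admin workstation on the management subnet
    ("192.0.2.44", ADMIN_SSL_PORT),  # the single granted jump host, over SSL
    ("192.0.2.44", ADMIN_TCP_PORT),  # same host, but the plain-HTTP admin port
    ("198.51.100.9", RDP_PORT),      # unrelated Internet address
]

if __name__ == "__main__":
    for ip, port, verdict in audit(POLICY, SAMPLE_ATTEMPTS):
        print(f"{ip:>14} -> {port}: {verdict}")
```

The port check runs before the source check so that the plain-HTTP port stays closed even to the granted jump host; this mirrors the page's point that protocol restrictions and address restrictions are layered, not alternatives.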

NOTE

As mentioned earlier, Remote Administration (HTML) provides the necessary tools for managing essential IIS components and basic Windows Server 2003 features, but it also provides a link for the Remote Desktop. The Remote Desktop is the Web-based equivalent of Remote Desktop for Administration. This link must be used if you are to manage an Exchange Server 2003 server. Therefore, the Remote Administration (HTML) tool is useful on older or non-Windows computers that need access for remote Exchange Server 2003 management purposes. Otherwise, if the computer accessing Exchange Server 2003 remotely via the Remote Administration (HTML) tool also has the Remote Desktop Connection tool (for the client side), it begs the question of why the Remote Desktop for Administration tool is not being used in the first place. Unless a security policy dictates that the RDP port should not be open on the firewall, the Remote Desktop for Administration tool is recommended.


Remote Desktop Administration Tips and Tricks

There are several key points to consider before using either Remote Desktop for Administration or Remote Administration (HTML), including, but not limited to, the following:

  • Make sure resources are available. What IT personnel resources, if any, are available at the remote location or at the Exchange Server 2003 server's location? If a problem arises with the connection to the remote Exchange Server 2003 server or with the server itself (for example, a disconnection), there should be contingency plans available to recover and continue to remotely manage the system. Generally speaking, it is a good idea to have someone in the vicinity who can assist the administrator in some form or fashion.

  • Use care when modifying network configurations. With any remote administration tool, you are dependent upon the connectivity between the client computer and the Exchange Server 2003 server that is being remotely managed. If network configuration settings must be modified remotely, consider having alternative methods of access. For instance, dial-up or a separate network connection might minimize downtime or other issues stemming from loss of connectivity.

  • Use disconnect and reset timeout values. Anytime a connection is accidentally broken or an administrator disconnects, the remote session is placed into a disconnected state that can later be reconnected and used to manage a server remotely. Disconnect and reset timeouts are not configured by default for remote desktop administration tools. These values can be used to ensure that administrators are not unintentionally locked out (for example, when there are two remote sessions that are active but in a disconnected state). Generally speaking, using 10- to 20-minute timeout values allows enough time for administrators to reconnect if they were accidentally disconnected. Moreover, it helps minimize the number of sessions that are disconnected and not being used.

  • Coordinate remote administration efforts. The number of remote administration connections is limited to a precious two. Therefore, plan and coordinate efforts to reduce the number of attempts to access Exchange Server 2003 servers remotely. This also helps ensure that remote administration activities do not conflict with other administrators and sessions or, in the worst of cases, corrupt information or data on the server.
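The lockout the timeout bullet warns about (two sessions both sitting in the disconnected state, leaving no slot for the next administrator) is easy to see in a small model. The script below is an added example, not code from the book: a toy session table with the page's two-session limit, a disconnect that leaves a session reconnectable, and a reset timeout that reclaims stale sessions. The timeout value is a parameter so the default (no timeout) can be compared with a value in the page's suggested 10- to 20-minute range.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ADMIN_SESSIONS = 2   # Remote Desktop for Administration allows two sessions (from the page)


@dataclass
class Session:
    user: str
    connected: bool = True
    disconnected_at: Optional[int] = None   # minutes on a simple clock; None while connected


class AdminSessionTable:
    """Toy model of the two-session limit and of the disconnect/reset timeout.

    timeout_minutes=None reproduces the default (no timeout configured):
    disconnected sessions linger indefinitely and can lock everyone out.
    """

    def __init__(self, timeout_minutes=None):
        self.timeout_minutes = timeout_minutes
        self.sessions = []

    def _reclaim(self, now):
        """Drop disconnected sessions older than the timeout (the 'reset' action)."""
        if self.timeout_minutes is None:
            return
        self.sessions = [
            s for s in self.sessions
            if s.connected or now - s.disconnected_at < self.timeout_minutes
        ]

    def connect(self, user, now):
        """Return True if the user got a session.

        A disconnected session belonging to the same user is resumed rather
        than counted as a second slot, as the page describes for reconnects.
        """
        self._reclaim(now)
        for s in self.sessions:
            if s.user == user and not s.connected:
                s.connected, s.disconnected_at = True, None
                return True
        if len(self.sessions) >= MAX_ADMIN_SESSIONS:
            return False
        self.sessions.append(Session(user))
        return True

    def disconnect(self, user, now):
        """A dropped link leaves the session in the disconnected state, still occupying a slot."""
        for s in self.sessions:
            if s.user == user and s.connected:
                s.connected, s.disconnected_at = False, now


def lockout_scenario(timeout_minutes):
    """Constructed scenario: two admins lose their links at t=0 and never come
    back; a third admin tries at t=30. Returns whether the third admin got in."""
    table = AdminSessionTable(timeout_minutes)
    table.connect("alice", now=0)
    table.connect("bob", now=0)
    table.disconnect("alice", now=0)
    table.disconnect("bob", now=0)
    return table.connect("carol", now=30)


if __name__ == "__main__":
    print("no timeout   ->", "carol gets in" if lockout_scenario(None) else "carol locked out")
    print("15 min reset ->", "carol gets in" if lockout_scenario(15) else "carol locked out")
```

With no timeout the two stale sessions hold both slots and the third administrator is refused; with a 15-minute reset the stale sessions are reclaimed first. A timeout longer than the gap (say 45 minutes) still locks the third administrator out, which is why the page suggests keeping the value short enough to matter while still long enough for an accidental disconnect to be resumed.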

Terminal Services

Terminal Services mode is available in all editions of Windows Server 2003 (that is, Standard, Enterprise, and DataCenter) except the Web edition. It enables any authorized user to connect to the server and run a single application or a complete desktop session from the client workstation. Because the applications are loaded and running on the Terminal Services server, client desktop resources are barely used; all the application processing is performed by the Terminal Services server. This enables companies to extend the life of old, less-powerful workstations by running applications only from a Terminal Services server session.

Terminal Services is generally not considered a viable technology to manage Exchange Server 2003 remotely. Although it is possible to use Terminal Services to manage Exchange Server 2003, there are several planning considerations that must be addressed to determine whether Terminal Services is suitable in your environment.

Planning Considerations for Using Terminal Services

Terminal Services can require a lot of planning, especially when you're considering whether to use it to manage Exchange Server 2003 remotely. Because Terminal Services is intended to make applications available to end-users rather than serve as a remote management service, security, server performance, and licensing are key components to consider before using it in a production environment.

Terminal Services Security

Terminal Services servers should be secured following standard security guidelines defined in company security policies and as recommended by hardware and software vendors. Some basic security configurations include removing all unnecessary services from the Terminal Services nodes and applying security patches for known vulnerabilities on services or applications that are running on the Terminal server.

An administrator can use Group Policy to limit client functionality as needed to enhance server security, and if increased network security is a requirement, can consider requiring clients to run sessions in 128-bit high-encryption mode.

Windows Server 2003 Terminal Services can be run in either Full Security or Relaxed Security permission compatibility mode to meet an organization's security policy and application requirements. Full Security mode was created to help lock down the Terminal server environment and reduce the risk of users mistakenly installing software or inadvertently disabling the Terminal Services server by moving directories or deleting Registry keys. This mode can be used for most certified Terminal server applications. Relaxed Security mode was created to support legacy applications that require extended access into the server system directory and System Registry.

In addition to all the more common security precautions that are recommended for Terminal Services, you must also consider how running Terminal Services on an Exchange Server 2003 server affects security. Using a server with both Terminal Services and Exchange Server 2003 roles and responsibilities can be a dangerous combination and should be considered only in the smallest of environments with very relaxed security requirements. In any circumstance, the combination is not recommended.

Combining the two services and configuring Terminal Services to remotely manage Exchange Server 2003 can result in many security-related hazards, including the following:

  • A single misconfiguration or setting can enable users to change specific Exchange Server 2003 settings or parameters.

  • Users authorized to shut down or restart the system might inadvertently do so, causing messaging downtime.

  • Application-specific security might conflict or in some cases unintentionally allow or restrict access to messaging components on the server.

Terminal Server Licensing

Terminal Services requires the purchase of client access licenses (CALs) for each client device or session. A Terminal Services License Server also must be available on the network to allocate and manage these CALs. When a Terminal Services server is establishing a session with a client, it checks with the Terminal Services License Server to verify whether this client has a license. A license is allocated if the client does not already have one.

NOTE

Using Terminal Services to connect to and remotely manage an Exchange Server 2003 server does not exempt you from needing a Terminal Services CAL. This adds to the overall cost of supporting Exchange Server 2003.


To install licenses on the TS License server, the Terminal Services License server must first be installed and then activated online. The TS License server requires Internet access or dial-up modem access to activate the client access licenses added to the server.

When a Terminal Services server cannot locate a Terminal Services License Server on the network, it still allows unlicensed clients to connect. This can go on for 120 days without contacting a license server, after which the server stops serving Terminal Services sessions. It is imperative to get a license server installed on the network as soon as possible, before Terminal Services servers are deployed to production.



Source: Microsoft Exchange Server 2003 Unleashed (2nd Edition), Rand Morimoto, 2003. ISBN 0672328070, 393 pages.
