There are two Terminal Services functions within Windows Server 2003: Remote Desktop for Administration and Terminal Services (formerly known as Terminal Services Application Mode). Remote Desktop for Administration mode is installed (but not enabled) by default; Terminal Services must be manually installed and configured.

Remote Desktop for Administration

As mentioned earlier, Remote Desktop for Administration is included and installed with the Windows Server 2003 operating system and needs only to be enabled. This eases automated and unattended server deployment by enabling an administrator to deploy servers that can be managed remotely after the operating systems have completed installation. This mode can also be used to manage a headless server, which can reduce the amount of space needed in any server rack. More space can be dedicated to servers instead of switch boxes, monitors, keyboards, and mouse devices.

Remote Desktop for Administration limits the number of terminal sessions to two, with only one Remote Desktop Protocol (RDP) or Secure Sockets Layer (SSL) for remote administration connection per network interface. Only administrators can connect to these sessions. No additional licenses are needed to run a server in this Terminal Services mode, which enables an administrator to perform almost all the server management duties remotely.

Even though Remote Desktop for Administration is installed by default, this mode does not have to be enabled. Some organizations might see Remote Desktop for Administration as an unneeded security risk and choose to keep it disabled. This function can easily be disabled throughout the entire Active Directory (AD) forest by using a Group Policy setting to disable administrators from connecting through Remote Desktop for Administration.
Planning for Remote Desktop for Administration Mode

Unless Remote Desktop for Administration is viewed as a security risk, you should enable it on all internal servers to allow remote administration. For servers that are on the Internet or for DMZ networks, Remote Desktop for Administration may be used, but access should be even more restricted. For example, consider limiting access to a predefined IP address or set of IP addresses, using firewall ACLs to eliminate unauthorized attempts to log on to the server. Another option is to limit connections to the server based on protocol.

NOTE
The level of encryption for remote sessions by default is 128-bit (bidirectional). It is also important to note that some older Terminal Services Clients might not support that level of encryption.

Enabling Remote Desktop for Administration

Remote Desktop for Administration mode is installed on all Windows Server 2003 servers by default and needs only to be enabled. To manually enable this feature, follow these steps:
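The planning section above recommends enabling Remote Desktop for Administration, keeping the 128-bit (High) encryption level, and, on Internet-facing or DMZ servers, restricting the RDP port to a predefined set of addresses with firewall ACLs. The following script is an added example written for this chapter; it is not code from the book or from Microsoft. It audits those settings on the local Windows Server 2003 host and can apply them. It assumes PowerShell v2 or later is installed as an add-on on the server, that the registry value names are the ones Terminal Services Configuration and the "Allow users to connect remotely" Group Policy write (fDenyTSConnections, MinEncryptionLevel, PortNumber), that the host runs the Windows Firewall that ships with Service Pack 1 (netsh firewall syntax), and that the address list is a constructed sample.

```powershell
# Added example (not from the book). Audit, and optionally harden, the Remote
# Desktop for Administration configuration on the local Windows Server 2003 host.
# Assumes PowerShell v2+ and the registry value names used by Terminal Services
# Configuration and the Terminal Services Group Policy settings.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

function Test-RemoteAdminConfig {
    # fDenyTSConnections: 1 = refuse connections (the default), 0 = allow.
    $deny       = Get-RegValue $TsKey  'fDenyTSConnections'
    $policyDeny = Get-RegValue $PolKey 'fDenyTSConnections'   # Group Policy override, if present
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit both ways), 4 = FIPS.
    $minEnc     = Get-RegValue $RdpKey 'MinEncryptionLevel'
    $port       = Get-RegValue $RdpKey 'PortNumber'
    if ($port -eq $null) { $port = 3389 }

    $findings = @()
    if ($policyDeny -eq 1) {
        $findings += 'Group Policy forbids Remote Desktop connections on this host; local settings are overridden.'
    } elseif ($deny -ne 0) {
        $findings += 'Remote Desktop for Administration is installed but not enabled (fDenyTSConnections is not 0).'
    }
    if ($minEnc -eq $null -or $minEnc -lt 3) {
        $findings += "MinEncryptionLevel is '$minEnc'; High (3) is expected for 128-bit bidirectional sessions."
    }
    return New-Object PSObject -Property @{
        Port       = $port
        PolicyDeny = $policyDeny
        Findings   = $findings
    }
}

function Set-RemoteAdminHardening([string[]]$AllowedAddresses) {
    $cfg = Test-RemoteAdminConfig
    if ($cfg.PolicyDeny -eq 1) {
        Write-Warning 'A Group Policy disables Remote Desktop here; change the policy rather than the local keys.'
        return
    }
    # Enable the listener and require High encryption.
    Set-ItemProperty -Path $TsKey  -Name 'fDenyTSConnections' -Value 0 -Type DWord
    Set-ItemProperty -Path $RdpKey -Name 'MinEncryptionLevel' -Value 3 -Type DWord
    # Open the RDP port only for the predefined management addresses, the
    # firewall-ACL restriction recommended for Internet-facing and DMZ servers.
    $scope = $AllowedAddresses -join ','
    netsh firewall add portopening protocol=TCP port=$($cfg.Port) name=RemoteDesktopRestricted mode=ENABLE scope=CUSTOM addresses=$scope
}

# Usage: audit first; apply the hardening only after reviewing the findings.
$report = Test-RemoteAdminConfig
$report.Findings | ForEach-Object { Write-Host "FINDING: $_" }
# Set-RemoteAdminHardening -AllowedAddresses @('10.0.0.10', '10.0.0.11')   # constructed sample addresses
```

Run the audit from an elevated prompt on each server; the hardening function is deliberately commented out so that a Group Policy that forbids remote connections is honoured and the address scope is reviewed before the firewall rule is created.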
Remote Administration (HTML)

Formerly known as the Terminal Services Advanced Client (TSAC) in Windows 2000, the Remote Administration (HTML) tool can also be used to manage Exchange Server 2003. The primary intention of this tool is to provide basic remote administration capabilities for Internet Information Services 6.0 Web servers, as shown in Figure 21.2. However, there are capabilities built in that enable administrators to not only check server status, logs, and IIS functionality, but also to manage server network configurations and email alerts, and use the Exchange System Manager (ESM) through Remote Desktop, as shown in Figure 21.3.

Figure 21.2. Remote Administration (HTML) tool options.

Figure 21.3. Remote Desktop access from the Remote Administration tool.
Installing and Enabling Remote Administration (HTML)

As hinted at in the last section, Remote Administration (HTML) is a Windows Server 2003 IIS component, and it cannot be used to manage earlier versions of IIS. It is also not enabled by default. This does not mean that using this tool creates unnecessary security risks. Instead it keeps Windows Server 2003 security in a more consistent, locked-down state, and you need to manually install and configure its settings to meet the security requirements of your company. To install Remote Administration (HTML), do the following:
To enable Remote Administration (HTML), perform the following steps:
To remotely administer the Exchange Server 2003 Server from the computer that has been granted access, open Internet Explorer and type https://servername:8098 where servername is the name of the server. You will be prompted to provide username and password credentials in order to log onto the server.

NOTE
As mentioned earlier, Remote Administration (HTML) provides the necessary tools for managing essential IIS components and basic Windows Server 2003 features, but it also provides a link for the Remote Desktop. The Remote Desktop is the Web-based equivalent of Remote Desktop for Administration. This link must be used if you are to manage an Exchange Server 2003 server. Therefore, the Remote Administration (HTML) tool is useful on older or non-Windows computers that need access for remote Exchange Server 2003 management purposes. Otherwise, if the computer accessing Exchange Server 2003 remotely via the Remote Administration (HTML) tool also has the Remote Desktop Connection tool (for the client side), it begs the question of why the Remote Desktop for Administration tool is not being used in the first place. Unless a security policy dictates that the RDP port should not be open on the firewall, the Remote Desktop for Administration tool is recommended.

Remote Desktop Administration Tips and Tricks

There are several key points to consider before using either Remote Desktop for Administration or Remote Administration (HTML), including, but not limited to, the following:
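Once either remote administration path is in place, the firewall restrictions from the planning section should be verified from the outside rather than assumed. The script below is an added example written for this chapter, not code from the book or from Microsoft. Run from an administrative workstation, it reports whether the two listeners discussed in this section, RDP on its default port 3389 and Remote Administration (HTML) on HTTPS port 8098, accept a TCP connection from that workstation. The server name is a constructed placeholder, and the script assumes PowerShell v2 or later on the workstation.

```powershell
# Added example (not from the book). Check, from an administrative workstation,
# which remote administration listeners on an Exchange Server 2003 host answer.
# Assumptions: 3389 is the unchanged RDP default; 8098 is the Remote
# Administration (HTML) HTTPS port given in the text; the server name is a
# constructed placeholder.

function Test-RemoteAdminListener {
    param(
        [string]$Server,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so an address that is filtered (no RST) does not hang the check.
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($done -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$Server = 'exchange01.example.internal'   # constructed placeholder
$checks = @(
    @{ Name = 'Remote Desktop for Administration (RDP)'; Port = 3389 },
    @{ Name = 'Remote Administration (HTML) over HTTPS'; Port = 8098 }
)
foreach ($c in $checks) {
    $open  = Test-RemoteAdminListener -Server $Server -Port $c.Port
    $state = if ($open) { 'reachable' } else { 'blocked or not listening' }
    Write-Host ("{0,-45} port {1,5}: {2}" -f $c.Name, $c.Port, $state)
}
```

Run it once from a host on the predefined address list and once from a host that is not on it; the second run should report both ports as blocked. A listener that is reachable from the second host means the firewall ACL is not doing what the planning section expects.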
Terminal Services

Terminal Services mode is available in all editions of Windows Server 2003 (that is, Standard, Enterprise, and DataCenter) except the Web edition. It enables any authorized user to connect to the server and run a single application or a complete desktop session from the client workstation. Because the applications are loaded and running on the Terminal Services server, client desktop resources are barely used; all the application processing is performed by the Terminal Services server. This enables companies to extend the life of old, less-powerful workstations by running applications only from a Terminal Services server session. Terminal Services is generally not considered a viable technology to manage Exchange Server 2003 remotely. Although it is possible to use Terminal Services to manage Exchange Server 2003, there are several planning considerations that must be addressed to determine whether Terminal Services is suitable in your environment.

Planning Considerations for Using Terminal Services

Terminal Services can require a lot of planning, especially when you're considering whether to use it to manage Exchange Server 2003 remotely. Because Terminal Services is intended to make applications available to end-users rather than serve as a remote management service, security, server performance, and licensing are key components to consider before using it in a production environment.

Terminal Services Security

Terminal Services servers should be secured following standard security guidelines defined in company security policies and as recommended by hardware and software vendors. Some basic security configurations include removing all unnecessary services from the Terminal Services nodes and applying security patches for known vulnerabilities on services or applications that are running on the Terminal server.
An administrator can use Group Policy to limit client functionality as needed to enhance server security, and if increased network security is a requirement, can consider requiring clients to run sessions in 128-bit high-encryption mode. Windows Server 2003 Terminal Services can be run in either Full Security or Relaxed Security permission compatibility mode to meet an organization's security policy and application requirements. The Full Security permission compatibility mode was created to help lock down the Terminal server environment to reduce the risk of users mistakenly installing software or inadvertently disabling the Terminal Services server by moving directories or deleting Registry keys. This mode can be used for most certified Terminal server applications. Relaxed Security mode was created to support legacy applications that require extended access into the server system directory and System Registry.

In addition to all the more common security precautions that are recommended for Terminal Services, you must also consider how running Terminal Services on an Exchange Server 2003 server affects security. Using a server with both Terminal Services and Exchange Server 2003 roles and responsibilities can be a dangerous combination and should be considered only in the smallest of environments with very relaxed security requirements. In any circumstance, the combination is not recommended. Combining the two services and configuring Terminal Services to remotely manage Exchange Server 2003 can result in many security-related hazards, including the following:
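Because the combination of Terminal Services and Exchange Server 2003 on one server is easy to introduce by accident (the role is installed with a few clicks), it is worth having a check that reports it, along with the permission compatibility mode in force. The script below is an added example written for this chapter, not code from the book or from Microsoft. It takes the presence of the HKLM\SOFTWARE\Microsoft\Exchange\Setup key as the marker of an Exchange 2003 installation, reads TSAppCompat = 1 as Terminal Services (application-server) mode and TSUserEnabled = 1 as Relaxed Security, as Terminal Services Configuration writes them; treat those three value interpretations as assumptions and confirm them against the console on your own build before relying on the output. It assumes PowerShell v2 or later on the server.

```powershell
# Added example (not from the book). Report whether this Windows Server 2003
# host combines Exchange Server 2003 with Terminal Services in application mode,
# which permission compatibility mode is set, and how many sessions are active.
# Assumed registry semantics: Exchange\Setup key present = Exchange installed;
# TSAppCompat 1 = application-server mode; TSUserEnabled 1 = Relaxed Security.

function Get-TsExchangeExposure {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $exchangeInstalled = Test-Path 'HKLM:\SOFTWARE\Microsoft\Exchange\Setup'

    $ts = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue
    $appMode = ($ts -ne $null -and $ts.TSAppCompat -eq 1)
    $relaxed = ($ts -ne $null -and $ts.TSUserEnabled -eq 1)
    $rdpOn   = ($ts -ne $null -and $ts.fDenyTSConnections -eq 0)

    # Count active sessions with the built-in 'query session' tool; Remote
    # Desktop for Administration permits at most two, all administrators.
    $active = @(query session 2>$null | Select-String -Pattern '\bActive\b').Count

    $findings = @()
    if ($exchangeInstalled -and $appMode) {
        $findings += 'Exchange Server 2003 and Terminal Services (application mode) share this server; this combination is not recommended.'
    }
    if ($appMode -and $relaxed) {
        $findings += 'Permission compatibility is Relaxed Security: users get extended access to the system directory and Registry.'
    }
    if ($exchangeInstalled -and $rdpOn -and -not $appMode) {
        $findings += 'Remote Desktop for Administration only: the expected mode for remote Exchange management.'
    }
    if ($exchangeInstalled -and -not $rdpOn -and -not $appMode) {
        $findings += 'No remote Terminal Services access is enabled on this Exchange server.'
    }

    $modeName = 'Remote Desktop for Administration'
    if ($appMode) { $modeName = 'Terminal Services (application)' }
    $permName = 'Full Security'
    if ($relaxed) { $permName = 'Relaxed Security' }

    return New-Object PSObject -Property @{
        ExchangeInstalled    = $exchangeInstalled
        TerminalServicesMode = $modeName
        PermissionMode       = $permName
        ActiveSessions       = $active
        Findings             = $findings
    }
}

Get-TsExchangeExposure | Format-List
```

The output is meant for a periodic configuration review: an Exchange server that reports application mode, or Relaxed Security on any Terminal server, is a finding to take back to the owner, and the active-session count shows whether the two-session limit of Remote Desktop for Administration is actually in effect.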
Terminal Server Licensing

Terminal Services requires the purchase of client access licenses (CALs) for each client device or session. A Terminal Services License Server also must be available on the network to allocate and manage these CALs. When a Terminal Services server is establishing a session with a client, it checks with the Terminal Services License Server to verify whether this client has a license. A license is allocated if the client does not already have one.

NOTE
Using Terminal Services to connect to and remotely manage an Exchange Server 2003 server does not exempt you from needing a Terminal Services CAL. This adds to the overall cost of supporting Exchange Server 2003.

To install licenses on the TS License server, the Terminal Services License server must first be installed and then activated online. The TS License server requires Internet access or dial-up modem access to activate the client access licenses added to the server. When a Terminal Services server cannot locate a Terminal Services License Server on the network, it still allows unlicensed clients to connect. This can go on for 120 days without contacting a license server, and then the server stops serving Terminal Services sessions. It is imperative to get a license server installed on the network as soon as possible, before Terminal Services servers are deployed to production.