Configuring Terminal Services


Microsoft Windows Server 2003 Terminal Services can be managed and configured using several tools included with the operating system. This gives administrators flexibility and choice in how to manage Terminal Services in the enterprise. Because many of these tools overlap in function, the following sections describe the management and administrative functions of each. After you become familiar with each of these tools, you can decide which tool best fits your administrative needs.

Local Security Policy Settings

The Local Security Policy snap-in, as it applies to Terminal Services, is very limited but also very powerful. Only two settings can be configured for Terminal Services: Allow Logon Through Terminal Services and Deny Logon Through Terminal Services. These settings are located in Security Settings\Local Policies\User Rights Assignment.

By default, only the Local Administrators and Remote Desktop Users groups are allowed the right to log on through Terminal Services.
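The two rights described above can be audited from a `secedit` security policy export. The following is an added example, not code from the book: the privilege names and well-known SIDs are standard Windows identifiers that do not appear in the text, the function names are hypothetical, and the sample lines are constructed.

```powershell
# Added example: audit the two Terminal Services logon rights in a secedit export.
#   SeRemoteInteractiveLogonRight     = Allow Logon Through Terminal Services
#   SeDenyRemoteInteractiveLogonRight = Deny Logon Through Terminal Services
# Default holders named in the text, as well-known SIDs:
$DefaultHolders = @(
    '*S-1-5-32-544',   # BUILTIN\Administrators
    '*S-1-5-32-555'    # BUILTIN\Remote Desktop Users
)

function Get-TsLogonRight {
    param([string[]]$InfLines)
    $rights = @{
        SeRemoteInteractiveLogonRight     = @()
        SeDenyRemoteInteractiveLogonRight = @()
    }
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se(Deny)?RemoteInteractiveLogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[3].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-TsLogonRight {
    param([string[]]$InfLines)
    $r = Get-TsLogonRight $InfLines
    New-Object PSObject -Property @{
        Allow      = $r.SeRemoteInteractiveLogonRight
        Deny       = $r.SeDenyRemoteInteractiveLogonRight
        # Anything beyond the two default groups deserves a documented reason.
        Unexpected = @($r.SeRemoteInteractiveLogonRight | Where-Object { $DefaultHolders -notcontains $_ })
    }
}

# Constructed sample of the [Privilege Rights] section (the account SID is made up).
$sample = @(
    '[Privilege Rights]',
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1105',
    'SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546'
)
Test-TsLogonRight $sample | Format-List

# Against a live server (run as an administrator):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   Test-TsLogonRight (Get-Content "$env:TEMP\rights.inf") | Format-List
```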

Using the Computer Management Tool

On a standalone or member server implementation of Terminal Services, user-specific Terminal Server settings can be configured using the Computer Management tool. Under the Local Users and Groups section, Terminal Server settings, including profile location, logon script, and remote control permissions, are configured by editing user property pages. Because these configurations are made on an individual user basis, they make administration tedious and inefficient.

Note

Terminal Server settings configured within the Computer Management tool override client-specified settings.


The User Properties pages for configuring Terminal Server settings are the Sessions, Environment, Remote Control, and Terminal Services Profile tabs, as shown in Figure 27.8. The Terminal Services profile settings for a user include profile path, home directory, and Terminal Server logon access.

Figure 27.8. The Terminal Services Profile tab in the Active Directory Users and Computers MMC snap-in.


The remaining tabs are covered in the "Terminal Services Configuration (Tscc.msc)" section. To use the Computer Management tool, choose Start, Administrative Tools, Computer Management.

Active Directory Users and Computers (Dsa.msc)

To manage domain user Terminal Server settings, use the Active Directory Users and Computers MMC snap-in available on all domain controllers and computers with the Windows Server 2003 Administration Tools installed. The user-specific settings here are similar to the settings configured using Computer Management, but they are for domain user accounts. See the next section to learn more about configuring user-specific Terminal Server settings.

Terminal Services Configuration (Tscc.msc)

The Terminal Services Configuration MMC snap-in is installed on all servers by default. It can be used only to change local Terminal Server configuration. This tool has two sections, Connections and Server Settings. These settings are set at the server level and override user settings.

Server Settings

This Terminal Services Configuration MMC snap-in section gives seven policies to configure:

  • Delete Temporary Folders on Exit: This setting deletes user session-specific temporary folders when the user logs out of a terminal session. It works only if the Use Temporary Folders Per Session setting is enabled or set to Yes.

  • Use Temporary Folders Per Session: Terminal Server creates temporary folders on a per-session basis. Disabling this setting makes all Terminal Server sessions use the same temporary folders.

  • Licensing: Terminal Server supports per-device and per-session licensing modes. Choose the correct mode for your Terminal Servers.

  • Active Desktop: This setting allows users to have active content in their Terminal Server sessions. Disabling this setting conserves server resources by reducing the amount of server processing and network power required to paint the session screens with active content on the desktop.

  • Permission Compatibility: This setting offers two choices: Full Security and Relaxed Security. The choice depends on which resources users need access to in order to properly run the applications installed on Terminal Server. Relaxed mode was created to support legacy applications.

  • Restrict Each User to One Session: This setting was created to help support the Session Directory server for use with Terminal Server clusters. This setting allows users to reconnect to the correct node running the disconnected session by allowing only one session to run per cluster. You cannot reconnect to the wrong session if you have only one.

  • Session Directory: This setting should be enabled if the Terminal Server is part of a cluster; it sends session data to a Session Directory server to manage disconnected terminal sessions.

Connections

In the Connections section of Terminal Services Configuration, the administrator can configure Terminal Server options such as session time limitations, number of maximum sessions, resource redirection policy, remote control permissions, logon settings, encryption settings, application permission levels, and whether the user can run just one application or have a full desktop session.

Within a defined Terminal Server connection object's property page, there are eight tabs to set configuration options:

  • General: Within this tab, the Terminal Services administrator can configure the required client encryption level. Low encryption runs the Terminal Services sessions at 56-bit encryption; client-compatible encryption allows a client to connect at the highest negotiable encryption to the server; high encryption runs Terminal Services sessions at the highest encryption the Terminal Services server can handle; finally, FIPS Compliant encryption is the standard used by the U.S. government.

    Note

    If the client workstation does not support 128-bit encryption and the high encryption pack must be installed, Terminal Server client software must be reinstalled afterward to make use of the raised encryption level.


  • Logon Settings: On this tab, the user logon credentials settings can be set. The Terminal Server can log on sessions using a predefined user account, or client-provided logon information can be used. There is a check box to have the server always prompt for a password; this feature adds a level of security.

  • Sessions: The configurations set on the Sessions tab, shown in Figure 27.9, allow time limitations to be set for active, disconnected, or idle sessions. Configuring idle and disconnect session time helps to free server resources to keep performance high.

  • Environment: On this tab, a session can be configured to run only a single application as opposed to a full desktop session.

  • Remote Control: On this tab, remote control options can be configured so that they do not conflict with an organization's privacy policies, while still providing the desired administrative function.

  • Client Settings: The Client Settings tab is used to manage which local client resources can be made available within a Terminal Server session to enhance functionality or to secure the environment. For instance, some organizations require that data remain only on local file servers, thus requiring that mapping of local client disk drives and printers be disabled to prevent users from saving data on their remote workstations, or even worse, unknowingly uploading infected files to the Terminal Server network.

  • Network Adapter: This tab limits the number of connections a Terminal Server can have and also specifies a single network adapter for a particular Terminal Server connection object.

  • Permissions: This tab specifies who can access and/or administer the particular Terminal Server connection object.

Figure 27.9. The Sessions tab configuration settings.


Note

Configurations made in the Terminal Services Configuration snap-in override specified user and client settings.


Group Policy for Terminal Server

Group Policy contains several Terminal Server user and computer settings to configure Terminal Server sessions within Active Directory. A Terminal Server administrator can modify existing group policies or create new group policies to manage Terminal Server configurations on an Active Directory site, domain, or organizational unit level. The individual Terminal Server policies are applied to users individually or based on group membership.

Group Policy is the preferred method of standardizing Terminal Services configurations throughout Active Directory because user and server configurations can be centrally administered. Because so many Terminal Server settings are available in Group Policy, the following list outlines where Terminal Server settings can be found:

  • Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Allow Logon Through Terminal Services

    Deny Logon Through Terminal Services

  • Computer Configuration\Administrative Templates\Windows Components\Terminal Services

    Almost all Terminal Server settings can be configured here. Settings here override user or client configurations and also override settings made in the User Configuration section of Group Policy.

  • User Configuration\Administrative Templates\Windows Components\Terminal Services

    User session settings can be configured in this section. Settings here override user or client configurations.

A simple and effective way to manage the GPOs for your Terminal Services servers is to create an OU for your terminal servers and apply GPOs to the OU. Enabling the Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode setting is very important if you want the user-context GPO settings to take effect. Loopback processing can be set to either merge or replace. Merge combines existing domain-based GPOs with the ones for Terminal Services, whereas replace overrides all other settings so that only the Terminal Services-specific settings are applied.

Some additional GPO configuration options that might be useful for your environment include, but aren't limited to, the following:

  • Automatic Reconnection: Allows the client to attempt to reconnect to a broken session every 5 seconds for 20 attempts.

  • Restrict Terminal Services users to a single remote session: This option improves system performance and can significantly reduce end user confusion by limiting each user to a single session.

  • Encryption and Security section: There are many useful configuration settings, such as forcing an encryption level and prompting for a password during a connection.
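The encryption, password prompt, and client resource settings from the Connections section can be set either on the connection object or through Group Policy, and a value delivered by Group Policy takes precedence over the connection's own value. The following added example (not code from the book) resolves the effective value and its source for each setting; the registry value names and key paths are the standard Terminal Services ones and do not appear in the text, the function name is hypothetical, and the baseline and sample values are constructed assumptions.

```powershell
# Added example: resolve the effective RDP-Tcp setting and where it comes from.
# Assumed baseline (minimum acceptable values), not a recommendation from the text:
#   MinEncryptionLevel : 1=Low, 2=Client Compatible, 3=High, 4=FIPS Compliant
#   fPromptForPassword : 1=always prompt for password
#   fDisableCdm        : 1=client drive mapping disabled
#   fDisableCpm        : 1=client printer mapping disabled
$Baseline = @{ MinEncryptionLevel = 3; fPromptForPassword = 1; fDisableCdm = 1; fDisableCpm = 1 }

function Get-EffectiveTsSetting {
    param($Policy, $Connection)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        if ($null -ne $Policy.$name) {
            $value = $Policy.$name; $source = 'Group Policy'
        } elseif ($null -ne $Connection.$name) {
            $value = $Connection.$name; $source = 'Connection (Tscc.msc)'
        } else {
            $value = $null; $source = 'not set'
        }
        New-Object PSObject -Property @{
            Setting       = $name
            Value         = $value
            Source        = $source
            MeetsBaseline = ($null -ne $value -and $value -ge $Baseline[$name])
        }
    }
}

# Constructed sample: policy forces High encryption, everything else falls
# through to the connection object's own values.
$samplePolicy     = @{ MinEncryptionLevel = 3 }
$sampleConnection = @{ MinEncryptionLevel = 2; fPromptForPassword = 0; fDisableCdm = 0; fDisableCpm = 1 }
Get-EffectiveTsSetting $samplePolicy $sampleConnection |
    Format-Table Setting, Value, Source, MeetsBaseline -AutoSize

# Against a live server:
#   $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
#   $c = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
#   Get-EffectiveTsSetting $p $c | Format-Table Setting, Value, Source, MeetsBaseline -AutoSize
```

A row whose Source is the connection object is enforced only on that one server, so it is the first place to look when servers in the same OU behave differently.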




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
