Avoid installing applications and services from within a Terminal Server session to avoid getting locked out of your Terminal Server sessions.
Filter the security event log for user logon and logoff events and review performance logs.
Configure each of the Terminal Server nodes in a cluster to restrict each user to one Terminal Services session through Group Policy or in the Terminal Services configuration snap-in.
When clustering or load balancing Windows Server 2003 Terminal Servers, use Session Directory server to manage sessions within the Terminal Services cluster.
Enable Remote Desktop for Administration mode on all internal servers to allow for remote administration.
When choosing an antivirus product, be sure to choose one that is certified to run on Windows Server 2003 Terminal Servers.
When a Terminal Server is due for an operating system upgrade, if possible replace the server with a clean build and test all applications, instead of performing in-place upgrades to avoid server or application failures.
Place your Terminal Servers where they can be readily accessed by the clients that will primarily be using them.
Whenever possible, choose applications that have been tested and certified by Microsoft to run on Windows Server 2003 Terminal Servers.
For optimum performance for multitiered applications, install two or more network cards on a Terminal Server and configure the server to use one exclusively for Terminal Server client connectivity and the others for back-end server communication.
Use Group Policy to limit client functionality as needed to enhance server security, and if increased network security is a requirement, consider requiring clients to run sessions in 128-bit high encryption mode.