Windows Server with Terminal Services

Introduction

Here's an article on how to set up a Windows Server host so that remote users can log in through the Terminal Services add-on. There is also a companion article on Active Directory.

Installing a stand-alone server from scratch

"2X SecureRDP for Windows Terminal Services dramatically increases the security of your terminal servers by accepting or denying incoming RDP connections by IP, Mac address, computer name, client version or based on time of day" (Freeware)

Checklists: Setting up Terminal Server

How does TS locate the TS Licensing Server?

What's the difference between Per User and Per Device?

Is Active Directory needed?

What's wrong with adding TS to the only server on the LAN, acting as Domain Controller?


from Que's MS Windows Server 2003 Delta Guide

No matter how you purchase Windows Server 2003, or how much you pay, you'll still be buying licenses for the operating system. Microsoft server operating systems actually require two licenses: A server license allows you to actually run the operating system on a single server computer; a client access license (CAL) allows a single user to connect to the server and utilize its services.

Windows Server 2003—and indeed, pretty much every preceding version of Windows—recognizes two types of client licensing. The first is per-seat licensing, in which you buy one CAL for each client computer in your organization. The second is per-client licensing, in which you buy one CAL for each connection that will be made between a particular server and a client. This is the same type of licensing that both Windows 2000 Server and Windows NT Server 4.0 use.

Microsoft's three programs are each targeted at different sizes of businesses with different needs and different budgets. Two basic programs apply to Windows Server 2003: Open License and Select License. Other custom licensing programs can be negotiated by larger companies that deal directly with Microsoft.

When you install Windows Server 2003 from retail media—the CD-ROM you buy in a store or from another retailer—you type in a unique product ID during the setup process. This product ID is generally printed on the back of the CD jewel case. After the installation is complete, Windows Server 2003 contacts Microsoft over the Internet (there's a phone-in option if you're not connected) and registers your product ID. From that point, your product ID is permanently tied to your server's hardware configuration. You can reinstall and reactivate Windows as many times as you want on that particular hardware; if you try to use the same product ID to install Windows on a different server, the activation process will fail.

per server or per seat?

Other new features introduced by Windows XP that are now incorporated in Windows Server 2003 include two features for remotely controlling users' workstations: Remote Desktop and Remote Assistance. Both Remote Desktop and Remote Assistance use the Remote Desktop Protocol (RDP) for communicating between local and remote systems.

The term Remote Desktop is somewhat deceptive and can be confusing. There are actually two components to Remote Desktop—the client-side component (Remote Desktop Connection) and the server-side component (Remote Desktop for Administration). These two pieces are just a rename of the previous Terminal Services client and Terminal Services server from previous versions of Windows.

Intruders can insert new records into DDNS, however, and potentially use those records in an attack against your network. In fact, when you create a new zone Windows Server 2003's DNS service warns you that allowing just any old dynamic updates is a significant security vulnerability. The DNS service does offer an option for secure updates that accepts updates only from computers that have successfully authenticated to the domain. However, the secure option is available only when the DNS service is running on an Active Directory domain controller, thereby providing DNS with access to authentication information. For that reason alone, we always recommend that your DNS servers also be Active Directory domain controllers and that you enable DNS to use secure DDNS updates.

Probably the single greatest enhancement to the DNS service brought by 2003 is a new feature of Active Directory (AD) integrated zones. Windows 2000 introduced Active Directory integrated zones, which store DNS records in the Active Directory database instead of in flat .dns files on the DNS server (like primary and secondary zones). The major benefit of an Active Directory-integrated zone is that your DNS records are replicated to all domain controllers, so in the event of a DNS server failure, you simply install DNS on a domain controller and the zone appears, as if by magic. In effect, any domain controller has the capability to become a DNS server, and your zone records are protected by Active Directory's replication.

Group Policy is a mechanism for administration of computers in Active Directory domains, to specify settings for everything from user environment configuration to software distribution to password policies. The terminal services client component has been renamed and is now called Remote Desktop Connection, just like in Windows XP. The biggest change that makes terminal services look different is the server-side component. The former remote administration mode is now called Remote Desktop for Administration and is treated separately from the Terminal Server application mode component. Although Remote Desktop for Administration and Terminal Server appear to be two separate things, they are in reality two facets of the same technology, like in Windows 2000. The difference is in the way they appear and how they are installed.

Remote Desktop for Administration is the former Terminal Services Remote Administration Mode, with a few improvements, of course. With Windows 2000, Terminal Services is integrated into the operating system as an optional service. It can be installed using Add/Remove Programs, Add/Remove Windows Components, and when installed, the administrator is prompted for the terminal server mode. The two choices are Remote Administration Mode and Application Server Mode. Application Server Mode is designed for installing the server to be used in the role of a traditional terminal server or Winframe/Metaframe server. In this role, applications are to be installed on the box for use by remote users; making these applications available to remote users is the primary purpose of the box.

Remote Administration Mode was something new for terminal services introduced in Windows 2000. Installing Terminal Services in Remote Administration Mode allows up to two (free) concurrent connections. Plus, when using terminal server in this mode, you don't have to worry about keeping track of licenses, as you do in Application Server Mode and previous versions of terminal server.

Windows Server 2003 no longer has a Terminal Services Remote Administration Mode. The so-called Remote Administration Mode and Application Server Mode are now treated as two separate entities and are installed differently.

Windows 2003 Server comes preinstalled with Remote Desktop for Administration (although it is disabled). There is still an optional Windows component for installing terminal services, but it is now called Terminal Server. Installation of this service converts the Remote Desktop for Administration installation into a full-blown Terminal Server (Application Server Mode) installation; uninstalling Terminal Server returns the system to the Remote Desktop for Administration mode.

In addition to selecting the check box to enable Remote Desktop, you must also designate who is permitted to use Remote Desktop for Administration. By default, the Administrator account is the only one that has access. To grant additional users (domain or local) permissions to be allowed to connect to the server via Remote Desktop for Administration, click the Select Remote Users button and then simply add the user or group accounts as appropriate. This adds the users on this list to a local group called Remote Desktop Users, which has permissions to log on to the terminal server.


From "Configuring Windows 2000 WITHOUT Active Directory"

Admittedly, the Intellimirror features of centrally controlling users and computers are one of the biggest advantages in favor of Active Directory because they offer an easy-to-control facility not found with Windows NT 4.0 domains. For example, you can redirect key user folders, such as My Documents or My Pictures, to ensure that users save personal work to a central server.

Independently from Active Directory, you can still use home directories and mapped drives so that user data can be saved centrally, and roaming profiles are still supported so that users can log on to any desktop and retrieve their own familiar desktop profile.

Kerberos offers both a more secure password authentication (for example, it offers mutual authentication) and a quicker one over NTLM (it uses delegation). So is NTLM such a bad authentication protocol? Actually, NTLM authentication supports three different methods of challenge/response authentication with varying levels of security to suit your environment and client technology. The weakest form of security is LAN Manager (or LM), which is used in workgroups to provide downward compatibility for Windows for Workgroups, Windows 95, and Windows 98 for file sharing. The next level is NTLM v1, and it is used when you have a Windows NT 4.0 domain with a domain controller running SP3+. The highest level is NTLM v2, which is used on Windows 2000 clients in a Windows NT 4.0 domain if all domain controllers are running SP4+. By default, all three authentication mechanisms are enabled, but you can strengthen your authentication policy by disabling the weaker levels you don't need.
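The "disable the weaker levels" advice maps onto two registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, LmCompatibilityLevel and NoLMHash. The following Windows PowerShell script is an added example, not from the book: it reports the current level using Microsoft's documented meanings and, on request, raises it; the function names are mine.

```powershell
# Added example (not from the book): audit and harden the LAN Manager
# authentication level. Both values live under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
#   LmCompatibilityLevel  0..5 (absent = operating-system default)
#   NoLMHash              1 = stop storing the weak LM hash of passwords
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented meanings of LmCompatibilityLevel
$LevelText = @{
    0 = 'Send LM and NTLM responses'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM and NTLM'
}

function Get-LmAuthState {
    $lsa   = Get-ItemProperty -Path $LsaKey
    $level = $lsa.LmCompatibilityLevel      # $null when the value is absent
    $noLm  = $lsa.NoLMHash
    $desc  = 'not set (operating-system default)'
    if ($null -ne $level) { $desc = $LevelText[[int]$level] }
    # Levels 0 and 1 still send LM responses; an absent value is treated as weak
    $sendsLm  = ($null -eq $level -or [int]$level -le 1)
    $lmStored = ($null -eq $noLm -or [int]$noLm -eq 0)
    [pscustomobject]@{
        Level         = $level
        Description   = $desc
        ClientSendsLm = $sendsLm
        LmHashStored  = $lmStored
    }
}

function Set-LmAuthHardened {
    param([ValidateRange(3, 5)][int]$Level = 5)
    # 3 stops this host sending LM/NTLMv1; 4 and 5 additionally make a server or
    # DC refuse LM, then LM and NTLMv1, from clients. Start at 3 while Win9x or
    # pre-SP4 NT 4.0 clients remain, since the book notes those need lower levels.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $Level -Type DWord
    # NoLMHash applies to passwords set from now on; existing LM hashes stay
    # until each user changes their password.
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
}

# Usage (run from an elevated prompt):
$state = Get-LmAuthState
"LmCompatibilityLevel: $($state.Level) ($($state.Description))"
if ($state.ClientSendsLm) { Write-Warning 'This host can still send LM responses' }
if ($state.LmHashStored)  { Write-Warning 'LM hashes of local passwords are still being stored' }
```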

Group Policy is big news with Windows 2000. It offers a way of centrally controlling settings at a computer and user level throughout an enterprise at many different levels. They are vastly more extensive and superior in design because they no longer permanently affect the registry, can be reapplied at regular intervals (not just logon or startup), can be applied at different levels (local, site, domain, organizational unit), and can be filtered. Filtering means that you can determine which groups or users will be affected by the settings and which users can read and/or modify them (that is, not just administrators).

By concentrating initially on local group policies—settings that affect only one Windows 2000 computer—managers and implementers can start to feel their way with this new configuration feature. If you can plan and configure group policy on the simplest level, it is then easier to scale up and plan on an enterprise level. For environments that never migrate to Active Directory, managers and implementers can still make the most of this technology by exploiting the local configuration options to their fullest potential—which is what this particular topic is all about.

Note: Do not confuse policies with user preferences and profiles. Policies are set and enforced by administrators. User preferences are desktop settings that users can set (if allowed), for example, their choice of screensaver, folder options, and so on. Profiles contain user-specific configurations such as desktop shortcuts, program settings unique to the user, and so on. Policies have a higher precedence than the other two and, as such, are more powerful.

The actual configuration settings are stored in what is termed a Group Policy Object, which is frequently abbreviated to just GPO. Physically these reside in subfolders off %systemroot%\System32\GroupPolicy, and logically they are split between computer settings and user settings. Computer settings are options that always apply to the local computer, irrespective of who (if anybody) is logged on to the computer (for example, computer startup/shutdown scripts). User settings are options that apply for the duration of a user's session on the computer (for example, logon/logoff scripts).

To set and configure the full set of local Group Policy settings—both the Computer Configuration settings and the User Configuration settings—you must run gpedit.msc (for example, from the command line, or Start | Run).

Unfortunately, local Group Policy by definition is local to each Windows 2000 computer and as such there is no Microsoft central configuration tool to help you define a standard LGPO you want to deploy onto each machine. You can't, as you might think, simply copy a configured computer's GPO folder onto another computer. However, you can export and import the security policy within the local GPO together with additional security settings such as registry settings, service configurations, and ACLs. This is done using Microsoft's Security Configuration and Analysis, which is covered next.

Windows File Protection (WFP) in Windows 2000 protects key system files at all times, and should one of them be deleted or replaced with an alternative version, WFP automatically reinstalls the original. It uses file signatures, a file catalog, and a Dllcache folder working in conjunction with another Windows 2000 feature called the System File Checker (SFC). Together these features protect the integrity of critical files that are integral to the computer's reliability.

Improvements in NTFS v5 in Windows 2000 mean that you can now mount a new drive and assign it a path on an existing drive. This means fewer drives for a user to navigate and allows you to more logically group file locations in a hierarchical manner on the same server.


Classic Errors

  1. Installing 3rd-party drivers.
  2. Ignoring the licensing splash screen when activating Terminal Services.
  3. Using the same roaming profiles on the TS as for the normal workstations.
  4. Making users Power Users or local admins just to get an application running.
  5. Not having a test server; slapping apps and drivers onto the production server at will.
  6. Leaving MS Automatic Updates active so that it reboots at will, to make sure users get their daily coffee.
  7. Not running a full backup before updating a server.
  8. Listening to a boss who demands that you admin the server without proper training.
  9. Allowing users to save data on the TS server disks.
  10. Installing Terminal Services on a Domain Controller.
  11. Installing Terminal Services in "Relaxed Security mode".
  12. First installing a lot of applications, and then installing Terminal Services.

Restricting usage of Remote Desktop for Administration

Windows 2003 Server allows up to two administrative accounts to connect to it through RDP. To restrict what they can do... "Terminal services settings can be configured with the usual Terminal Services Configuration MMC snap-in and administered with the Terminal Services Manager MMC snap-in. Plus, these settings have now been exposed so they can be configured with Windows Management Instrumentation (WMI) through scripts, the WMIC command line, or Active Directory Services Interface (ADSI). Probably the most useful enhancement is the addition of a number of group policy settings for configuring these terminal services settings. A lot of the new terminal services group policy settings are available simply for centrally managing settings previously available in Windows 2000. These settings can still be managed via Terminal Services Configuration (for per-server settings) or Active Directory Users and Computers (for per-user settings).

In addition to being able to centrally manage terminal server settings with group policy, Windows Server 2003 server provides interfaces for configuration with WMI and ADSI. By querying and manipulating the appropriate objects, the previously listed settings can be configured in batch files or scripts.

Another new security feature for terminal server is the ability to use Software Restriction Policies. Although not specifically a terminal server enhancement, the new Software Restriction Policies section of group policy can be used to protect the terminal server environment. Software Restriction Policies can be used to specify whether certain file types are allowed to run, as well as to specify certain levels of permissions for various Registry keys."
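The WMI interface the quote mentions makes the server's Terminal Services settings scriptable. The following Windows PowerShell audit is an added example (not from the book): it reads the classes Windows Server 2003 exposes in root\cimv2 (later versions keep them in root\CIMV2\TerminalServices, so pass -Namespace there), flags the weak settings, and lists who the Remote Desktop Users group (see above) lets in; function names are mine.

```powershell
# Added example (not from the book): read the Terminal Services settings the
# text says are exposed through WMI, and flag the weak ones. Assumption: the
# classes are in root\cimv2 (Windows Server 2003); Windows Server 2008 and
# later keep them in root\CIMV2\TerminalServices, so pass -Namespace there.
function Get-TsSecurityAudit {
    param([string]$Namespace = 'root\cimv2')
    $findings = @()

    $ts = Get-WmiObject -Namespace $Namespace -Class Win32_TerminalServiceSetting
    # TerminalServerMode: 0 = Remote Desktop for Administration, 1 = Terminal Server (application mode)
    $isAppServer = ($ts.TerminalServerMode -eq 1)
    # DomainRole 4/5 = backup/primary domain controller (Classic Error 10: TS on a DC)
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    if ($isAppServer -and $role -ge 4) { $findings += 'Terminal Server is installed on a domain controller' }

    # One Win32_TSGeneralSetting per listener (normally just RDP-Tcp).
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    foreach ($l in Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting) {
        if ($l.MinEncryptionLevel -lt 3) {
            $findings += "Listener $($l.TerminalName) allows encryption below High (level $($l.MinEncryptionLevel))"
        }
    }

    # Who may connect besides Administrators: the local Remote Desktop Users group.
    # Parse the member list that follows the dashed line in 'net localgroup' output.
    $members = @(); $inList = $false
    foreach ($line in (net localgroup 'Remote Desktop Users')) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($inList -and $line -and $line -notmatch '^The command') { $members += $line.Trim() }
    }
    $broad = $members | Where-Object { $_ -match '^(Everyone|Authenticated Users)$|\\Domain Users$' }
    if ($broad) { $findings += "Remote Desktop Users contains broad principals: $($broad -join ', ')" }

    $mode = if ($isAppServer) { 'Terminal Server' } else { 'Remote Desktop for Administration' }
    [pscustomobject]@{
        Mode               = $mode
        RemoteDesktopUsers = $members
        Findings           = $findings
    }
}

function Set-TsHighEncryption {
    param([string]$Namespace = 'root\cimv2')
    # Raise every listener to High (3). Older clients may then fail to
    # connect, so test before applying on the production server.
    foreach ($l in Get-WmiObject -Namespace $Namespace -Class Win32_TSGeneralSetting) {
        $l.SetEncryptionLevel(3) | Out-Null
    }
}

Get-TsSecurityAudit | Format-List
```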

"To remove the right of users to shut down the computer, change the relevant "right". Rights are managed using security policy editors "secpol.msc" in a workgroup or the group policy editor in a domain env."
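The export/import of the local security policy described earlier and the shutdown right mentioned here both go through secedit, the command-line side of Security Configuration and Analysis. The following Windows PowerShell script is an added example, not from either source: it exports the current policy, reports any holder of the two shutdown rights other than Administrators, and applies a small baseline INF; the working directory, function names and the baseline itself are mine.

```powershell
# Added example (not from the book): export the local security policy, check who
# holds the shutdown rights, and apply a small baseline INF. Paths are mine.
$Work = Join-Path $env:TEMP 'lgpo-audit'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Export-LocalSecurityPolicy {
    param([string]$OutFile = (Join-Path $Work 'current.inf'))
    # /areas restricts the export to account/audit policy and user rights
    secedit /export /cfg $OutFile /areas SECURITYPOLICY USER_RIGHTS | Out-Null
    return $OutFile
}

function Get-InfSection {
    # Parse one [Section] of a secedit INF into a key -> value hashtable
    param([string]$InfFile, [string]$Section)
    $map = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $InfFile) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $map[$Matches[1]] = $Matches[2] }
    }
    return $map
}

function Test-ShutdownRights {
    param([string]$InfFile)
    $rights = Get-InfSection -InfFile $InfFile -Section 'Privilege Rights'
    $admins = '*S-1-5-32-544'    # BUILTIN\Administrators, as secedit writes SIDs
    foreach ($priv in 'SeShutdownPrivilege', 'SeRemoteShutdownPrivilege') {
        $holders = @($rights[$priv] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $extra = @($holders | Where-Object { $_ -ne $admins })
        if ($extra.Count -gt 0) { "$priv is also held by: $($extra -join ', ')" }
    }
}

# Baseline that leaves both shutdown rights with Administrators only
# (single-quoted here-string so $CHICAGO$ is written literally).
$Baseline = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
'@

function Import-SecurityBaseline {
    $cfg = Join-Path $Work 'baseline.inf'; $db = Join-Path $Work 'baseline.sdb'
    Set-Content -Path $cfg -Value $Baseline -Encoding Unicode
    # /configure merges the INF into a database and applies only the listed area
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /log (Join-Path $Work 'baseline.log')
}
# Usage (elevated): export, then report rights held beyond Administrators
Test-ShutdownRights -InfFile (Export-LocalSecurityPolicy)
```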

Locking down a server

If you want to create a bare-bones, locked-down interface, things to check:

How to change the idle time-out?

Q&A

I'd like to create different profiles even without running Active Directory

It's not possible. If you installed a server as a stand-alone host in a workgroup, local group policies apply to every user as explained here: "What people want to know is, can you use either of these tools to configure one set of policy settings for one local user account, and a different set of policy settings for a second local user account. Unfortunately the answer is no--local Group Policy is machine-wide in scope and can't be configured on a per-user basis. You need Active Directory to do that."

Have TS listen on a custom port

What is Install Mode?

"Before installing applications on a Terminal Server, you must put the server into "install mode". In this mode, all changes made to the registry and to ini-files will be monitored and copied to the shadow area in the registry. This process ensures that all users will receive their personal copy of those registry keys and ini-files. You can put a Terminal Server in Install mode by using the Add/Remove Programs tool in Control Panel, but this method does not work when you install applications directly from the web." (from http://ts.veranoest.net/)
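The install/execute switch the quote describes is the built-in Terminal Services command change user (/query, /install, /execute). The following Windows PowerShell wrapper is an added example, not from ts.veranoest.net: it runs an installer inside install mode and always returns the server to execute mode, even when the installer fails; the function names and the installer path are placeholders of mine.

```powershell
# Added example (not from the quoted site): run an installer in Terminal Server
# install mode so the install/execute switch cannot be forgotten on error.
function Get-TsUserMode {
    # 'change user /query' prints "Application INSTALL mode is enabled." or
    # "Application EXECUTE mode is enabled."
    $out = (change user /query) -join ' '
    if ($out -match 'INSTALL') { return 'install' }
    if ($out -match 'EXECUTE') { return 'execute' }
    return 'unknown'
}

function Install-OnTerminalServer {
    param(
        [Parameter(Mandatory)][string]$InstallerPath,   # placeholder, e.g. D:\setup\app-setup.exe
        [string[]]$ArgumentList = @()
    )
    if (-not (Test-Path -Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    if ((Get-TsUserMode) -eq 'unknown') { throw 'change user is unavailable; is Terminal Server installed?' }

    change user /install | Out-Null
    try {
        # Wait for the installer so every registry and INI write happens in
        # install mode and lands in the shadow area for later users.
        $startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
        if ($ArgumentList.Count -gt 0) { $startArgs.ArgumentList = $ArgumentList }
        $p = Start-Process @startArgs
        if ($p.ExitCode -ne 0) { Write-Warning "Installer exited with code $($p.ExitCode)" }
        return $p.ExitCode
    }
    finally {
        # Always return to execute mode, even if the installer threw
        change user /execute | Out-Null
        "Server is back in $(Get-TsUserMode) mode"
    }
}
```

Run it from an elevated console on the test server first (Classic Error 5), with no other users logged on, before repeating on production.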

Resources

Sites

Tools

To read