Once an authorized user has logged on to the Terminal Server, the security focus shifts from
one of complete access prevention to one of access restriction. A user’s ability to interact with
objects in the system is managed through user rights, system security restrictions, administrative
templates, and file and registry restrictions. The task of configuring these settings is
further complicated by the need to ensure that adequate session security exists while still
providing the functionality required by the users to perform their job.
As I discussed in the "Administrative Delegation" section of this chapter, whenever possible
system privileges and restrictions should be managed using local user groups as opposed
to individual user accounts or domain security groups. The idea is to then assign the desired
domain group or user to the corresponding local group that is appropriate for their access
level. Assignment of access rights on a Terminal Server should be kept as simple as possible.
When the security requirements become too complex, this increases the likelihood that some
setting may be missed. In most implementations this means dividing the users into two categories
when delegating access rights. Either the user is a member of the Administrators
group, with full rights to the entire server, or the user is a member of the Users group, with
only limited access to the server’s resources.
NOTE:
With such a simplified division of access rights (Administrators group or Users
group), care must be taken when the default Users permissions are not sufficient to let a
user perform a particular job function. In most circumstances this occurs when an application
does not operate properly under the limited privileges granted the Users group.
A common reaction to this type of problem, particularly under pressure from the user
community to come up with a quick solution, is to assign regular users full administrative
access. While this certainly resolves the application issue, it is critical that
this never be allowed on a production Terminal Server. Such privilege elevation immediately
brings the integrity of the Terminal Server into question since any mistake by a
user can render the server completely unusable.
Assignment of privileges when pertaining to application integration is discussed in the
"Application Privileges and Restrictions" section of this chapter.
While the Local Security Settings snap-in is used to review the current settings on a Terminal
Server, if you wish to make changes to the User Rights Assignment policies, I recommend
that they be performed within the Terminal Server Machine Policy defined in Active
Directory and not within the Local Security Settings snap-in. This ensures consistency across
all Terminal Servers in your domain, since all necessary policy settings are automatically
applied once the policy has been added to the Terminal Servers organizational unit. Policies
defined at the domain level always take precedence over those options set locally when a conflict
occurs.
User Rights Assignment
User rights are a special set of privileges that define which basic operating system functions
a user or group of users can perform. While I recommend that you review the User Rights
configuration on your server to ensure that the appropriate groups have been defined, under
most circumstances you will not have to modify the default settings. Figure 16.15 shows the
default User Rights Assignment policies for a Windows 2003 Terminal Server as viewed from
within the Local Security Settings MMC snap-in. This utility is found under Administrative
Tools on the Start menu for both Windows 2000 and 2003 and is used to view the settings
currently in effect on the server.
While the Local Security Settings snap-in is used to review the current settings on a Terminal Server, if you wish to make changes to the User Rights Assignment policies, I recommend that they be performed within the Terminal Server Machine Policy defined in Active Directory and not within the Local Security Settings snap-in. This ensures consistency across all Terminal Servers in your domain, since all necessary policy settings are automatically applied once the policy has been added to the Terminal Servers organizational unit. Policies defined at the domain level always take precedence over those options set locally when a conflict occurs.
When assigning user rights within a GPO, make certain that you include all the groups
that require access to that user right. Rights defined within a GPO override the local settings;
they do not merge with them. Also be aware that because the GPO affects all servers within
the organizational unit, you need to assign permissions based on the domain groups and not
the local groups of a specific server. As I discussed in Chapter 15, this is an exception to the
general rule of assigning permissions based on local groups. Because GPOs are defined at the
domain level, domain-level groups must be used. Figure 16.16 shows an example of User
Rights Assignment policies defined within a Terminal Server Machine Policy for the
Terminal Servers OU in a Windows 2003 domain.
Table 16.4 lists the user rights for both Windows 2000 and 2003 that most directly pertain to
a Terminal Server. A complete explanation of each of the Windows 2000 user rights can
be found in the Group Policy Reference included in the Windows 2000 Resource Kit
documentation. An explanation of the Windows 2003 user rights can be found simply by
right-clicking the desired user right and selecting Help.
Table 16.4: Terminal Server–related User Rights Assignment Policies for Windows 2000 and 2003
Windows Server 2003
Windows 2000
Explanation
Access this computer from the network.
Access this computer from the network.
This right is not required for a
user to be able to establish a
Terminal Server session. This
right is required only if you will
be sharing folders or printers off
the Terminal Server.
The default group assignments
can be limited to only Administrators
if no file or print sharing
is required.
Deny access to this computer from
the network.
Deny access to this computer from
the network.
Members of this group are explicitly denied access to network
resources on this server. The Deny
property overrides any other permissions
that might be assigned.
Allow log on locally.
Log on locally.
This right is required for a user to
be able to interactively log on to
the server. On a Windows 2000
server this right is required to be
able to log on to a Terminal Server
session. On a Windows 2003 Terminal
Server this right is required
only when logging on directly from
the server console. Omitting or
denying this user right does not
prevent a user from being able to
establish a Windows 2003 Terminal
Server session as long as they possess
the "Allow log on through
Terminal Services" privilege.
Allow log on through Terminal Services.
Log on locally.
To establish a Terminal Server
session a user must have this user
right. Without it a user receives
the message "The local policy of
this system does not permit you to
logon interactively" immediately
after providing their logon credentials.
WARNING: Use caution when modifying the default User Rights Assignment policy for
a Terminal Server. Incorrectly restricting the rights can adversely affect server operability.
Local Security Options
Windows local Security Options policies allow an administrator to configure additional
machine-specific security settings. As with local User Rights Assignment policies, it is recommended
that changes to the local Security Options policies be performed within the
Terminal Server Machine Policy and not directly on the individual Terminal Servers. Table
16.5 lists the changes I suggest making to local Security Options policies for your production
Terminal Servers.
Table 16.5: Suggested Local Security Options Policies Changes for a Windows Terminal Server Environment
Windows Server 2003
Windows 2000 Server
Explanation
Accounts: Guest account status.
N/A
(W2K3 only.) Controls whether
the local Guest account is enabled
or disabled. While it is disabled by
default, enforcing the disabled status
for the Guest account is always
a good security practice.
Accounts: Rename administrator account.
Rename administrator account.
Lets you define an alternate name
for the local Administrators
account. This simple change makes
it more difficult for someone to
guess the administrator’s password,
since they won’t even know what
the local administrator’s account
name is. Be sure to select an alternate
name you can remember but
is not immediately obvious to a
would-be hacker. This option is
disabled by default.
Accounts: Rename guest account.
Rename guest account.
Even though it’s disabled,
renaming the Guest account to
something more obscure is a good
security practice.
Devices: Prevent users from installing printer drivers.
Prevent users from installing printer drivers.
Enabled by default on all Windows
servers. On a Terminal Server in
particular you do not want users to
have the ability to arbitrarily install
printer drivers when connecting to
a network printer. While most
Windows 2000/2003 printer drivers
work without issue on a Terminal
Server, it is still best if an administrator
monitors what drivers are
and are not available to the users.
A single ill-behaved printer driver
can easily cause a Terminal Server
to crash with a STOP error (blue
screen of death).
Interactive logon: Do not display last user user name.
Do not display last user name in logon screen.
When an RDP session is initiated
to a Terminal Server, the logon
screen automatically displays the
name of the last user to log on to
that server from that particular
client machine. Enabling this security
option eliminates this behavior.
The ICA client never displays the
name of the last user to log on, and
as such this option has no effect on
the ICA client’s behavior.
Administrative Templates
In Chapter 15, I discussed use of administrative templates and how they provide a centralized
mechanism for applying behavioral changes and restrictions to both the target computers
in the organizational unit and the users who log on to those computers. Both Windows 2000
and 2003 provide a set of standard administrative templates that include a number of security-
related options. Windows Server 2003 includes new template options as well as updated
naming for many of the options found in Windows 2000 Server. Because of this, I divide my
policy suggestions into two separate tables. Table 16.6 lists suggested security settings for
Windows 2000, while Table 16.7 lists my equivalent settings for Windows 2003. These suggestions
have been subdivided based on the group policy object they should be applied in.
The categories used are Terminal Server All Users Policy, Terminal Server Regular Users
Policy, and Terminal Server Machine Policy. These tables list only Windows system-specific
changes and no application-related settings that may pertain to a Terminal Server environment.
These types of changes are discussed in the later section "Application Privileges and
Restrictions."
TIP: As I discussed in Chapter 15, customized or third-party administrative templates
can be added to the active directory, allowing for the centralized management of
applications or additional Windows components. Applications such as Microsoft Office
support extensive configuration via administrative templates. You can also create your
own custom .ADM files. General information on creation of custom administrative
templates can be found in Microsoft knowledgebase article 323639.
Table 16.6: Windows 2000 Administrative Template Security Suggestions
Administrative Templates Policy
GPO Affected
Explanation
Start Menu & Taskbar
Add Logoff to the Start Menu.
Disable and remove the shutdown command.
Terminal Server
All Users
This ensures that all users have the Logoff
<UserName> option on the Start menu.
This option makes it more difficult for even
an administrator to accidentally shutdown a
Terminal Server. On more than one occasion
I’ve witnessed an administrator accidentally
select Shutdown instead of logoff and
acknowledge the action before they even
know they’ve done so. An administrator
can still shutdown a server by using the
TSSHUTDN command from a command
prompt.
Windows Components\Windows Explorer
Only allow approved Shell extensions.
Terminal Server All Users
This setting ensures that only those
Shell extensions approved by an administrator
are allowed to load when Explorer starts.
Windows Components\Windows Explorer
Hide the Manage item on the Windows Explorer context menu.
Hide Hardware tab.
Disable DFS tab.
Terminal Server Regular Users
Removes the Manage item from Explorer
and My Computer. If the MMC snap-in
access has been prohibited (see Microsoft
Management Console later in this table), this
menu item has no effect on regular users,
but I like to completely remove it as part of
my standard configuration.
This setting removes the Hardware tab from
all local drives on the server, preventing
users from being able to see what hardware
is being used for hard drives, CD-ROM
drives, and so on.
When a user has a drive mapping to a distributed
file system (DFS) share, the DFS
tab is available on the Properties dialog box.
This option disables access to this tab, preventing
users from seeing the available
physical locations for the particular DFS
share point.
Windows Components\Microsoft Management Console\
Restrict users to the explicitly permitted list of snap-ins.
Terminal Server
Regular Users
Enabling this policy prohibits all regular
users from accessing any MMC snap-in.
Start Menu & Taskbar
Disable and remove links to Windows Update.
Remove Network & Dial-up Connections from Start Menu.
Remove Run menu from Start Menu.
Disable user tracking.
Terminal Server
Regular Users
Removes the link to Windows Update from
the Start menu and prevents the users from
accessing the Windows Update Web site.
Removes the link to Windows Update from
the Start menu and prevents the users from
accessing the Windows Update Web site.
Completely removes access to the Network
& Dial-up Connections folder, preventing
users from finding out specific details about
the server’s network configuration.
Eliminating this option from the Start menu
prevents users from quickly launching an
application by name. This policy does not
prevent users from starting applications
present on the Start menu or double-clicking
them through Windows Explorer.
Windows enhances the user’s work experience
by tracking user-specific information
such as what applications they commonly
run, the documents they open, and so on.
Disabling this option turns off this tracking
feature.
Desktop
Remove Properties from the My Computer context menu.
Prohibit users from changing My Documents path.
Terminal Server
Regular Users
Disables access to the System Properties
dialog box for the My Computer icon. This
dialog box provides general access to information
such as available memory, CPU type,
and operating system version.
If you redirected the My Documents folder
for your users, you must implement this polpath.
icy. Normally users have the ability to
change their My Documents path, and
allowing such access could result in users
storing sensitive documents in a location
where they may be easily accessible by others
or omitted from the regular backup
process. Enabling this policy does not affect
use of the folder redirection policy.
Desktop\Active Desktop
Disable Active Desktop.
Terminal Server
Regular Users
In addition to providing a performance
improvement, this policy increases security
by preventing Web-based content from
being enabled directly on the user’s desktop.
Control Panel
Show only specified control panel applets.
Terminal Server
Regular Users
If users require access to one or more
control panel applets, only those specific
options should be made available and all
other entries suppressed. Usually I provide
users with access to only the Display applet
so they have access to make minor changes
to their visual desktop experience. The specific
applet file name is DESK.CPL.
Control Panel\Add/Remove Programs
Disable Add/Remove Programs.
Terminal Server
Regular Users
This option completely eliminates access for
all regular users to the Add/Remove
Program option.
Control Panel\Display
Hide Screen Saver tab.
Terminal Server
Regular Users
Very often, users try to run custom screen
savers without realizing they not only consume
available system resources but also can
pose a security risk. Removing access to the
Screen Saver tab prevents users from easily
configuring and activating screen savers. It
does not prevent a user from directly executing
a screensaver file (*.scr) that he or she
may have acquired through email or a Web
site.
Network\Offline Files
Disable user configuration of Offline Files.
Disable ‘Make Available Offline’.
Terminal Server
Regular Users
Completely removes the user’s ability to
modify the Offline Files menu option.
Offline files in general can pose a security
risk by making files available in a location
that may not be secure.
Turns off the ability to make files or folders
available offline.
Network\Network and Dial-up Connections.
Prohibit access to properties of a LAN connection.
Prohibit viewing of status statistics for an active
connection.
Terminal Server
Regular Users
While users typically do not have access to
modify the properties for a LAN connection,
by default they can still view network configuration
options. Enforcing this policy
prevents access to this information.
Users do not require access to the statistics
for a LAN connection. These statistics provide information such as link speed and
connection uptime. The properties for the
LAN connection are also directly accessible
from here.
System
Disable the command prompt.
Disable registry editing tools.
Terminal Server
Regular Users
Enabling this policy prevents users from
directly launching a command prompt while
still allowing scripts (logon, startup, and so
on) to be processed.
When enabled, this policy prevents users
from being able to run the registry tools
REGEDIT and REGEDT32. Users can still
update the registry by directly running valid
.REG files, but interactive traversal of the
registry through either tool is not permitted.
To effectively limit what applications a user
can run on a Terminal Server, the policy
"Run only allowed Windows applications"
should be enabled and configured. I discuss
configuration steps for this policy in the later
section "Application Privileges and
Restrictions."
System\Logon/Logoff
Disable Task Manager
Terminal Server
Regular Users
Prevents users from viewing their running
processes as well as seeing the current performance
statistics for the server.
TIP: Windows Server 2003 administrative templates provide extensive support for
many of the Terminal Services options normally configured through the Terminal
Services Configuration utility. Unless otherwise stated, any Terminal Server client-related
settings defined in a Windows 2003 administrative template apply to only RDP
connections. Citrix ICA (MetaFrame) connections are not affected by most of these
group policies.
This policy is intended to prevent an
administrator from installing IIS or any
applications that require IIS.
Windows Components\Terminal Services
Restrict Terminal Services users to a single remote session.
Limit number of connections.
Sets rules for remote control of
Terminal Services user sessions.
Terminal Server
Machine Policy
This policy limits a user to a single active
Terminal Server session and is enabled by
default on all Windows 2003 Terminal
Servers. Note that it is applied on a
perserver basis and does not restrict a
user from having active simultaneous sessions
on different Terminal Servers.
This sets the maximum number of concurrent
connections supported on the
server. Enabling this policy in conjunction
with the previous policy helps protect
a Terminal Server against a crude denialof-
service attack performed by logging on
to the server with the same user continuously
until all server resources are exhausted.
The maximum number of connections
should be set to match the maximum
number of users supported by your servers-izing
estimate.
As I discussed in Chapter 8, remote control allows an administrator (or other
authorized user) to connect into a user’s
session and interact with the environment.
This policy lets you configure the
rules for remote control on each Terminal
Server. There are four choices available:
No remote control allowed at all.This
feature is completely disabled. In highly
secure environments where even an
administrator should not be able to
view a user’s session, this option may
be selected.
Full control with user’s permission. I
recommend this option for most implementations.
A user must explicitly grant
an administrator access before they can
control the user’s session. This ensures
an administrator cannot remotely control
a user’s session without the user’s
knowledge.
Full control without user’s permission.
This option can introduce a security
risk as an authorized user could shadow
another user, manipulate their session,
and then exit without the user even
knowing. One way to counteract this
would be to proactively monitor audit
logs for shadowing. I do not recommend
selecting this option for the
remote control configuration.
View session with/without user’s permission.
Similar to the previous two
entries except that the administrator
shadowing the user cannot interact
with the user’s session in any way but
can only view what the user is doing.
Windows Components\Terminal Services\Client/Server data redirection
Terminal Server Machine Policy
These policies control the behavior of
various data redirection options supported
by Windows 2003 Terminal Services. The
requirements of your implementation will
dictate what redirection options will be
used. It is good practice to disallow all
options not required. For example, if
client drive redirection is not required,
the associated policy "Do not allow drive
redirection" should be explicitly enabled
to prevent this client drive mapping for
any remote user.
Windows Components\Terminal Services\Encryption and Security
Always prompt client for password upon connection.
Set client connection encryption level.
Terminal Server
Machine Policy
The RDP client supports entry and
caching of a user’s password so it can be
automatically passed to the server to log
the user on. Enabling this policy causes
the Terminal Server to ignore any password
passed by the client and instead
always prompts the user to provide their
password.
The minimum encryption level required
by an RDP client connecting to a
Windows 2003 Terminal Server is set to
High by default, but you can ensure this
option isn’t changed by enabling this policy
and selecting High Level.
Windows Components\Windows Explorer
Allow only per user or approved shell extensions.
Terminal Server
All Users
This setting ensures that only those shell
extensions that have been approved by an
administrator or run only for a single user
are allowed to load when Explorer starts.
Start Menu & Taskbar
Add Logoff to the Start Menu.
Remove and prevent access to the Shut Down command.
Terminal Server
All Users
This ensures that all users have the
Logoff <UserName> option on the Start
menu.
This option makes it more difficult for
even an administrator to accidentally shut
down a Terminal Server. On more than
one occasion I’ve witnessed an administrator
accidentally select Shutdown
instead of Logoff and acknowledge the
action before they even know they’ve
done so. An administrator can still shut
down a server by using the TSSHUTDN
command from a command prompt.
Windows Components\Windows Explorer
Hide the Manage item on the Windows Explorer context menu.
Remove Hardware tab.
Remove DFS tab.
Terminal Server
Regular Users
Removes the Manage item from Explorer
and My Computer. If the MMC snap-in
access has been prohibited (see Microsoft
Management Console later in this table),
this menu item has no effect on regular
users, but I like to completely remove it
as part of my standard configuration.
This setting removes the Hardware tab
from all local drives on the server, preventing
users from being able to see what
hardware is being used for hard drives,
CD-ROM drives, and so on.
When a user has a drive mapping to a
DFS share, the DFS tab is available on
the Properties dialog box. This option disables
access to this tab, preventing users
from seeing the available physical locations
for the particular DFS share point.
Windows Components\Microsoft Management Console\
Restrict users to the explicitly permitted list of snap-ins.
Terminal Server
Regular Users
Enabling this policy prohibits all regular
users from accessing any MMC snap-in.
Be aware that you may need to add specific
snap-ins to the permitted list within
Terminal Server User Support Policy.
Start Menu & Taskbar
Disable links and access to Windows Update.
Remove Network Connections from Start Menu.
Remove Run menu from Start Menu.
Turn off user tracking.
Terminal Server
Regular Users
Removes the link to Windows Update
from the Start menu and prevents the
users from accessing the Windows
Update Web site.
Completely removes access to the
Network Connections folder, preventing
users from finding out specific details
about the server’s network configuration.
Eliminating this option from the Start
menu prevents users from quickly launching
an application by name. This policy
does not prevent users from starting
applications present on the Start menu or
double-clicking them through Windows
Explorer. The ability to launch programs
or navigate folders through the Internet
Explorer address bar is blocked.
Windows enhances the user’s work experience
by tracking user-specific information
such as what applications they commonly
run, the documents they open, and so on.
Disabling this option turns off this tracking
feature.
Desktop
Remove Properties from the My Computer context menu.
Prohibit user from changing My Documents path.
Terminal Server
Regular Users
Disables access to the System Properties
dialog box for the My Computer icon.
This dialog box provides general access to
information such as available memory,
CPU type, and operating system version.
If you redirected the My Documents
folder for your users, you must implement
this policy. Normally users have the ability
to change their My Documents path, and
allowing such access could result in users
storing sensitive documents in a location
where they may be easily accessible by
others or omitted from the regular backup
process. Enabling this policy does not
affect use of the folder redirection policy.
Desktop\Active Desktop
Disable Active Desktop.
Terminal Server
Regular Users
In addition to providing a performance improvement,
this option increases security by
preventing Web-based content from being
enabled directly on the user’s desktop.
Control Panel
Show only specified control panel applets.
Terminal Server
Regular Users
If users require access to one or more
control panel applets, only those specific
options should be made available and all
other entries suppressed. Usually I provide
users with access to only the Display
applet so they have access to make minor
changes to their visual desktop experience.
The specific applet file name is
DESK.CPL.
Control Panel\Add/Remove Programs
Remove Add or Remove Programs.
Terminal Server
Regular Users
This option completely eliminates access
for all regular users to the Add/Remove
Program option.
Control Panel\Display
Hide Screen Saver tab.
Terminal Server
Regular Users
Very often, users try to run custom screen
savers without realizing they not only consume
available system resources but also
can pose a security risk. Removing access
to the Screen Saver tab prevents users
from easily configuring and activating
screen savers.
Control Panel\Display\Desktop Themes
Remove Theme option.
Terminal Server
Regular Users
Completely removes the Themes tab
from the Display dialog box.
Network\Offline Files
Prohibit user configuration of Offline Files.
Remove ‘Make Available Offline’.
Terminal Server
Regular Users
Completely removes the user’s ability to
modify the Offline Files menu option.
Offline files in general can pose a security
risk by making files available in a location
that may not be secure.
Turns off the ability to make files or folders
available offline.
Network\Network Connections
Prohibit access to properties of a LAN connection.
Prohibit viewing of status statistics for an active connection.
Terminal Server
Regular Users
While users typically do not have access
to modify the properties for a LAN connection,
by default they can still view
network configuration options. Enforcing
this policy prevents access to this information.
Users do not require access to the
statistics for a LAN connection. These
statistics provide information such as link
speed and connection uptime. The properties
for the LAN connection are also
directly accessible from here.
System
Prevent access to the command prompt.
Prevent access to registry editing tools.
Terminal Server
Regular Users
Enabling this policy prevents users from
directly launching a command prompt
while still allowing scripts (logon, startup,
and so on) to be processed. While the stability
of this option has improved over
earlier versions of Windows Terminal
Services, anomalies with certain applications
that rely on access to a command
prompt may exist. Proper testing is very
important when this policy has been
enabled.
When enabled, this policy prevents users
from being able to run the registry tools
REGEDIT and REGEDT32. Users can
still update the registry by directly running
valid .REG files, but interactive traversal
of the registry through either tool is
not permitted.
To effectively limit what applications a
user can run on a Terminal Server, the
policy "Run only allowed Windows applications"
should be enabled and configured.
I discuss configuration steps for this policy
in the later section "Application Privileges
and Restrictions."
System\Ctrl+Alt+Del Options
Remove Task Manager.
Terminal Server
Regular Users
Prevents users from viewing their running
processes as well as seeing the current
performance statistics for the server.
File and Registry Restrictions
Chapter 8 discussed the file and registry security configuration on a Windows 2000/2003
Terminal Server and how they are both more secure when the Permission Compatibility
option is set to Full Security on a Windows 2003 Terminal Server and set to Permissions
Compatible with Windows 2000 Users on a Windows 2000 Terminal Server. Figure 16.17
shows the Permission Compatibility dialog box from within the Windows 2003 Terminal
Services Configuration utility.
File Security Permissions
In Chapter 8 I talked about the following four general rules for file server security:
Divide the server’s storage into at least two logical drives. For my discussions in
this chapter I assume that the server drives are X: for the system drive and Y: for
the application drive.
When assigning permissions, restrict access to read-only and then grant or revoke
permissions as required. When Permission Compatibility has been set to Full
Security, as just discussed, the file system for the most part is already secure. There
is one major change required on a Windows 2000 Terminal Server, which is discussed
later in this section.
Script security changes so they’re reproducible. File permission changes can be
easily scripted using the CACLS command line file security utility that is included
with both Windows 2000 and 2003.
Be certain to implement all file security prior to installing any applications onto the
Terminal Server. I discuss suggested default security settings for the application
drive immediately after the system drive discussion. Security-related issues with
application installation and execution are discussed in more detail in Chapter 21,
"Application Integration."
On a Windows 2003 Terminal Server the default file system permissions provided with the
Full Security option provide a suitable security configuration for the system drive. No custom
changes are necessary unless you want to be very restrictive in folders and executables accessible
by your Terminal Server users. A Windows 2000 Terminal Server, even with the
Permissions Compatible with Windows 2000 Users option set, requires one rather significant
change to the permissions on the root of the system drive in order to properly secure the volume.
During installation of Windows 2000, the Everyone group is assigned Full Control access
to the root of the system drive by default. On a Terminal Server this configuration is unacceptable
because it lets a regular user add files or folders to the root of the system drive,
which in turn can potentially cause stability- or security-related issues. This can be corrected
by assigning the following permissions to the root of the system drive only:
Administrators (Full Control)
SYSTEM (Full Control)
Users (Read)
These permissions should not be propagated to all subfolders but instead should be applied
to only the root of the drive. The following simple CACLS script demonstrates how this type
of configuration can be scripted for reuse on all Windows 2000 Terminal Servers in the environment.
@ECHO OFF
ECHO Setting security permissions on system volume. Please wait...
REM ** Grant local Administrators and SYSTEM Full Control
REM ** Grant local Users READ access to the root of the system
volume.
CACLS X:\ /c /g Administrators:F SYSTEM:F Users:R
Configuring the initial application-volume security permissions is the same for both Windows
2000 and 2003 Terminal Server. I always set the initial application volume permissions as follows:
Administrators (Full Control)
SYSTEM (Full Control)
Users (Read)
As I mentioned, you need to treat this as the starting point when installing the applications
into your Terminal Server. In some situations, you may be required to grant permissions
other than Read to certain files or folders for an application to function properly. I always recommend
that you start out as restrictively as possible and then loosen up only when required.
Make sure that you clearly document these exceptions and place them into a script so the
changes can be reapplied if necessary. The following script can be used to assign the default
permissions on the application volume.
@ECHO OFF
ECHO Setting security permissions on application volume. Please
wait...
REM ** Grant local Administrators and SYSTEM Full Control
REM ** Grant local Users READ access to the entire volume.
REM ** Permissions should be adjusted on specific applications if
necessary.
CACLS Y:\ /T /c /g Administrators:F SYSTEM:F Users:R
ECHO y|CACLS Y:\* /T /c /g Administrators:F SYSTEM:F Users:R
REM ** Application-specific changes should be appended below.
NOTE: If you have implemented a separate pagefile drive on your server, you should
assign the same default permissions to this volume as you’ve assigned your application
volume, otherwise users will have unrestricted access to write data to this drive,
which in turn can cause security or stability issues.
Registry Security Permissions
While the registry’s security requirements are similar to those of the file system, the process
of assigning security in the registry can be much more difficult. The problem is that in certain
situations an application can have a legitimate reason for writing to the registry.
Fortunately, most applications available today are adhering to the standard of writing
machine-specific information to the HKEY_LOCAL_MACHINE key (normally done during
installation) while maintaining user-specific information in the user’s personal profile
(HKEY_CURRENT_USER). By default, users have write access to their personal registry
but not to HKEY_LOCAL_MACHINE.
If the Full Security option is not enabled, users gain additional write privileges within
the registry that they normally do not have. These permissions have been granted to the special
Terminal Server Users group, which is automatically assigned to Terminal Server users
when legacy application support has been enabled by reducing the Terminal Server security
configuration. As long as the Windows 2000 or 2003 Terminal Server is using full security, the
default registry permissions do not need to be modified to support the multiuser environment.
Another part of proper registry security is restricting access to the Registry Editor tools
(REGEDIT and REGEDT32). The group policy change that should be made to restrict
access to these tools was discussed in the "Administrative Templates" section, earlier in this
chapter. When this change is implemented, if a user attempts to launch a Windows registry
tool a message similar to the one shown in Figure 16.18 appears.
APPLICATION PRIVILEGES AND RESTRICTIONS
Application security can be broken down into two categories. The first deals with managing
user access to only those applications they are required to use, and the second deals with controlling
what options and functionality within an application are available to different users.
The extent to which you need to manage both categories depends on the requirements of
your implementation. If you run a large number of applications on your servers, it is likely
you will need to limit access to one or more of these applications (or functionality within
these applications) based on security, licensing, or performance requirements.
NOTE:
For one administrator this came as no surprise and had been left as such simply because
all Terminal Server users accessed the same group of applications, and highly
sensitive data was not accessed through their Terminal Server implementation.
For the other administrator it was a completely different story. Application segregation
was supposed to have been implemented prior to this team’s inheriting the Terminal
Server environment, and the lack of any proper controls was a major concern because
sensitive sales and customer information was easily accessible to any user interested
and determined enough to search for it.
Application Access Restrictions
In a Terminal Server environment, application access is usually managed in one of two ways:
Restricting application access — The most common method of access management
is to assume that all Terminal Server users have access to all applications
on the server, and only those applications that require limited access are restricted
through special application security groups.
This implementation is commonly used simply because this is the default
behavior of Windows. When an application is installed on a Windows Terminal
Server, by default it is accessible to all users unless access restrictions are
defined at the file system level, the application level, or both. For example, an
inventory management system may be installed on a Terminal Server and all
users can launch the application and reach the logon prompt, but only those
users authorized to actually access the application have a valid user ID and
password.
Granting application access — The alternate application access method
assumes that users have no access to any of the applications on the server unless
such access has been explicitly granted. Not only is this management method
the more restrictive of the two, but it also takes much more work up front to
configure properly and can quickly become cumbersome, particularly when a
large number of applications are involved. One benefit to being so restrictive is
that users are not automatically able to run new applications introduced onto
the server; this as a result helps guard against rogue applications being introduced
via e-mail or download.
While the second option is certainly more appealing from a security perspective, trying to
manage multiple application access lists for different groups of users can quickly become
overwhelming. The best approach to restricting application access is to implement a combination
of the two access methods. By combining the two, you still enjoy the additional security
benefits of explicitly defining what executables a user can run while minimizing the time
required to manage such an implementation.
When combining the two, the first task is to establish a list of all applications users are
authorized to run. Specific items on the list are then restricted further, accessible only to the
subset of users authorized to run those specific applications. For example, a typical application
access list for a Terminal Server user might look like the one shown in Table 16.8. A single
application access list is created, but then only users belonging to the appropriate groups can
access the Inventory Management or Customer Billing programs.
Table 16.8: A Windows Terminal Server Application Access List Example
Application
Notes
Microsoft Word Microsoft Excel Microsoft Outlook Custom Time-Tracking App
These applications are available to all users and not restricted based on group membership.
Inventory Management
This application is available only to members of the
APP_Inventory_Mgr group.
Customer Billing
This application is available only to members of the
APP_Cust_Billing group.
How you approach the restriction of application access will depend on the version of
Windows that you are running and how tightly you wish to enforce these restrictions. The
three different methods of locking down application access that I will discuss are:
The "Run only allowed Windows Applications" group policy object. This
GPO allows you to manage a list of allowed Windows applications that can be
executed by users affected by the policy. Usually the policy is applied to all nonadministrative
users logged on to a Terminal Server. The one limitation of this
policy is that it does not track applications based on their full path, only their
application name. This creates the situation where a user could execute any
desired application, simply by changing the application’s name to be the same
as an application that is authorized to run.
The APPSEC security utility. This tool, available as part of the Windows 2000
Server Resource Kit allows you to define a list of allowed applications, much
like the "Run only allowed Windows Applications" group policy. The three
main differences between this utility and the GPO are:
All non-administrator users are affected by this application’s restrictions.
There is no way to limit the access based on a particular security group.
Only application executables that reside on a server’s physical drive can
be executed. Any attempt to launch a network-based executable will fail.
The listed applications must reside with the specific path specified for
that application. Attempting to run a listed application from any other
location will fail.
These differences greatly increase the effectiveness of the APPSEC utility to
more tightly secure an environment when compared to the "Run only allowed
Windows Applications" GPO.
Windows Server 2003 does not support the APPSEC security utility. Instead it
has introduced the "Software restriction policies," a much more robust version
of the "Run only allowed Windows Applications" GPO. This GPO allows for the
following:
Determine whether the default behavior of the GPO is to allow applications
to execute based on the access rights of the user, or to restrict
access to all executables regardless of access rights.
Applications to be allowed or restricted can be identified by a binary hash
that is calculated, a certificate or a file system path or Internet security
zone. These choices allowing for the clear identification of the authorized
executable while still allow flexibility in how it is located and run.
Entire folders can also be managed, allowing all applications within those
folders to be assigned restricted or unrestricted application execution
access.
I will now take a brief look at each of these three choices.
Run Only Allowed Windows Applications Group Policy Object
Through use of a group policy object, Windows provides the ability to limit a user’s
access to only those applications explicitly defined for that user. The specific GPO is located
under
User Configuration\Administrative Templates\System
and is called "Run only allowed Windows applications." Typically this particular policy can
be defined as part of the Terminal Server Regular Users GPO, so it is applied to all nonadministrative
users logged on to a Terminal Server. Figure 16.19 shows the dialog box for
this policy in a Windows 2003 domain. The applications are added by clicking the Show button
and entering the corresponding executable name.
For a user to be able to properly work within a Terminal Server session, you must be certain
that you include all the necessary executables the user will need to run. When a user attempts
to run an application not included in the list, they receive an error message similar to the one
in Figure 16.20.
Contrary to what you might think, you are not required to list any of the core Windows components
required for a user to be able to log on, such as winlogon.exe, wfshell.exe, or explorer.
exe. This is because the application list applies only to launching programs through
Windows Explorer. Applications launched directly from the system or through a command
prompt are not controlled by this policy. If you restricted the user’s ability to access the command
prompt, they cannot circumvent Explorer to launch applications directly. If you enable
this policy but include no applications in the list, the user still can log on to the server but
once logged on cannot launch any applications.
Table 16.9 shows an actual executable list taken from a Terminal Server implementation
where users were restricted to running only the listed applications. Note that this list also
includes a batch script. If you provide users with an application shortcut that launches a batch
script that in turn launches an executable, you must include the batch script name in the
authorized application list or it will fail to launch. The name of the executable itself is not
required because it is launched from within the batch script.
Table 16.9: Sample Listing of Allowed Application Executable Names Taken from an
Actual Terminal Server Implementation
Executable Name
Application Name
Notes
Excel.exe
Microsoft Excel
Iexplore.exe
Internet Explorer
Notes.cmd
Custom batch script to
launch Lotus Notes
This batch script performs some configuration prior to starting Lotus Notes.
Note that the script name is included in
the executable list but not the actual
Notes executable. This is because the
executable is launched from within the
CMD session initiated by the batch
script and is not controlled by this application
access list.
Osa.exe
Microsoft Office Startup Assistant
This is provided with Office XP and
initializes a number of shared Office
components for use. It is normally found
in the Startup folder.
Outlook.exe
Microsoft Outlook
PN.exe
Citrix Program Neighborhood
If you’re going to allow users to access
published applications available on different
servers through a Terminal Server
session, then PN.exe must be made
available. This is required only when
using the ICA passthrough client. If users
are launching published applications
directly from their local PC desktop, this
executable does not need to be included
in the list.
Powerpnt.exe
Microsoft PowerPoint
Winword.exe
Microsoft Word
Once the list of all allowable applications has been defined and implemented, access to these
applications can be further restricted using security groups if necessary. For example, if
access to Microsoft PowerPoint was to be limited to only a few individuals, then a group
could be created (for example, APP_TS_PowerPoint_Users) and used to define security on
the PowerPoint executable. Any users not belonging to this group who attempted to run
PowerPoint would receive an access-denied message.
TIP: Whenever a Terminal Server implementation calls for restriction of access to one
or more applications, it can be less confusing to the user if the Start menu has been
organized in such a way that applications they cannot access are segregated and, ideally,
not even visible. Common applications accessible by all users are usually located
under the main portion of the Start menu, while restricted applications available to
only a limited number of users are located in subfolders with labels such as
"Customer Service Managers" and "Order Desk Sales Reps." The permissions on
these subfolders are set to grant read access to only those users authorized to run
the applications they contain, so when other users click the subfolder it appears
empty, as shown in Figure 16.21.
The APPSEC Security Utility
Before running the APPSEC utility you must download the appropriate installation files from
the Microsoft Web site and install APPSEC on your Terminal Server. The version of
APPSEC that ships with the Windows 2000 Server Resource Kit will not function properly
as it is missing some necessary system files. The APPSEC.ZIP file can be downloaded from
the Microsoft FTP site at: ftp://ftp.microsoft.com/reskit/win2000/
Once downloaded, extract the contents into a temporary folder and then run InstAppSec
to install the tool.
The APPSEC security utility is launched by running APPSEC from a command prompt
or using the Run command on the start menu. Once started, the main APPSEC application
window will appear as shown in Figure 16.22. The application automatically includes a set of
applications required for a user to be able to log onto the server. By default the APPSEC utility
will be disabled until explicitly enabled by an administrator.
Once APPSEC has been enabled, the settings will immediately be applied to any new user
session logons. Users currently logged onto the server will not pickup these changes until they
have logged out and back into the server. APPSEC settings apply only to regular users and
will never restrict anyone with administrative privileges. When a user attempts to run an
application not in the list they will receive an error message stating that "Access to the specified
device, path or file is denied."
Adding and removing applications from the list are very straightforward and performed
by selecting the desired option. When adding new applications to the list, there is an option
available to "track" the results of running a particular application (Figure 16.23). Tracking
allows an administrator to run an application while APPSEC monitors and adds any associated
executables to the list. This helps to ensure that a particular program has all of the necessary
components in order to work properly.
While APPSEC provides a very rudimentary interface, it can be a very powerful tool for
securing a Windows 2000 Terminal Server environment.
Windows Server 2003 Software Restriction Policies
Windows Server 2003 provides the specific GPO for Software Restriction Policies, which can
be found under
Windows Settings\Security Settings\Software Restriction Policies
By default this policy is not enabled and must be created by right-clicking Software
Restriction Policies and selecting New Software Restriction Policies (SRP). Once selected
the appropriate settings for the policy are created and available to be set as shown in
Figure 16.24.
The basic layout of the Software Restriction Policies is as follows:
Only one SRP is created for each GPO. After selecting New Software Restriction
Policies, that option will no longer be available unless the existing SRP is deleted.
Under the Software Restriction Policies folder, there are three attributes,
which are
Enforcement — This setting dictates the general enforcement criteria for the
policy. By default, it will restrict only executables (not executable libraries
such as DLLs) and will apply to all users affected by the policy, including
administrators./li>
Designated File Types — In addition to the standard executables files with
the suffix EXE all of the file types listed here are assumed to represent executables
and will be included in the software restrictions. File types can be
added and removed on this screen./li>
Trusted Publishers — Defines whether or not the user has any control over
what publishers will be trusted when presented with certificates that verify
the authenticity of an application.
The Security Levels folder has two items, Disallowed and Unrestricted. Only
one of these items can be set as the default at any given time. When Disallowed
is chosen, the policy enforces that no users will be able to run software, unless
the software has been designed as an additional rule, which is discussed next. If
the Unrestricted option is chosen, then all applications are accessible unless
explicitly denied in the Additional Rules section.
The Additional Rules folder is where the majority of the items will be managed.
The purpose of this folder is to store either specific entries that are unrestricted
or disallowed. Entries are added here simply by right-clicking and choosing the
rule to define the entry. The four choices are Certificate Rule, Hash Rule, Internet
Zone Rule and Path Rule. The most common select is Path Rule, allowing an
administrator to provide an explicit path to a folder, executable file, or registry
location. The security level for the rule dictates if the entry is unrestricted or
disallowed.
In a Terminal Server deployment, the Software Restriction Policies are usually created within
the Terminal Server Regular Users policy so that the changes are picked up by the nonadministrative
users in the environment.
Application Functionality Restrictions
In addition to allotting the desired application access to your various user groups, quite often
you will want to control what options and functionality in an application are available to different
users. The exact method by which these changes are performed (if they’re even supported)
will vary from application to application. Many provide their own integrated security based
on a logon ID and password managed from within the program, while others such as
Microsoft Office leverage functionality of group policy objects to allow customization based
on group membership. When an application supports configuration changes using a GPO,
the functionality is added into the active directory through what are know as administrative
template files. Figure 16.25 shows the Add/Remove Templates submenu along with some of
the Office XP templates already loaded into the Administrative Templates folder. Custom
template files are usually stored in the WINNT\INF folder and have the extension ADM.
More details on general installation and use of template files are provided in Chapter 15.
As part of a complete security implementation, I recommend that whenever you have the
opportunity to customize and/or lock down any of the applications you are implementing, you
should do so. By pre-configuring options such as target data directories, turning off Webbased
integration, or disabling automatic update features, you are simplifying the user’s environment
and reducing the exposed areas where potential security issues could develop. The
fewer the number of customization options available to the end user, the less likely you are
to have application-related issues in the environment. In Chapter 20, I look more closely at
some of the configuration options available for Microsoft Office through administrative
templates.
SYSTEM AUDITING
As I mentioned in Chapter 8, a secure environment not only consists of properly configured
servers but also requires effective auditing to detect anomalies in application or user behavior.
Auditing alone is of little value unless you also have a means of effectively monitoring these
logs and flagging suspicious activity when it occurs. Unfortunately, most organizations are
quick to implement the logging portion but rarely establish any effective method of monitoring
these logs. As a result, the environment typically logs huge amounts of security information
that is rarely ever even examined. The log files themselves are usually so small that information
is quickly overwritten, eliminating any possibility of examining the security information
even if a problem is detected.
Windows provides support for auditing in a number of different areas of the system; in
this section I review these areas and provide suggestions on specific event auditing that can
be useful to audit. Even if you do not plan to implement any real form of auditing in your
environment (although I advise against this), understanding how auditing works can be an
important tool when performing application integration (see Chapter 21 for more information
on this) because it can help you to determine files or directories that may require modified
security permissions in order to allow an application to function properly.
If you will implement security auditing, you need to consider carefully what events you
actually want to audit. Although it is easy to simply configure your environment to audit all
events, the resulting logs are difficult to review and manage, defeating the purpose of auditing
in the first place. Finding the proper level of auditing for your environment requires a bit
of work but is an exercise I highly recommend. My simple rule is if you are not planning on
proactively monitoring an event, don’t waste your time auditing it. People may disagree with
this, but in most situations, by the time you discover there is a security problem, the pertinent
log information very likely is gone.
System Auditing
Before you can begin to track audited events, you must enable auditing on the system itself.
As with the other security options configured in this chapter, Terminal Server auditing should
be enabled through a group policy object in the active directory. Alternatively you can configure
the audit settings directly from the Local Security Settings application, but any options
configured in the domain will override this. Figure 16.26 shows the Audit Policy folder containing
the available policy properties, which are located in
The auditable events listed in the Audit Policy folder are described in the following list.
Unless otherwise stated, these policies are not enabled for either Windows 2000 or Windows
2003 Terminal Server.
Audit Account Logon Events — This audit policy should not be confused with
the Audit Logon Events policy described later in this list. The purpose of this
policy is to log an event whenever an account on the computer being configured
is used to authenticate on this or any other computer. This option is typically
enabled only on a domain controller and is not normally required on a Terminal
Server. Windows Server 2003 has this option set to SUCCESS by default on all
member servers.
Audit Account Management — The result of a creation, deletion, or modification
of a local user account or group is logged when this audit event is selected.
I recommend tracking both success and failure.
Audit Directory Service Access — Access to an active directory object that has
its own system access control list (SACL) is audited using this policy. This audit
policy is valid on only a domain controller and so does not need to be set on a
Terminal Server. A group policy object is an example of an object in an active
directory that has its own SACL.
Audit Logon Events — Whenever a user attempts to log on or log off the Terminal
Server, an event is written to the log. This differs from the Audit Account
Logon Events policy, which generates a log entry on the server where the user
account resides. The Audit Logon Events policy generates a log entry on the
server where the logon was attempted. I recommend that you audit both success
and failure. Successful logons let you audit the logon activities for users, and
failures may indicate an attempt by someone to access a restricted resource.
MetaFrame includes a command line tool called AUDITLOG, which generates
output from the security event log based on the logon/logoff information in the
security log. See Appendix B, "MetaFrame Presentation Server Command
Reference," for more information on this. This event is enabled and set to track
SUCCESS events on Windows 2003. It is not defined for Windows 2000.
Audit Object Access — Access to standard objects that have their own SACL
defined, such as files, folders, printers, or the registry, are audited using this
policy. I recommend auditing failures since this will indicate users with insufficient
privileges attempting to access a resource. Mapping successes offers little
value except in isolated situations, because users can successfully access a large
number of objects during a single Terminal Server session.
Audit Policy Change — This setting covers any changes made to the security
policies, which are composed of the user rights policies and the audit policies
on a Terminal Server. Because of the sensitive nature of this security information
and the fact that it should rarely change, both success and failure should
always be audited.
Audit Privilege Use — This audits use of a user right on the Terminal Server,
such as taking ownership of an object or changing the system time. Failure
should be tracked for this policy.
Audit Process Tracking — This policy tracks actions such as process (including
program) starting and stopping. Indirect object access would include tracking a
process or thread from an application that manipulated an object in some way.
Failures should normally be audited for this policy.
Audit System Events — When a user attempts to restart or shut down a system,
this policy is triggered. Any event that affects the system security or the
security log is also tracked with this event. I recommend auditing both success
and failure.
Auditing introduces additional performance overhead, so unless you are willing to actively
monitor your audit logs and feel their use is necessary, you can provide a performance gain
by not implementing auditing. Of course, the performance gains must be worth not having
the auditing information available for review if necessary. I suggested some events to audit,
but the ones you implement will depend on the information you’re interested in tracking and
what you feel is necessary. You should monitor your security logs carefully to see if there is
extraneous information that can be eliminated.
NOTE: If the Shutdown command has not been removed from the Start menu using a
group policy, do not be too surprised if you see restart and shutdown attempt failures
made on your Terminal Servers shortly after you implement the new infrastructure. If
your users have had previous experience with Windows, they may be accustomed to
shutting down their computers when they finish working for the day. This will be common
among users who use the Alt+F4 key combination to terminate Windows. Even
on a Terminal Server, using Alt+F4 presents the user with the Windows Security dialog
box where he or she has the option to shut down. Although regular users will have
insufficient privileges to successfully complete this operation, the shutdown or restart
attempt still will be logged.
File System Auditing
After enabling object access auditing, you can set up the desired file system auditing. If
object access is not being audited (see the preceding section regarding system auditing), any
file auditing you configure will simply be ignored. File auditing is enabled by following these
steps:
Right-click a file object (drive, folder, or file) and select Properties.
Click the Security tab and then the Advanced button.
Here you find the Auditing tab. By clicking the Add button, you can add groups or
users that will be audited based on the options you select. Figure 16.27 shows the
auditing options available for both Windows 2000 and 2003, which correspond to
the file system security attributes. More information on these specific attributes
can be found in Appendix E, "File System and Registry Security Primer."
Table 16.10 lists my suggested auditing settings for the system and application volumes on a
Windows 2000/2003 Terminal Server. On the system volume, you may want to create separate
audit settings for the profile directory (%SystemDrive%\Documents and Settings"),
since users will continuously be writing, editing, and deleting information from that location.
Table 16.10: Suggested Windows 2000/2003 Terminal Server System and
Application Volume Auditing Settings
Volume
Permission
Audit Setting
System/Application
Create Files/Write Data Create Folders/Append Data Delete Subfolders and Files Delete Change Permissions Take Ownership
Registry Auditing
Typically, registry auditing is enabled only on the HKEY_LOCAL_MACHINE hive and all
subkeys. The auditable events are set similar to those shown in Figure 16.28.
Registry auditing is enabled through the registry-editing tool (REGEDT32 on Windows
2000, REGEDIT on Windows 2003). Depending on the operating system, the Auditing dialog
box is accessed as follows:
Windows 2000: Open REGEDT32, select the Permissions menu, click the
Advanced button, and select the Auditing tab.
Windows 2003: Open REGEDIT, choose Permissions from the Edit menu,
click the Advanced button, and select the Auditing tab.
Click the Add button to add the users or groups and then select the events to audit. You will
need to select the Reset Auditing Entries check box to configure all child objects and enable
propagation of inheritable audit entries.
You may receive a message indicating that all subkeys could not be updated. This is okay,
as the update process will fail to update subkeys for which you don’t have access, such as the
HKLM\SECURITY or the HKLM\SAM\SAM key. Auditing on the relevant keys will be
updated properly.
You shouldn’t monitor success of either the Query event or the Enumerate Subkeys
event, because both generate a large number of event entries very quickly and should be
enabled only when attempting to troubleshoot or resolve a specific issue.
Connection Auditing
Both versions of Windows support connection auditing, which monitors actions that one user
session performs against another or performs directly on the connection configuration.
Actions such as modifying connection properties or remotely controlling a user’s session can
be monitored when connection auditing has been enabled. Figure 16.29 shows the Auditing
dialog box for an RDP-TCP connection entry. The selected entries also represent my
recommendations for the events to audit. Connection auditing simply tracks the success or
failure of performing a particular connection action.
Connection auditing is enabled as follows:
Open the Terminal Services Configuration tool located under Administrative Tools
on the Start menu.
Right-click desired connection protocol (RDP or ICA) and select Properties.
From the Permissions tab, click the Advanced button and then select the Auditing
tab, where you are presented with the familiar Audit dialog box.
SECURITY PATCH MANAGEMENT
Even if an administrator has been completely diligent in all aspects of securing their Terminal
Server environment, failing to employ proper security patch management can still leave them
vulnerable to attacks. In fact, even a cursory configuration of traditional security measures on
a Terminal Server coupled with a diligent security patch implementation strategy can leave a
server much more secure than one without proper patching.
Today, administrators have little choice but to ensure that their servers remain up-todate
with the latest patches. Because of this I’ve dedicated a complete chapter to this subject.
Chapter 9 provides a thorough discussion on properly managing deployment of security
patches in your Terminal Server environment.
Master SharePoint with 3 eLearning Seminars Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!
SharePointConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
VMworld 2008 - Sign Up Today! Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.
Microsoft® Tech•Ed EMEA 2008 IT Professionals Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.
Order Your SQL Fundamentals CD Today! Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.
Are You Really Compliant with Software Regulations? View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.
Windows IT Pro
Register
