TERMINAL SERVICES

So you want to do Terminal Services on your SBS 2003 box do you?

 

First realize that we can ONLY do TS in admin mode for remote administration.

TS in application mode is no longer allowed

Why?

Let's examine why, shall we?

Here is the listing of recommended steps to lock down a TS box
1. Apply the Notssid.inf security template to TS running permissions
compatible with TS users.
2. Use the AppSec tool to limit which applications can be executed.
3. Do not enable remote control.
4. Do not enable application server mode on a domain controllers.
To connect to a terminal server from the network, users must have the
Log On Locally user right assigned. If you implement application server
mode on a domain controller, nonadministrators must be assigned the Log
On Locally user right at the domain controller. Because this user right
is typically assigned in Group Policy, it enables users to log on at the
console of any domain controller in the domain, greatly reducing security.
5. Implement the strongest available form of encryption between the TS
client and server
6. Choose the correct mode for your TS deployment [if you only need
remote administration, the only deploy that]
7. Install the latest service pack and security updates.

Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in
violation of #4.

Page 393-394 Security Resource Kit.

Read this doc and see how much is done to lock down a TS server..... we
can't do this stuff in SBS land.
http://www.nsa.gov/snac/win2k/guides/w2k-19.pdf

 

Okay first and foremost, would you agree that allowing your employees to sit at your server and use it as a workstation is a good idea?  Probably not right?  Well that's what you are doing when you do TS in application mode.  You are allowing people to log onto that server, use possibly “leaky“ applications that may require you to reboot the server, and in general, expanding greatly the threat vectors on that server.

Take for example - Internet Explorer.  You have to remove the Enhanced IE security [go into add/remove programs to remove this on a normal server].  Michael Howard [MS Security dude] talks about the threat modeling that they did on Windows 2003 server.  Near the end of the project they did a “threat model“ brainstorm and asked themselves what was a potential issue....and the threat that came back was surfing on that domain controller.  So the Security folks pushed through that Enhanced IE [you know that box that prompts you the web site you are wanting to go to is not in a trusted zone?].  Andrew Duthie talks about the settings on his blog.

Right now my security issues are the spybots and gunk that are going after Internet Explorer.  Just last night in talking “geek“ with my friends from LA that were up for a visit, Pierre talked about having to track down a browser hijack program [He wanted  to do it manually, but he could have used the CWshredder tool].  Now ask yourself, do you want to do that on your one and only domain controller?  Think of what you do to clean up your separate desktops. 

So the next time someone says “But it's dumb, I want my TS in application mode back!“ remember that we can't do things the way we used to.  That was then, this is now. 

Now, there is one way that this can be better.  Documentation and information. 

In one of the listserves I'm on we were chatting about the lack of documentation on this issue [and I'd add the lack of documentation of WHY we shouldn't do it]  Now granted, we women would argue that guys don't read, but I do agree with my fellow listmates that the information about the lack of TS in application mode should be WAY more obvious.  The information of how it is no longer supported or included and why it's not safe and secure to have it there in the first place needs to be way way more obvious.  In fact it should be part of the sales and marketing stuff because to me, it shows better than anything else that Microsoft is indeed “walking the walk, talking the talk“.  We asked them to make the products more secure.  They responded.  This should be a selling point that they are making it more secure, not a “What happened to TS?“ question in the newsgroup.

Documents that discuss TS in application mode removed .....

This KB   and read Page 44 in this document

Bottom line:

Do you really want SBS 2k3 to be the platform of "INsecurity"?

Microsoft chose Security.  Be glad they have your client's best interests at heart.

http://msmvps.com/bradley/archive/2004/05/31/7401.aspx