Using the Terminal Services Configuration Tool

The Terminal Services Configuration tool is found in the Administrative Tools program group on the Start menu. Click Start, Programs or All Programs, Administrative Tools, and Terminal Services Configuration, or else type tscc.msc at a command prompt. As shown in Figure 31-15, you can configure connections and server settings using the Terminal Services Configuration tool. Each terminal server must be configured separately.

Figure 31-15. Editing settings with the Terminal Services Configuration tool.

Configuring Global Connection Settings

With Terminal Services and Remote Desktop for Administration, data transmission between the server and the client uses Remote Desktop Protocol (RDP), which is encapsulated and encrypted within TCP. RDP version 5.2 is the default version of the protocol used with Windows Server 2003. In the Terminal Services Configuration tool, you can configure the settings for RDP. RDP settings are used to set global defaults and to override the local and default settings used by clients.

To modify the RDP settings for the server you are currently working with, in the Details pane right-click on RDP-Tcp, and then select Properties. This displays the RDP-Tcp Properties dialog box as shown in Figure 31-16. If any of these settings are unavailable, they have probably been configured using Group Policy.

Figure 31-16. Configuring RDP-Tcp Properties and settings.

The RDP-Tcp Properties dialog box has the following tabs:

  • General Sets the encryption level for the server. Use Client Compatible if you are using a mixed environment that may include computers running Windows 2000. You can also require High (128-bit) or FIPS-compliant encryption.

  • Logon Settings Configures specific logons to use. In most cases, however, you'll want to use the default setting Use Client-Provided Logon Information. If you want clients always to be prompted for a password regardless of their client settings, choose Always Prompt For Password.

  • Sessions Configures session reconnection and timeout. Any settings used here override the user settings. You can configure whether and when Terminal Services ends disconnected sessions, limits active sessions, or limits idle sessions.

  • Environment Sets an initial program to run. This setting overrides client settings for Remote Desktop clients.

  • Remote Control Determines whether remote control of user sessions is enabled, and sets remote control options. Remote control can allow an administrator to view a user's Terminal Services sessions, interact with a user's Terminal Services sessions, or both. These remote control options set the global defaults used by all users.

  • Client Settings Determines how the client screen resolution and redirection features are managed. By default, the connection settings from the Remote Desktop clients are used, and clients are limited to a maximum color depth of 16 bits. Additionally, audio mapping is disabled by default.

  • Network Adapter Determines the network adapters on the server to which Terminal Services connections can be made. The All Network Adapters option is selected by default.

  • Permissions Lets you view or modify security permissions for the server. Rather than configuring permissions per server, it is much easier to add users to the Remote Desktop Users group in Active Directory Users And Computers if they should have access to Terminal Services. It should be noted that this group has limited permissions. By default, members of the Remote Desktop Users group have User Access and Guest Access permission. This means users can log on to a session on the server, query information about a session, connect to other user sessions, and connect to another session.

Configuring Server Settings

As shown in Figure 31-17, the Server Settings folder contains options for all connections on a terminal server.

Figure 31-17. Configure general server settings for all connections.

The settings available depend on the Terminal Services configuration and include the following:

  • Delete Temporary Folders On Exit Determines whether temporary folders created by clients are deleted automatically when a user logs off. By default, this setting is enabled, so temporary folders are deleted when a user logs off the terminal server. To change this setting, right-click it and select Yes or No as appropriate.

  • Use Temporary Folders Per Session Determines whether temporary folders are used on a per-session basis. By default, this setting is enabled, so each session has its own set of temporary folders. To change this setting, right-click it and select Yes or No as appropriate.

  • Licensing Determines whether the licensing mode for clients is set Per Device or Per User. To change this setting, right-click it, select Properties, and then select Per Device or Per User as appropriate. Click OK.

  • Active Desktop Determines whether users are permitted to use Active Desktop. By default, this setting is enabled, so users are able to use Active Desktop. To reduce the amount of overhead for processing and network bandwidth, you might want to disable this option. To change this setting, right-click it and select Enable or Disable as appropriate.

  • Permission Compatibility Determines the default permissions for compatibility with applications. Full Security restricts user access to areas of the Registry and to system files, and is designed to safeguard the terminal server so that remote users running a virtual session cannot arbitrarily modify system files or the Registry. Relaxed Security doesn't restrict user access to the Registry or system files, and is designed for maximum compatibility with applications, particularly those designed for Windows 2000 or earlier versions of Windows. To change this setting, right-click it, select Properties, and then select Full Security or Relaxed Security as appropriate. Click OK.

  • Restrict Each User To One Session Determines whether users are limited to a single session on the terminal server. By default, this is enabled to conserve resources on the terminal server. To change this setting, right-click it and select Yes or No as appropriate.

  • Join Session Directory Determines whether the server uses a Session Directory, and sets the Session Directory properties. To change this setting, right-click it, select Properties, and then configure it as discussed in the section entitled "Configure Each Server to Join the Session Directory" earlier in this chapter. Click OK.

Note

Note that the word "join" is part of this setting name only if the Terminal Services Session Directory service is running. If it's not running, then this option is simply named Session Directory and has the value Disabled.
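The RDP-Tcp and Server Settings options described above are stored as registry values, so they can be reviewed in bulk from saved reg query output. The following is an added example, not code from the original text: the registry value names, the baseline of acceptable values, and the sample output are assumptions and constructed data.

```python
import re

RDP_TCP = r"Control\Terminal Server\WinStations\RDP-Tcp"
TS = r"Control\Terminal Server"

# (key suffix, value name, acceptable DWORDs, setting as named in the tool)
# Assumed value names and baseline; neither is taken from the page.
# MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS.
BASELINE = [
    (RDP_TCP, "MinEncryptionLevel", {3, 4}, "General: High or FIPS encryption"),
    (RDP_TCP, "fPromptForPassword", {1}, "Logon Settings: Always Prompt For Password"),
    (TS, "TSUserEnabled", {0}, "Permission Compatibility: Full Security"),
    (TS, "fSingleSessionPerUser", {1}, "Restrict Each User To One Session"),
    (TS, "DeleteTempDirsOnExit", {1}, "Delete Temporary Folders On Exit"),
    (TS, "PerSessionTempDir", {1}, "Use Temporary Folders Per Session"),
]

def parse_reg_query(text):
    """Return {key path: {value name: int}} for the REG_DWORD values listed."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = re.match(r"\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """List (value name, actual, setting) for values missing or off baseline."""
    keys = parse_reg_query(text)
    findings = []
    for suffix, name, ok, label in BASELINE:
        values = next((v for k, v in keys.items() if k.endswith("\\" + suffix)), {})
        if values.get(name) not in ok:
            findings.append((name, values.get(name), label))
    return findings

# Constructed sample of reg query output for the two keys.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    TSUserEnabled    REG_DWORD    0x1
    fSingleSessionPerUser    REG_DWORD    0x1
    DeleteTempDirsOnExit    REG_DWORD    0x1
    PerSessionTempDir    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x2
    fPromptForPassword    REG_DWORD    0x0
"""
```

A value reported as None was absent from the output. Settings enforced through Group Policy are stored under a separate policy key, so this check covers only the locally configured values.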

Configuring Terminal Services Security

Terminal Services permissions set the maximum allowed permissions for a Terminal Services connection. These permissions are applied whenever a client connects to a terminal server. The basic permissions for Terminal Services are the following:

  • Full Control Users have full control over their own sessions as well as the sessions of other users. In addition to setting user access permissions, they can set information, take control of or view other user sessions, disconnect sessions, or establish virtual channels.

  • User Access Users have limited control over their own sessions. This means users can log on to a session on the server, query information about a session, or connect to another session.

  • Guest Access Users can log on to a terminal server. They do not have other permissions.

If users have a basic permission, they also have special permissions built into the basic permission, as shown in Table 31-2. Note that the Logon permission implicitly gives users the right to log off their own session and the Connect permission implicitly gives users the right to disconnect their own session.

Table 31-2. Special Permissions for Terminal Services

| Special Permission | Description | Included In |
|---|---|---|
| Query Information | Allows a user to gather information about users connected to the terminal server, processes running on the server, etc. | Full Control, User Access |
| Set Information | Allows a user to configure connection properties. | Full Control |
| Remote Control | Allows a user to view or remotely control another user's session. | Full Control |
| Logon | Allows a user to log on to a session on the server. | Full Control, User Access, Guest Access |
| Logoff | Allows a user to log off another user from a session. This is different from being able to log off your own session. | Full Control |
| Message | Allows a user to send a message to another user's session. | Full Control |
| Connect | Allows a user to connect to another session. | Full Control |
| Disconnect | Allows a user to disconnect another user from a session. | Full Control |
| Virtual Channels | Allows a user to use virtual channels. | Full Control |

With Windows Server 2003, you must use the Remote Desktop Users group to control access to Terminal Services. In addition to having default security permissions, this group is given default user rights, which allow members of the group to log on to a terminal server.

To view or manage the permissions of a terminal server, start the Terminal Services Configuration tool on the server. In the left pane select Connections, and then, in the details pane, right-click the connection you want to work with and select Properties. In the Properties dialog box, select the Permissions tab, shown in Figure 31-18. You can now view the users and groups that have Terminal Services permissions and their permissions.

Figure 31-18. View or set Terminal Services permissions.

You can grant or deny Terminal Services permissions. In the Terminal Services Configuration tool, select Connections, and then, in the details pane, right-click the connection you want to work with and select Properties. In the Properties dialog box, select the Permissions tab.

In the Permissions tab, configure access permissions for each user and group added by selecting an account name, and then allowing or denying access permissions. To grant a user or group access permissions, select the permission in the Allow column. To deny a user or group access permissions, select the permission in the Deny column.

You can set special permissions for Terminal Services using the Terminal Services Configuration tool as well. Right-click the connection you want to work with and select Properties. In the Properties dialog box, select the Permissions tab, and then click Advanced. This displays the dialog box shown in Figure 31-19.

Figure 31-19. The Advanced Security Settings dialog box shows the special permissions assigned to each user or group.

You now have the following options:

  • Add Adds a user or group. Click Add to display the Select User, Computer, Or Group dialog box. Type the name of a user or group and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you. When you click OK, the Permission Entry For dialog box shown in Figure 31-20 appears.

    Figure 31-20. Use the Permission Entry For dialog box to set special permissions.

  • Edit Edits an existing user or group entry. Select the user or group whose permissions you want to modify, and then click Edit. The Permission Entry For dialog box appears.

  • Remove Removes an existing user or group entry. Select the user or group whose permissions you want to remove, and then click Remove.

If you are adding or editing entries for users or groups, you use the Permission Entry For dialog box to grant or deny special permissions. Select Allow or Deny for each permission as appropriate.
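To review what a set of Allow and Deny entries actually gives an account, the basic permissions can be expanded into the special permissions of Table 31-2. The following is an added example, not code from the original text: it assumes a matching Deny entry takes precedence over Allow, as in standard Windows access control evaluation, and the accounts, groups, and entries are constructed.

```python
# Table 31-2 from the page: special permission -> basic permissions including it.
INCLUDED_IN = {
    "Query Information": {"Full Control", "User Access"},
    "Set Information": {"Full Control"},
    "Remote Control": {"Full Control"},
    "Logon": {"Full Control", "User Access", "Guest Access"},
    "Logoff": {"Full Control"},
    "Message": {"Full Control"},
    "Connect": {"Full Control"},
    "Disconnect": {"Full Control"},
    "Virtual Channels": {"Full Control"},
}
BASIC = {"Full Control", "User Access", "Guest Access"}

def expand(permission):
    """Expand a basic permission into special permissions; pass specials through."""
    if permission in BASIC:
        return {sp for sp, basics in INCLUDED_IN.items() if permission in basics}
    if permission not in INCLUDED_IN:
        raise ValueError(f"unknown permission: {permission}")
    return {permission}

def effective(entries, groups_of, user):
    """Special permissions a user ends up with; a matching Deny beats Allow."""
    principals = {user} | groups_of.get(user, set())
    allowed, denied = set(), set()
    for principal, kind, permission in entries:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(expand(permission))
    return allowed - denied

# Constructed entries for one connection (hypothetical accounts and groups).
ENTRIES = [
    ("Administrators", "Allow", "Full Control"),
    ("Remote Desktop Users", "Allow", "User Access"),
    ("Helpdesk", "Allow", "Remote Control"),
    ("Contractors", "Deny", "Guest Access"),
]
GROUPS_OF = {
    "alice": {"Administrators", "Contractors"},
    "bob": {"Remote Desktop Users", "Helpdesk"},
}
```

In this sample, alice keeps every Full Control permission except Logon, because the Deny on Guest Access expands to Logon. Bob gains Remote Control through a special-permission entry on top of User Access.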

Auditing Terminal Services Access

Auditing Terminal Services access can help you track who is accessing Terminal Services and what they are doing. You configure auditing policies per server. Start the Terminal Services Configuration tool, select Connections, and then, in the details pane, right-click the connection you want to work with and select Properties. In the Properties dialog box, select the Permissions tab, and then click Advanced. In the Advanced Security Settings dialog box, select the Auditing tab, shown in Figure 31-21.

Figure 31-21. Specify to which users and groups auditing should apply.

Use the Auditing Entries list to select the users, groups, or computers whose actions you want to audit. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. If you want to audit actions for all Terminal Services users, use the Remote Desktop Users group. Otherwise, select the specific user groups or users, or both, that you want to audit. When you click OK, you'll see the Auditing Entry For … dialog box, shown in Figure 31-22.

Figure 31-22. Specify the actions to audit for the designated user, group, or computer.

After you make a selection, under Access, select the Successful or Failed check boxes, or both, for each event you want to audit. The events you can audit are the same as those for which you control Terminal Services permissions, as discussed previously. Choose OK when you're finished. Repeat this process to audit other users, groups, or computers. Any time permissions that you've configured for auditing are used, the action is written to the system's security log, where it's stored for your review. The security log is accessible from Event Viewer.
