If your company relies on Terminal Services for clients to access applications, the network, or resources, you know how important and powerful this technology is. Terminal Services allows a company to provide high-end solutions for legacy operating systems and limited hardware. Without Terminal Services, many companies would be far less productive.
Controlling and limiting Terminal Services sessions can be a full-time job. Terminal server sessions must be protected, along with the servers that run Terminal Services. This is why Microsoft has provided more than 50 Group Policy settings that help control Terminal Services. Many of these settings can be configured to help lock down terminal servers and client sessions.
You can use Group Policy to configure Terminal Services connection settings, set user policies, configure terminal server clusters, and manage Terminal Services sessions. You can enable Group Policy for users of a computer, for individual computers, or for groups of computers belonging to an OU of a domain. To set policies for users of a particular computer, you must be an administrator for that computer. To set policies for an OU in a domain, you must be an administrator for that domain.
Sometimes you might need to control the Terminal Services settings for an individual computer. The computer might be a shared computer for which you want to configure the settings that apply to the computer object. You might also need to configure the Terminal Services settings for the user or users who will use the computer, and in this case you would want to configure the settings that apply to the user object.
You can access Terminal Services settings on a standalone computer by using local Group Policy. The Group Policy Object Editor snap-in allows you to access the Local Group Policy Object (LGPO) on that particular computer. Once you are in the Group Policy Editor, you can view and configure Terminal Services settings under both the Computer Configuration and User Configuration nodes, as shown in Figure 12-3 and Figure 12-4.
In Active Directory environments, you may need to lock down several Terminal servers. The policy settings for locking down terminal servers in a domain are similar to those for standalone terminal servers, as shown above. The significant difference is in how you implement Group Policy for terminal servers in a domain.
To configure Terminal Services for multiple computers using Active Directory, you must organize the user and computer accounts into OUs. Then you can configure GPOs that contain the specific Terminal Services settings for those objects.
It is possible to make Terminal Services configurations at both the local and Active Directory levels using Group Policy. You can also make configurations within different GPOs at various levels within Active Directory. This is an issue because there is an order of precedence in which the Terminal Services configurations apply. The following is a list of highest to lowest precedence of the locations where Terminal Services settings can be set.
Computer-level Group Policies (if set)
User-level Group Policies (if set)
Local computer configuration set with Terminal Services Configuration tool
User-level policies set with Local Users and Groups
Local client settings
When Terminal Services is used in your environment, it is important to configure and control the user environment and properties. If you don’t, the user might have too much access or too much flexibility for the sessions that are created on the Terminal Server. This section focuses on some best practices for the general settings related to user properties associated with Terminal Services. It also discusses the GPO settings that can be configured in this area.
Here are some general best practices for establishing user properties for Terminal Services. Your environment might differ slightly, but these suggestions will point you in the right direction for establishing a secure, stable, and functional Terminal Services environment.
Use Terminal Services–specific groups. Create user groups that are specifically for Terminal Services users. Windows Server 2003 family operating systems contain a default user group called Remote Desktop Users, which is specifically for managing Terminal Services users.
Use Terminal Services–specific profiles. Assign a separate profile for logging on to Terminal Services. Many common options stored in profiles, such as screen savers and animated menu effects, are not needed when users connect through Terminal Services. Assigning a specific profile allows users to get the most out of the system they are working with without requiring additional server resources.
Use mandatory profiles. Use a mandatory Terminal Services profile that was created to suit the needs of all of types of clients and that provides the best server performance. Be aware that 16-bit computers and Windows-based terminals might not support some screen resolutions.
Set time limits. Setting limits on the duration of client connections can improve server performance. You can limit how long a session lasts, how long a disconnected session is allowed to remain active on the server, and how long a session can remain connected yet idle.
Use the Starting Program option. If you have users who need to access only one application on the terminal server, use the Starting Program option. You can do this for all users by using Terminal Services Configuration or you can do it on a per-user basis by using either the Terminal Services Extension to Local Users and Groups or Active Directory Users and Computers.
Create preconfigured connection files for users or groups of users. To make connecting to Terminal Services easier, you can supply users with preconfigured connection files. Collections of connection files can also be made for different departments within your organization or for different job titles. Preconfigured connection files are created using Remote Desktop Connection.
Several GPO settings help you control the terminal server licensing. If you use these settings, you can centrally control and configure license servers and maintain consistency in the environment. You should configure two specific settings to help control the licensing. Both are located under the following path in a default GPO:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesLicensing
This setting is used to control the Terminal Servers that are issued licenses. In a default configuration, the Terminal Services License Server will issue a license to all computers that request one. When this setting is enabled, the license server responds only to requests from terminal servers that are located in the Terminal Services Computers local group. This is an excellent way to prevent rogue terminal servers from requesting licenses. If you have more than one license server, you can add all of the license servers to the group; this allows the license servers to request licenses on behalf of the terminal servers.
A license server attempts to provide the most appropriate client access license (CAL) for a connection. Windows 2000 Terminal Services CAL tokens are provided for Windows 2000 clients. A Windows Server 2003 family Terminal Services CAL is provided when a connection is made to a terminal server running Windows Server 2003. The default behavior is that a Windows 2000 terminal server requests a token, and if the license server does not have any Windows 2000 CALs, it issues a Windows Server 2003 Per-Device token. The Prevent License Upgrade setting can stop this behavior by giving a temporary license to clients connecting to Windows 2000 terminal servers. When the temporary token expires, the connection is refused.
Many aspects of the Terminal Services connection can and should be controlled using Group Policy. If these settings are left to individual settings on the Terminal Server or the client, inconsistencies will be introduced throughout the enterprise that waste time, increase help desk calls, and make troubleshooting Terminal Services connection problems more difficult. The following GPO settings can establish a security baseline for the sessions that are running through Terminal Services:
The Limit Number Of Connections setting specifies whether Terminal Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of remote sessions that can be active on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, terminal servers allow an unlimited number of remote sessions, and Remote Desktop for Administration allows two remote sessions. To use this setting, specify the number of connections you want as the maximum for the server, as shown in Figure 12-5. To specify an unlimited number of connections, type 999999.
Figure 12-5. The Terminal Services GPO setting that controls the maximum number of connections for a server
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesLimit number of connections
When this setting is enabled, you can specify the number of connections in the TS Maximum Connections Allowed box.
For Terminal Services connections, using data encryption helps to protect your information on the communications link between the client and the server by preventing unauthorized transmission interception.
The Set Client Connection Encryption Level setting allows you to enforce an encryption level for all data sent between the client and the remote computer during a Terminal Services session, as shown in Figure 12-6.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesEncryption and SecuritySet client connection encryption level
When this setting is enabled, you can set the encryption level to one of four levels, as described in Table 12-1. By default, Terminal Services connections are encrypted at the highest level of security available (128-bit). However, some earlier versions of the Terminal Services client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
Table 12-1. Client Connection Encryption Levels
Level of Encryption | Description |
|---|---|
FIPS Compliant | Encrypts data sent from client to server and from server to client to meet the Federal Information Processing Standard 140-1 (FIPS 140-1), a security implementation designed for certifying cryptographic software. Use this level when Terminal Services connections require the highest degree of encryption. FIPS 140-1–validated software is required by the U.S. government and requested by other prominent institutions. |
Important: If FIPS compliance has already been enabled by the System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, And Signing Group Policy, administrators cannot change the encryption level for Terminal Services connections by changing the Terminal Services Set Client Connection Encryption Level Group Policy setting or by using Terminal Services Configuration. | |
High | Encrypts data sent from client to server and from server to client by using strong 128-bit encryption. Use this level when the remote computer is running in an environment containing only 128-bit clients (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect. |
Encrypts data sent from client to server and from server to client at the maximum key strength supported by the client. Use this level when the remote computer is running in an environment containing mixed or legacy clients. | |
Low | Encrypts data sent from the client to the server using 56-bit encryption. |
Caution: Data sent from the server to the client is not encrypted. |
The Secure Server (Require Security) setting specifies whether a Terminal Server requires secure RPC communication with all clients or allows unsecured communication. When this setting is enabled, all RPC communication with clients is more secure because only authenticated and encrypted requests are allowed. The Terminal Server will allow communication only with secure requests and will deny unsecured communication with untrusted clients.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesEncryption and SecurityRPC Security PolicySecure Server (Require Security)
You can use the Start A Program On Connection setting to specify a program to run automatically when a user logs on to a remote computer. By default, Terminal Services sessions provide access to the full Windows desktop unless otherwise specified with this setting. Enabling this setting overrides the Start Program settings set by the server administrator on the Terminal Server or set by the user from the Terminal Services client. When this setting is configured, the Start menu and Windows desktop are not displayed, and when the user exits the program the session is automatically logged off.
To use this setting, you must provide the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, you can also provide the working directory by typing the fully qualified path to the starting directory for the program.
Note
If the specified program path, file name, or working directory is not the name of a valid directory, the terminal server connection fails with an error message.
Note
The Start A Program On Connection setting appears in both Computer Configuration and User Configuration. If this setting is configured in both places, the Computer Configuration setting takes precedence.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesStart a program on connection
When this setting is enabled, you can configure the Program Path And File Name box as well as the Working Directory box, as shown in Figure 12-7.
You can monitor the actions of a client logged on to a terminal server by remotely controlling the user’s session from another session. Remote control allows you to observe or actively control another session. If you choose to actively control a session, you can input keyboard and mouse actions to the session. A message can be displayed on the client session asking permission to view or take part in the session before the session is remotely controlled. You can use Terminal Services Group Policies to configure remote control settings for a connection and Terminal Services Manager to initiate remote control on a client session.
Tip
Windows Server 2003 family operating systems also support Remote Assistance, which allows greater versatility for controlling another user’s session. Remote Assistance also provides the ability to chat with the other user.
To access the Set Rules For Remote Control To Terminal Services User Sessions GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesSet rules for remote control of Terminal Services user sessions
When this GPO setting is enabled, you can configure the Options setting, which sets the desired remote control permissions. Five permission levels are available, as shown in Figure 12-8.
For a Terminal Services connection, you can limit the amount of time that active, disconnected, and idle (without client activity) sessions remain on the server. This is useful because sessions that run indefinitely on the server consume valuable system resources. When a session limit is reached for active or idle sessions, you can opt to disconnect the user from the session or end the session. A user who is disconnected from a session can reconnect to the same session later. When a session ends, it is permanently deleted from the server and any running applications are forced to shut down, which can result in loss of data at the client. When a session limit is reached for a disconnected session, the session ends, which permanently deletes it from the server. Sessions can also be allowed to continue indefinitely.
You can use the Set Time Limit For Disconnected Sessions setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session.
When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.
To access the Set Time Limit For Disconnected Sessions setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesSessionsSet time limit for disconnected sessions
When this GPO setting is enabled, you can configure the End A Disconnected Session setting, which specifies when a disconnected session will be ended.
Note
The Set Time Limit For Disconnected Sessions setting affects every client that connects to the terminal server. To define Session settings on a per-user basis, use the Sessions policies under User Configuration.
Important
The setting does not apply to console sessions such as Remote Desktop sessions with computers running Windows XP Professional. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
You can use the Set Time Limit For Active Terminal Services Sessions setting to specify the maximum amount of time a Terminal Services session can be active before it is disconnected. By default, Terminal Services allows sessions to remain active for an unlimited time.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesSessionsSet time limit for active Terminal Services sessions
When this setting is enabled, you can configure the Active Session Limit setting to set the time limit for any Terminal Services session.
Note
The Set Time Limit For Active Terminal Services Sessions setting affects every client that connects to the terminal server. To define Session settings on a per-user basis, use the Sessions policies under User Configuration.
This setting appears in both Computer Configuration and User Configuration. If it is configured in both places, the Computer Configuration setting has precedence. Active session limits do not apply to the console session. To specify that user sessions terminate at timeout, enable the Terminate Session When Time Limits Are Reached setting.
You can use the Terminate Session When Time Limits Are Reached setting to direct Terminal Services to terminate a session (that is, the user is logged off and his session is disconnected from the server) after time limits for active or idle sessions are reached. By default, Terminal Services disconnects sessions that reach their time limit.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesSessionsTerminate session when time limits are reached
When this setting is enabled, Terminal Services terminates any session that reaches its timeout limit. This setting exists under both the Computer Configuration and User Configuration. The policy under the Computer Configuration has precedence.
You can use the Allow Reconnection From Original Client Only setting to configure settings for reconnecting disconnected Citrix ICA sessions. You can prevent Terminal Services users from reconnecting to the disconnected session using a computer other than the client computer from which they originally created the session. By default, Terminal Services allows users to reconnect to disconnected sessions from any client computer.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesSessionsAllow reconnection from original client only
When this setting is enabled, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead.
Tip
The Allow Reconnection From Original Client Only setting affects every client that connects to the terminal server. To define Session settings on a per-user basis, use the Sessions policies under User Configuration.
Note
The Allow Reconnection From Original Client Only setting is supported only for Citrix ICA clients that provide a serial number when connecting; it is ignored if the user is connecting with a Windows client. Also note that this setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting has precedence.
Because client sessions can establish multiple data channels between client and server, users can map to local devices, such as drives and printers. By default, drive and printer mappings that a user sets in a client session are temporary and are not available the next time the user logs on to the server. However, using Terminal Services Configuration, you can specify that client mappings be restored when the user logs on. In addition, you can disable specific client devices so that a user cannot map the device. Users can map the following devices:
Drives
Windows printers
LPT ports
COM ports
Smart cards
Clipboard
Audio
Whenever possible, use Terminal Services Group Policies to configure the settings described in the following sections.
The Allow Audio Redirection setting specifies whether users can choose where to play the remote computer’s audio output during a Terminal Services session (audio redirection). Users can use the Remote Computer Sound option on the Local Resources tab of Remote Desktop Connection to specify whether to play the remote audio on the remote computer or on the local computer. Users can also choose to disable the audio.
By default, users cannot apply audio redirection when connecting via Terminal Services to a server running Windows Server 2003. Users connecting to a computer running Windows XP Professional can apply audio redirection by default.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesClient/Server data redirectionAllow audio redirection
The Do Not Allow COM Port Redirection setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Terminal Services session. You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Terminal Services session. By default, Terminal Services allows this COM port redirection.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesClient/Server data redirectionDo not allow COM port redirection
You can use the Do Not Allow Client Printer Redirection setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Terminal Services allows this client printer mapping.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesClient/Server data redirectionDo not allow client printer redirection
When this setting is enabled, users cannot redirect print jobs from the remote computer to a local client printer in Terminal Services sessions.
The Do Not Allow LPT Port Redirection setting specifies whether to prevent the redirection of data to client LPT ports during a Terminal Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Terminal Services allows this LPT port redirection.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesClient/Server data redirectionDo not allow LPT port redirection
When this setting is enabled, users in a Terminal Services session cannot redirect server data to the local LPT port.
The Do Not Allow Drive Redirection setting specifies whether to prevent the mapping of client drives in a Terminal Services session (drive redirection). By default, Terminal Services maps client drives automatically upon connection. Mapped drives appear in the session folder tree in Windows Explorer or My Computer in the format <driveletter> on <computername>. You can use this setting to override this behavior.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesClient/Server data redirectionDo not allow drive redirection
When this setting is enabled, client drive redirection is not allowed in Terminal Services sessions.
The Do Not Set Default Client Printer To Be Default Printer In A Session setting specifies whether the client default printer is automatically set as the default printer in a Terminal Services session. By default, Terminal Services automatically designates the client default printer as the default printer in a Terminal Services session. You can use this setting to override this behavior.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesClient/Server data redirectionDo not set default client printer to be default printer in a session
When this setting is enabled, the default printer is the printer specified on the remote computer.
Each session that is created on a terminal server requires a user profile. As we discussed earlier, you can control this profile if you want it to roam. This option is handy for users who move from computer to computer but want a consistent desktop.
In some cases, you might not want users to download profiles or have profiles stored on certain terminal servers. The following sections offer some suggested settings for controlling these behaviors.
You can use the Set Path For TS Roaming Profiles setting to specify a network share where the profiles are stored, allowing users to access the same profile for sessions on all terminal servers in the same OU. By default, Terminal Services stores all user profiles locally on the terminal server. This setting allows you to override the setting in the user account on a per-server basis. It also provides an excellent method for specifying a different Terminal Server profile server for groups of terminal servers. If you have server farms that are spread over different locations, you can use this setting to allow users to roam between the servers in the server farms seamlessly.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesSet path for TS Roaming Profiles
When this setting is enabled, you type the path to the network share in the form \ComputernameSharename in the Profile Path box, as shown in Figure 12-9.
You can use the TS User Home Directory setting to select the location for the home directory for the Terminal Services session. The options are a network share or a local directory. For a network share path, you must type the path in the form \ComputernameSharename. For local directories, you can type the drive letter, followed by the path to the home directory root, such as C:usershomedir. Like the roaming profiles setting, this setting provides an excellent way to configure users’ home directories for when they roam between Terminal Server farms throughout the organization.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesTS User Home Directory
When this setting is enabled, you use the Location drop-down list to specify whether the path will be local or on the network, as shown in Figure 12-10. You then type the path to the home directory based on the syntax we discussed earlier. Finally, you specify a drive letter for the home directory, which the user will use to access the home directory on her computer.
To control Terminal Services licenses as well as how many Terminal Services sessions a user can start, you can restrict users to a single remote session. The Restrict Terminal Services Users To A Single Remove Session setting restricts users who log on remotely via Terminal Services to a single session on that server. This includes both active and disconnected sessions. This means that if a user disconnects from a session, any attempt to start a new session will fail and will send the user to the disconnected session.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesRestrict Terminal Services users to a single remove session
The Only Allow Local User Profiles setting is not designed for Terminal Services, but it can be used with a Terminal Services session. This setting prevents the roaming user profile from being downloaded, even if the user’s account specifies a roaming profile path. This setting is useful if you have terminal servers at different sites and you don’t want to maintain profile servers at each site.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesSystemUser ProfilesOnly allow local user profiles
Sometimes you will need to free up disk space on terminal servers but also need the users to use their roaming profiles. In this case, you cannot force the user to use a local profile. However, you can use the Delete Cached Copies Of Roaming Profiles setting to configure a different GPO that removes the roaming profile from the server when the user ends the session.
To access this GPO setting, follow this path:
Computer ConfigurationAdministrative TemplatesSystemUser ProfilesDelete cached copies of roaming profiles