Security

Security

This page is about securing a Terminal Server. For general security information (Security Bulletins, encryption, virus and spyware prevention, etc), choose the appropriate items in the menu on the left.

The basic steps to create a locked down Terminal Server:

• use NTFS and Registry permissions to keep users out of sensitive areas of the file system and the registry.
  A standard installation of Windows 2003 doesn't need any modification. On Windows 2000 Server, modify the NTFS permissions as follows:

     %SystemDrive%, %SystemRoot%, %ProgramFiles%
       and %SystemRoot%\system32 :      
    System - Full Control
    Administrators - Full Control
    Authenticated Users - Read & Execute
  

  Also make sure that users have only Read permissions on these keys:

    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  

• do not install Terminal Services (in Application Server mode - W2K) on a Domain Controller
• during the installation of Terminal Services, choose "Full Security" compatibility mode (on 2003) or "Permissions compatible with Windows 2000 Users" (on W2K)
• create a restrictive GPO (see KB 278295), using loopback processing (see KB 231287)
• grant users access to the Terminal Server by making them members of the Remote Desktop Users group (2003 only)
• choose the highest encryption level possible
• do not give users elevated user rights when an application doesn't work for normal users.
  Instead, download Process Monitor (former FileMon and Regmon combined). Run these programs as Administrator on the console of the Terminal Server (when no user is connected), start a TS session as a normal user and try to run the application. Process Monitor will show you all "access denied" errors that occur, so that you can give your users the necessary permissions on a file-to file or Registry subkey basis.
• do not assume that configuring an "Initial application" (rdp) or publishing an application (ica) prevents users from accessing the full desktop of the server (see CTX991230)
  
  If you need more granular control on an application basis, consider a 3rd party utility to enhance security.

More info + guidelines

• 278295 - How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session
• 243554 - Explanation of RDP-TCP Permissions in Windows 2000
• 231289 - Using Group Policy Objects to hide specified drives
• 816594 - HOW TO: Secure Communication Between a Client and Server with Terminal Services
• 823659 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
• Understanding and Using NTFS Permissions on Citrix and Terminal Servers - by Jeff Pitsch
• Understanding Terminal Server's Permissions Compatibility Options - by Jeff Pitsch
• CTX991230 - Terminal Server Desktop, Explorer.exe, Launches from a Published Application - applies to RDP connections as well

Windows 2008 specific

• WS2008: Network Level Authentication and Encryption
• Changes to Terminal Service Security Related Group Policy Settings in Windows Vista and Longhorn Server - by Brien M. Posey

Windows 2003 specific

• Download the Windows Server 2003 Terminal Server Security White Paper
• 298372 - Permissions Mode Behavior Under Terminal Services
• 837954 - Difference in the user right "Deny log on locally" between Windows 2000 and Windows 2003
• 278433 - Accessing Terminal Services Using New User Rights Options
• Locking Down Windows Server 2003 Terminal Server Sessions
• 324036 - HOW TO: Use Software Restriction Policies in Windows Server 2003
• Using Software Restriction Policies to Protect Against Unauthorized Software
• 895433 - How to configure a Windows Server 2003 terminal server to use TLS for server authentication - requires SP1
• 942841 - A Windows Server 2003-based computer cannot make an SSL connection or a TLS connection to the out-of-band interface on an Intel Active Management Technology (AMT)-enabled computer
• How to secure remote desktop connections using TLS/SSL based authentication - by Martin Kiaer
• 816521 - HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003
• 815141 - Internet Explorer Enhanced Security Configuration Changes the Browsing Experience
• How can I prevent my users from redirecting their local disk drives?

XP specific

• 944939 - The first logon to a Windows XP-based computer through terminal services is not denied even though the user is not a member of the Remote Desktop Users group

Windows 2000 specific

• 315055 - How To Use IPSec Policy to Secure Terminal Services Communications in Windows 2000
• Guide to Securing Microsoft Windows 2000 Terminal Services - PDF file, by NSA
• 320181 - HOW TO: Use the Application Security Tool to Restrict Access to Programs in Windows 2000 Terminal Services
• 257980 - Appsec Tool in the Windows 2000 Resource Kit Is Missing Critical Files
• 300958 - HOW TO: Monitor for Unauthorized User Access in Windows 2000
• 891076 - An event that is logged in the Security log does not in include the IP address or the computer name of the Terminal Services client - preSP5 hotfix

Citrix specific

• CTX105215 - MetaFrame Presentation Server Client for Win32 debugging functionality could be misused
• CTX108354 - Vulnerability in Program Neighborhood client could result in arbitrary code execution

3rd party security utilities

• PolicyMaker™ Application Security - a Group Policy extension that allows to attach permission levels to applications