Security

Security

This page is about securing a Terminal Server. For general security information (Security Bulletins, encryption, virus and spyware prevention, etc), choose the appropriate items in the menu on the left.

The basic steps to create a locked down Terminal Server:

• use NTFS and Registry permissions to keep users out of sensitive areas of the file system and the registry.
  A standard installation of Windows 2003 doesn't need any modification. On Windows 2000 Server, modify the NTFS permissions as follows:

     %SystemDrive%, %SystemRoot%, %ProgramFiles%
       and %SystemRoot%\system32 :      
    System - Full Control
    Administrators - Full Control
    Authenticated Users - Read & Execute
  

  Also make sure that users have only Read permissions on these keys:

    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  

• do not install Terminal Services (in Application Server mode - W2K) on a Domain Controller
• during the installation of Terminal Services, choose "Full Security" compatibility mode (on 2003) or "Permissions compatible with Windows 2000 Users" (on W2K)
• create a restrictive GPO (see KB 278295), using loopback processing (see KB 231287)
• grant users access to the Terminal Server by making them members of the Remote Desktop Users group (2003 only)
• choose the highest encryption level possible
• do not give users elevated user rights when an application doesn't work for normal users.
  Instead, download Process Monitor (former FileMon and Regmon combined). Run these programs as Administrator on the console of the Terminal Server (when no user is connected), start a TS session as a normal user and try to run the application. Process Monitor will show you all "access denied" errors that occur, so that you can give your users the necessary permissions on a file-to file or Registry subkey basis.
• do not assume that configuring an "Initial application" (rdp) or publishing an application (ica) prevents users from accessing the full desktop of the server (see CTX991230)
  
  If you need more granular control on an application basis, consider a 3rd party utility to enhance security.

More info + guidelines

• 278295 - How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session
• 243554 - Explanation of RDP-TCP Permissions in Windows 2000
• 231289 - Using Group Policy Objects to hide specified drives
• 816594 - HOW TO: Secure Communication Between a Client and Server with Terminal Services
• 823659 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
• Understanding and Using NTFS Permissions on Citrix and Terminal Servers - by Jeff Pitsch
• Understanding Terminal Server's Permissions Compatibility Options - by Jeff Pitsch
• CTX991230 - Terminal Server Desktop, Explorer.exe, Launches from a Published Application - applies to RDP connections as well

Windows 2008 specific

• WS2008: Network Level Authentication and Encryption
• Changes to Terminal Service Security Related Group Policy Settings in Windows Vista and Longhorn Server - by Brien M. Posey

Windows 2003 specific

• Download the Windows Server 2003 Terminal Server Security White Paper
• 298372 - Permissions Mode Behavior Under Terminal Services
• 837954 - Difference in the user right "Deny log on locally" between Windows 2000 and Windows 2003
• 278433 - Accessing Terminal Services Using New User Rights Options
• Locking Down Windows Server 2003 Terminal Server Sessions
• 324036 - HOW TO: Use Software Restriction Policies in Windows Server 2003
• Using Software Restriction Policies to Protect Against Unauthorized Software
• 895433 - How to configure a Windows Server 2003 terminal server to use TLS for server authentication - requires SP1
• 942841 - A Windows Server 2003-based computer cannot make an SSL connection or a TLS connection to the out-of-band interface on an Intel Active Management Technology (AMT)-enabled computer
• How to secure remote desktop connections using TLS/SSL based authentication - by Martin Kiaer
• 816521 - HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003
• 815141 - Internet Explorer Enhanced Security Configuration Changes the Browsing Experience
• How can I prevent my users from redirecting their local disk drives?

XP specific

• 944939 - The first logon to a Windows XP-based computer through terminal services is not denied even though the user is not a member of the Remote Desktop Users group

Windows 2000 specific

• 315055 - How To Use IPSec Policy to Secure Terminal Services Communications in Windows 2000
• Guide to Securing Microsoft Windows 2000 Terminal Services - PDF file, by NSA
• 320181 - HOW TO: Use the Application Security Tool to Restrict Access to Programs in Windows 2000 Terminal Services
• 257980 - Appsec Tool in the Windows 2000 Resource Kit Is Missing Critical Files
• 300958 - HOW TO: Monitor for Unauthorized User Access in Windows 2000
• 891076 - An event that is logged in the Security log does not in include the IP address or the computer name of the Terminal Services client - preSP5 hotfix

Citrix specific

• CTX105215 - MetaFrame Presentation Server Client for Win32 debugging functionality could be misused
• CTX108354 - Vulnerability in Program Neighborhood client could result in arbitrary code execution

3rd party security utilities

• PolicyMaker™ Application Security - a Group Policy extension that allows to attach permission levels to applications

Logon problems

Logon problems

For a user to log on to a Terminal Server, the following permissions and rights must be granted:

• 2003 only: Allow log on through Terminal Services
  This user right is by default granted to Administrators and members of the local Remote Desktop Users group on the server.
• W2K only: Log On Locally
  This user right can be granted in the security policy for the server, in Security Settings\Local Policies\User Rights Assignment\Log On Locally.
• Permission to use the rdp-tcp connection
  2003: The local Remote Desktop Users group has by default "User access" permission on the rdp-tcp connection.
  W2K: The local Users group has by default "User access" permission on the rdp-tcp connection.
• Allow logon to Terminal Server checkbox, in the properties of the user account in AD.
  By default, this checkbox is checked for all users.

So on a standard installation of a 2003 Terminal Server, you only have to add your users or user groups to the local Remote Desktop Users group on the Terminal Server.

If your TS is also a Domain Controller (not recommended!), then you must do the following:

1. add the users to the built-in domain local Remote Desktop Users group in AD
2. enable the following setting in the Default Domain Controller Policy:

   Computer Configuration - Windows Settings - Security Settings - Local Policies - User rights Assignment
   "Allow log on through Terminal Services"
   

   and add the Remote Desktop Users group to the list of allowed users
3. add the Remote Desktop Users group to the permission list of the rdp-tcp connection

Modifying the permissions on the rdp-tcp connection can be done in Terminal Services Configuration, or programmatically:

• 290720 - How to Add a User to Terminal Services RDP Permissions by Using WMI (2003)
• 259129 - How to modify or query the RDP connection permissions for Terminal Services (W2K)

Error messages - permission problems

Here are some common error messages which users get when they haven't been granted the correct permissions and user rights:

• "The local policy of this system does not permit you to logon interactively"
  2003: The user account is not a member of the local Remote Desktop Users group. See 289289
  SBS2003: The Remote Desktop Users group does not have the "Allow log on through Terminal Services" right - see 886620
  W2K: The user does not have the "Log On Locally" right in the servers security policy.
• "You do not have access to logon to this session"
  2003: The user account is not a member of the local Remote Desktop Users group.
  W2K: The user doesn't have the necessary permissions on the rdp-tcp connection. This happens when you remove the User group from the properties of RDP-tcp
• "Your interactive logon privilege has been disabled"
  The user does not have the "Allow Logon to terminal server" check box selected on the Terminal Services Profile tab of their account.
  2003: The user account is denied Read permissions to the Active Directory directory service. This right is by default denied to the Guest account. See 815266
• "The desktop you are trying to open is currently available only to administrators", followed by
  "You do not have access to logon to this session"
  2003 + Citrix PS3.0 only: Installing Citrix PS 3.0 on a Windows 2003 creates a new RDP-TCP listener. The default properties of this listener allow only the launching of published applications. See 931353 and CTX104106
• "To log on to this remote computer, you must have Terminal Server User Access permissions...."
  2003 + Citrix PS4.0 only: Installing Citrix PS 4.0 on a Windows 2003 creates a new RDP-TCP listener. The default properties of this listener allow only the launching of published applications. See CTX109925

Error messages - misc. problems

• "An error occurred in the licensing protocol"
  Vista: not enough permissions on the local registry to store the client license
  See 187614
• "The remote computer disconnected the session because of an error in licensing protocol"
  XP: Terminal Services service is not started; invalid stored license
  See 921045
• "Because of a security error, the client could not connect to the remote computer"
  W2K + 2003: corrupted certificate on the Terminal Server
  See 329896
• "Because of a security error, the client could not connect to the terminal server"
  W2K: invalid certificate on the Terminal Server
  XP: invalid stored license
  See 323597
• "The terminal server has ended the connection"
  W2K with SRP1: invalid certificate on the Terminal Server
  See 323497
• "The remote computer has ended the connection"
  XP with SP2: DFS client is disabled
  See 898713
• "No authority could be contacted for authentication"
  Vista client to Vista host in 2003 domain: Kerberos service account problem
  See 939820
• "The system could not log you on"
  RDP 6.0 client to XP SP2 host: smart card login problem
  See 939682
• "The remote session was disconnected because another user has connected to the session"
  2008: autologon enabled
  See 947714
• "Your system administrator does not allow the use of default credentials..."
  Vista RDP client with Single Sign-On enabled
  See Problems using default credentials with Vista RDP clients with Single Sign-on Enabled
• "Winlogon has encountered a problem and needs to close"
  2003: when many users connect at the same time
  See 953675

Misc. logon problems

• 922044 - A Windows Server 2003 Service Pack 1-based terminal server cannot accept new incoming Terminal Service connections
• 828664 - An access violation error occurs if your Terminal Services information is corrupted (W2K preSP5, XP preSP2, 2003 postSP1 hotfix)
• 258021 - Event ID 52 When You Start Terminal Services
• 328002 - You Cannot Connect to Terminal Services from a Web Page
• 270588 - Remote Desktop Protocol Clients Cannot Connect to Terminal Services Server
• 312030 - Cannot Connect to a Windows 2000-Based Computer with Terminal Services Installed and RDP Listener Is "Down"
• 290706 - Cannot Automatically Log on Remotely to Terminal Server with Long User Name or Password
• 329155 - "The Server May Be Too Busy" Error Message If Terminal Services Installed in Remote Administration Mode (SBS2000)
• 914048 - Event IDs 1000 and 1004 may be logged in the Application event log, and Windows Server 2003 Terminal Server client connections and logon tries may sometimes fail, when you try to connect to a remote computer
• 931353 - Error message when you use RDP to connect to a Windows Server 2003-based computer that is running Terminal Server and Citrix MetaFrame Presentation Server 3.0: "The desktop you are trying to open is currently available only to administrators"
• 939820 - Error message when you try to use Remote Desktop Connection to connect to another Windows Vista-based computer in Windows Vista: "No authority could be contacted for authentication"
• 939682 - Error message when you try to log on to a computer that is running Windows XP SP2 by using a Remote Desktop Protocol connection: "The system could not log you on"
• 947714 - You cannot create a remote desktop session as an administrator when Autologon is enabled in Windows Server 2008
• 951028 - You are prompted two times for credentials when you use the Remote Desktop Client to connect to a Windows 2000 Terminal Server from Window Vista or from Windows Server 2008

Citrix specific issues

• CTX109925 - Error: To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions..... (2003 + PS4)
• CTX104106 - Connection Error : The desktop you are trying to open is currently available only to administrators (2003 + PS3)
• CTX159159 - Troubleshooting and Explaining Session Sharing
• 894457 - You cannot connect to your previously disconnected session when you try to use a Citrix ICA client to connect to Citrix MetaFrame for Windows Server 2003 (postSP1 hotfix)
• CTX112347 - Users Cannot Connect to ICA Sessions after Installing Version 6.0 of the RDP Client
• CTX107051 - Unable to Connect with ICA After Installing Microsoft Rollup 1 for Windows 2000
• CTX543560 - Connecting to a MetaFrame XP Server Shows a Popup Window Indicating initializing. The Window Then Disappears. (Citrix MF XP + PS3)
• CTX108638 - Configuring Smart Access for Published Applications

Misc. issues

• 555061 - Unable To Reconnect To Terminal Server In Application Mode (Windows Mobile 2003 for Pocket PC)
• 242051 - RDP client can lose connection to Terminal Server if Terminal Server initiates a RAS session to a remote server
• 886212 - You are unexpectedly logged off when you try to connect to a computer that is running Windows Server 2003 or Windows XP
• 888820 - "The system cannot find the file specified" error message when you try to connect to a Terminal Server that is located on a Small Business Server 2000 domain
• 294761 - Logon Timer Error Is Received upon Connection to Terminal Server
• 830581 - How to limit the number of connections on a terminal server that runs Windows Server 2003
• 237282 - Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0

Connectivity

Connectivity

Windows 2008 specific info

One of the new features of Windows 2008 Terminal Services is the TS Gateway role service. It enables remote users to connect securely to the corporate servers from the Internet, without the need for a VPN. Read all about it here:

• Terminal Services Gateway
• WS2008: Terminal Services Gateway Overview
• Windows Server 2008 TS Gateway Server Step-by-Step Guide
• IT Showcase: Windows Terminal Services 2008 and TS Gateway
• 947716 - TS Gateway behavior for NPS policies in Windows Server 2008
• 951047 - When you try to use the Terminal Services resource authorization policy to connect to a Windows Server 2008-based computer, the connection may fail

General info, How-To's

• 186572 - Terminal Server Walkthrough: Startup, Connection, and Application
• 186566 - Connection Configuration in Terminal Server
• 885187 - Remote Desktop Protocol settings in Windows Server 2003 and in Windows XP
• 270897 - How Terminal Server Advanced Client connects to a Terminal Server computer
• 323258 - Description of the Automatic Reconnection Feature in Windows Server 2003 and Windows XP SP1
• Automatically Connecting the User to their Disconnected Session


• 314537 - HOW TO: Use a Handheld PC or a Pocket PC as a Mobile Terminal
• 187623 - How to Change Terminal Server's Listening Port
• 306759 - How to change the listening port for Remote Desktop
• 304304 - How to configure the Remote Desktop client to connect to a specific port when you use Windows XP
• 326945 - How to change the listening port in the Windows Terminal Server Web Client
• 275210 - How to Allow Access to Terminal Services on ISA from the External Interface
• 294720 - How to Server Publish a Terminal Server with ISA While also Running Terminal Services on the ISA Server

General network / connectivity issues

• 186645 - Troubleshooting RDP Client connection problems
• 187628 - Using Telnet to Test Port 3389 Functionality
• 314825 - How to Troubleshoot Black Hole Router Issues
• 925280 - Changes in PMTU black hole router detection in Windows Server 2003 and in Windows Vista
• 951037 - Information about the TCP Chimney Offload feature in Windows Server 2008
• 936594 - You may experience network-related problems after you install Windows Server 2003 SP2 or the Scalable Networking Pack
• How to make your intermittent or flaky terminal services connection a little more stable



• 274805 - Error message when you try to connect to a Windows server-based computer that is running Terminal Services: "Terminal Server has ended the connection"
• 931656 - FIX: You cannot use the Remote Desktop Connection feature or the Remote Desktop MMC to connect to a remote Windows Server 2003-based server (post SP2 hotfix)
• 282128 - VBScript Error Message Occurs When You Use Terminal Services Advanced Client
• 886209 - Users cannot connect to remote desktops by using the Windows Small Business Server 2003 Remote Web Workplace
• 928055 - After you apply a Windows XP service pack, the remote desktop session fails
• 901023 - A TCP/IP session that is inactive for more than one minute may be disconnected when you connect to a terminal server from a Windows Server 2003 SP1-based computer (with ISA 2000)
• 272142 - Users Are Automatically Logged Off When Attempting to Log on to Terminal Services
• 216783 - You cannot completely disconnect a Terminal Server connection
• 302904 - You May Be Unable to Connect to Terminal Services Computer When Its Language Is Different from the Client
• 840689 - You cannot log on to a domain controller from a Windows 2000 Terminal server in a WINS environment
• 951607 - You cannot connect to a remote computer or start a remote application when you use Terminal Services Web Access or Remote Web Workspace on a Windows XP SP3-based computer

Vista specific connectivity issues

• 947773 - A Windows Server 2003-based computer responds slowly to RDP connections or to SMB connections that are made from a Windows Vista-based computer
• 934430 - Network connectivity may fail when you try to use Windows Vista behind a firewall device
• Remote Desktop Freezes When Connecting Through Windows Vista
• 929709 - A Remote Desktop session disconnects even after you press a key when you receive the "Idle timer expired" message in Windows Vista

Citrix specific connectivity issues

• CTX104998 - Configuring Microsoft ISA Server to Allow Outbound ICA Connections
• 329700 - Event ID 1004 and "Network or Dialup Problems Are Preventing Communications with Citrix Server" Error Message When Clients Try to Connect to Terminal Server
• CTX952065 - Tips and Techniques for Using the ICA Async Transport to Connect to a Citrix Server
• CTX708444 - Configuring TCP KeepAlive Values to Improve WAN links and ICA KeepAlives to place ICA Session in a Disconnected State
• 922732 - Error message when an ASP program tries to connect to a Citrix MetaFrame installation: "An error occurred while attempting to connect to the MetaFrame servers" (W2K)
• CTX112347 - Users Cannot Connect to ICA Sessions after Installing Version 6.0 of the RDP Client

Thin Client Printing

Printing

Windows Server 2008 Terminal Services contains an exciting new feature: Terminal Services Easy Print, a driver-free solution to printer redirection!
Read WS2008: Terminal Services Printing.

But for a long time to come, there will be downlevel (Windows 2003 / 2000) Terminal Servers around, and thus the need to install a matching printer driver on the TS. If your Terminal Server is one of them, this information is for you.

One of the biggest challenges for Terminal Server Administrators is to provide remote users with the possibility to print to their local printers, whether these printers are attached to a local port on the client computer or shared on the local network.

If your client printers are not redirected in the TS sessions, check the EventLog on the Terminal Server for any printer-related events at the time the client connected to the TS.

1. no Events: redirection is not attempted at all
   Solution: check the configuration of printer redirection in the RDP client and on the Terminal Server, update the RDP client to the version that comes with Windows Server 2003 (located in C:\WINDOWS\system32\clients\tsclient\win32\msrdpcli.msi) or apply KB article 302361 to get support for redirection of non-standard local port names, including tcp/ip ports.
2. Event 1111, 1105 and 1106: redirection is attempted, but fails because the server doesn't have a driver for the printer.
   Solution: whatever you do, do not install a 3rd party printer driver on the Terminal Server, unless it is a Windows Hardware Quality Labs (WHQL) signed driver. Many non-WHQL drivers are not TS-compatible, and some are known to crash your printer spooler or the whole server. In stead, map the printer to a native driver by creating a custom ntprintsubs.inf file, as described in KB article 239088.

• If you have a problem with a crashing spooler service, you can use the Spooler Cleaner utility from the Windows 2003 Resource Kit (cleanspl.exe). It will delete all printer drivers, printers, ports, port monitors, print processors, and print job spool files from the server.
• If you are running at least Windows 2003 SP1 on your Terminal Server and your printers support PCL or PS natively, you can configure a Fallback Printer Driver.
• If you are supporting Macintosh clients, you must use a PostScript driver, unless all Mac clients run the Beta version of the Mac RDC version 2.0 client, which supports all printers
• If you are running an x64-based version of Windows Server 2003 on your Terminal Server, you must use 64-bit printer drivers, as explained in KB article 895612.
• If you manage more than a handful of servers and more than a dozen of printer models, it will be worth it to invest in a 3rd party printer management solution. If you need to support Host based printers using Lightweight Imaging Device Interface Language (LIDIL), you must use a 3rd party Universal Printer Driver.

Documentation and Best Practice Guides

• Brian Madden's Terminal Server Printing: Design and Configuration
• Citrix Printing: Brush up on the basic best practices - by Kevin Buchaniec
• Terminal Services and Printing White Paper (2003)
• How Microsoft's Windows 2003 SP1 Fallback Printer Driver Works - by Stefan Vermeulen
• The Hunt for the Bad Printer Driver - by Stefan Vermeulen
• 911913 - How to redirect the default printer of a Terminal Services client to a Windows Server 2003 Terminal Server session (applies to W2K as well)
• 331055 - Best Practices for Installing and Using Printer Drivers With Windows 2000 Terminal Services
• 895612 - How to find a compatible printer driver for a computer that is running a 64-bit version of Windows
• 135406 - Steps to Manually Remove and Reinstall a Printer Driver (W2K / XP)
• 286047 - How to Print to a Local Network Printer in Terminal Services (W2K)
• 305402 - HOW TO: Change Printing Preferences on Print Server for All Connected Users
• 189105 - How to add printers with no user interaction in Windows
• 291251 - Non-default printer properties are not reflected in a Terminal Services redirected printer
• 243942 - Terminal Services printer redirection not signaled on change to server-side Device Settings tab in Windows 2000 or Windows Server 2003

Autocreation problems

• Terminal Server and Printer Redirection - troubleshooting steps
• Printer Redirection EventIDs
• 239088 - Windows 2000 or Windows Server 2003 Terminal Services server logs events 1111, 1105, and 1106
• Download Microsofts Printer Driver Redirection Wizard
• Printer Driver Matrix - by PrintingSupport
• 276532 - Windows 2000 Terminal Server Reports Event ID 1103 in the System Event Log
• Event 1103 - An internal communication error occurred. Redirected printing will no longer function
• 302361 - Printers That Use Ports That Do Not Begin With COM, LPT, or USB Are Not Redirected in a Remote Desktop or Terminal Services Session
• 329756 - Remote Desktop Connection Software May Cause an Access Violation If FilterQueueType Is Set
• 929270 - You cannot set a redirected printer as the default printer in a Windows Server 2003-based terminal server session
• 933996 - A user who is logged on to a Windows Server 2003-based Terminal Server cannot configure a printer as the default printer

Misc. problems

Windows 2003

• 270005 - OEM Print Drivers Are Overwritten by Microsoft Drivers That Use Terminal Services Redirect Printing
• 888196 - The Print Spooler service stops frequently, Dr. Watson logs an error message, and Event ID 7031 is logged in Windows 2000 Server or Windows Server 2003 (with Citrix MF XP 1.0)
• 313733 - Spooled files may be printed in an incorrect Terminal Services session
• 317780 - Print Jobs That Are Sent to Terminal Services Redirected Printers May Print on Another Client's Printer
• 826026 - Documents from Terminal Server Users Who Map LPT1 to Different Printers Appear on the Same Printer
• 297883 - XL2000: You Can See Other Users' Printers in a Terminal Server Session
• 313683 - XL2002: Can See Other Users' Printers in Terminal Server Session
• 268065 - Terminal Services event messages 1100 or 1114 in Windows 2000 Server or Windows Server 2003
• 817870 - Error Event 1109 Appears in the Event Log When Terminal Services Clients Disconnect
• 909906 - A print job is deleted without being printed on a computer that is running Windows Server 2003 with Service Pack 1
• 301444 - An Error Message May Be Displayed When You Use Terminal Services and the Print to File Feature in Application Mode
• 279452 - Cannot Add Print Device Inside of a Terminal Services Session - AppleTalk or DLC-based network printer
• 870981 - Printer tray assignments on a print server may not transfer to the client computer when you install a network printer in Windows XP or Windows Server 2003
• 911713 - Event ID: 20 may be logged frequently on a Windows Server 2003-based computer when you print to a shared network printer
• 900090 - Print spooling operation in Windows Server 2003-based Terminal Services (TS) computer is slow when Remote Desktop Connection thin clients use printer redirection
• 911028 - When you use a 32-bit program to print a document from a 64-bit version of Microsoft Windows, you may receive a Stop error message, or objects on the page are omitted
• 840371 - High processor usage from the spooler occurs when a user logs off from a session on a terminal server that is running Windows Server 2003 or Windows 2000
• 947477 - The printer spooler may crash randomly on a Windows Server 2003-based computer that has an HP printer that is installed
• 951009 - An application may be unresponsive, documents may not print, and event IDs 6162 or 61 may be logged on a Windows Server 2003-based computer

Windows 2000

• 822143 - Printers Remain Installed on a Terminal Server After You Disconnect from the Terminal Server (W2K)
• 832219 - Users cannot print after you install a service pack, update rollup, or printer hotfix on a server in Windows 2000
• 918622 - You cannot print when you use Terminal Server after you apply Update Rollup 1 for Microsoft Windows 2000 Service Pack 4
• 843259 - A limited user can no longer print to a shared printer from a terminal server session after you restart the Spooler service in Windows 2000 - needs also 826026
• 831754 - You receive an error message when you try to print to a shared network printer in a terminal server session
• 908506 - You may be unable to print to a network printer after you install security update 896423 on a computer that is running Windows 2000 with Service Pack 4
• 822834 - Spooler Failure Causes High CPU Usage in the Winlogon.exe and Spoolsv.exe Processes on a Windows 2000 Terminal Server

Citrix specific issues

• CTX109374 - StressPrinters 1.2 for 32-bit and 64-bit Platforms - a tool to simulate multiple sessions autocreating printers using the same print driver
• CTX108004 - How to Give Access Permission to Administrators to Manage Autocreated Printers
• CTX884335 - How to Publish Print Manager on a Windows NT/2000/2003 Terminal Server
• CTX681954 - Troubleshooting Citrix ICA Printer Autocreation
• CTX107137 - Troubleshooting Printing Problems In Presentation Server 4.0
• Printing - TechNotes - a list of known Citrix PS 4.0 printing issues
• CTX104692 - Only Autocreate Client Default Printer... Option with Java Client 8.x and Later is Not Working
• CTX104375 - Default Printer is Not Mapped Properly Within an ICA Session
• CTX051476 - Troubleshooting the Deletion of AutoCreated Printers
• CTX105577 - Deletion of Print Drivers and Event Log Print Entries / Logging
• CTX626451 - Sample WTSUPRN.INF File for Use in Autocreation
• CTX107322 - Printers Supported by HP for use with Citrix Presentation Server 4.0 for Windows - including scanners and All-in-One printers

Need some printing tips? Get the best printer ink cartridges along with toner cartridges to make your pictures shine! Try out printer ink by Epson and see a difference! Get your Epson ink for less here!

3rd party printer driver information

• 952065 - You cannot install third-party printer drivers for cross-architecture support in Windows Vista or in Windows Server 2008
• bpl11245 - Print Jobs Hang in the Print Queue and Reprint When the PC Is Rebooted - HP LaserJet Series Printers
• HP Color LaserJet and LaserJet Printers - Print Driver Issues in Mixed Environments
• HP Color LaserJet, LaserJet, All-in-One, and Multi-Function Series Products - HP Printers Supported in Citrix MetaFrame Presentation and Terminal Server Environments
• HP Deskjet, HP Business Inkjet, and HP Color Inkjet Printers - Operating Systems and Printers Supported by Windows Terminal Server
• HP DeskJet 895, 970, 990, 5550, and 6120 Series Printers and W2K TS
• HP Designjet Printers - Windows Terminal Services Compatibility
• HP Universal Print Driver Series for Windows
• Lexmark Printers - Windows Server 2003 compatibility
• Brother MetaFrame Homepage
• 267896 - Adobe Acrobat .pdf Documents May Not Print Correctly in a Terminal Services Session
• Windows Print Migrator

3rd party printer management software and utilities

• Differences Between Several Universal Printer Solutions - by Wilco van Bragt
• ThinPrint's .print RDP Engine
• triCerat's ScrewDrivers
• Provision Networks' Print-IT
• INGENICA's UniPrint
• Net2Printer
• DEFSET - a freeware tool to set the default printer on a per user basis, by Ctrl-Alt-Del IT Consultancy

Licensing

Licensing

Contrary to the general believe, Terminal Services licensing isn't very difficult to implement.
If you have a licensing problem (verify this by checking the EventLog on your Terminal Server), following this checklist should solve most problems:

1. Do you have a Terminal Services Licensing Server installed and activated?
   Note that you always need an activated Licensing Server, even when your TS runs Windows 2000 and all of your clients run W2K Pro, XP Pro or Vista Business.
2. Can the Terminal Server located the Licensing Server?
   Again, the EventLog on the Terminal Server will tell you if you have a Licensing Server discovery problem. If that is the case, use KB article 279561 (for 2003) or 239107 (for W2K) to fix it.
   If you run 2003 SP1 or later, you can also set the preferred TS Licensing Server in Administrative Tools - Terminal Services Configuration - Server Settings, which will create the registry entry described in KB 279561. Or use a GPO setting to define the preferred licensing server, but be sure to apply the hotfix from KB 922508 (included in SP2) first.
3. Do you have enough available TS CALs on the LS for every client or user that needs one?
   Note that every client or user needs a purchased 2003 TS CAL when connecting to a 2003 TS.
4. 2003 only - If you installed Per User TS CALs, is the Terminal Server configured to use the Per User licensing mode?
   You can check this from Administrative Tools - Terminal Services Configuration - Server Settings - Licensing Mode
   If it's set to Per Device mode, it will request a Device TS CAL from the LS. And since the LS only has Per User TS CALs, it will issue temporary Per Device TS CALs, which will expire after 90 days.

   In Windows 2003, your Per User licenses are listed as "Not Applicable" (N/A) in the Licensing Manager. That's because Per User licenses are unmanaged in Server 2003, as documented in KB article 822134, and won't be issued at all. You will have to keep track of the total (not concurrent!) number of connecting users by hand.
   This is changed in Terminal Services Licensing for Windows Server 2008, which provides Per User TS CAL tracking and reporting.

If the above doesn't solve your problem, check the information below to find out more:

Windows Server 2008 specific

• Per-User Tracking and Reporting
• Improvements to the License Manager User Interface to easily spot configuration issues
• WMI Providers for administration
• Windows Server 2008 TS Licensing Step-by-Step Setup Guide

• Terminal Services Licensing Diagnosis Snap-in extension
• Licensing Diagnosis: Problems and Resolutions
• Terminal Services Per User Licensing Usage Tracking
• Generating Per Device license usage reports
• Manual Revocation of Client Access Licenses (CALs)
• Changes to Windows Server 2008 Terminal Server Licensing (Part 1) and (Part 2) - by Michael Burke

Windows Server 2003 specific

• 813052 - Maximizing the Windows Server 2003 Terminal Services Evaluation Period
• Checklist: Configure Terminal Server Licensing
• Windows Server 2003 Terminal Server Licensing



• Windows Server 2003 Terminal Server Licensing White paper - highly recommended reading, especially if you have a mixed 2003/W2K environment!
• Guidelines for Deploying Terminal Server
• 823313 - Windows Server 2003 Terminal Server licensing issues and requirements for deployment
• 822134 - The Function of Terminal Server CALs in Windows Server 2003
• 325869 - How to activate a License Server by using Terminal Server Licensing in Windows Server 2003
• 814593 - HOW TO: Deactivate or Reactivate a License Server Using Terminal Services Licensing
• 932453 - You receive an error message when you try to install Terminal Services Client Access License by using automatic activation after you configure Terminal Services on a Windows Server 2003-based computer
• 832917 - "A Product ID was not generated during installation" error message when you try to activate a Terminal Server license server
• 310122 - Terminal Services Licensing Service May Not Start and Event ID 43 May Be Logged



• 301932 - Terminal Services Licensing service discovery
• 279561 - How to Override the License Server Discovery Process in Windows Server 2003 Terminal Services
• 945631 - A Windows Server 2003-based terminal server cannot locate the Terminal Services license server



• Troubleshooting Licensing Error Messages
• Troubleshooting Terminal Server Licensing
• 917915 - A terminal server cannot obtain a license from a licensing server that is running Windows Server 2003
• 918658 - Some Windows Server 2003-based terminal servers cannot acquire a license when there is more than one License Server security group
• 926935 - A Terminal Services client may be unable to connect to a Terminal Services license server that is installed on a Windows Server 2003-based computer
• 927074 - An incorrect client name appears in the license server database when you connect the client to a Windows Server 2003-based terminal server
• 885013 - Event ID 1009 is logged on a Terminal Server License server in a Windows Server 2003-based domain
• 283760 - "No License Server" Error Message Appears When You Try to Connect to Terminal Server After Mode Change

Windows 2000 specific

• Windows 2000 Terminal Services Licensing
• 291807 - Terminal Services Licensing Server Required for Windows Server Terminal Services Clients
• 232520 - Description of Terminal Services License Server Discovery
• 304080 - Terminal Server is unable to locate a License Server
• 239107 - Establishing Preferred Windows 2000 Terminal Services License Server
• 281258 - Event 1010 Is Reported After Specifying Default License Server
• 306622 - HOW TO: Activate a License Server by Using Terminal Services Licensing in Windows 2000
• 306578 - HOW TO: Deactivate or Reactivate a License Server Using Terminal Services Licensing
• 237811 - How to Activate a Terminal Services License Server and Install CALs Over the Internet
• 823427 - Error while activating your terminal licensing server
• 276141 - Terminal Services Licensing Wizard May Not Work
• 277917 - Terminal Server Licensing Service Failure
• 274026 - Terminal Services Licensing Service does not start
• 312028 - Cannot Start the Terminal Server Licensing Service and Events 7024 and 37 Occur
• 887443 - Event 17 is recorded in the System log on a Windows 2000 Server-based computer that is running Terminal Services Licensing Server
• 262663 - Error Message: The Licensing Wizard Cannot Connect to the Selected License Server
• 280667 - You receive an error message when you try to open the Terminal Services Licensing snap-in in Windows 2000 Server
• 329888 - "Error Connecting to Terminal Server: " Error Message Occurs When You Try to Connect to a Terminal Server
• 323597 - Windows XP Clients Cannot Connect to a Windows 2000 Terminal Services Server
• 256854 - Terminal Services OEM License Server Activation Does Not Validate PIN or Recognize License Server ID
• 268519 - How to Activate License Server on OEM Versions of Windows 2000
• 258045 - Terminal Services Licensing Does Not Accept a Valid License Key Pack
• 825027 - Terminal Services Licensing Denies Your Connection to Your Terminal Server from Your WBT Device
• 827355 - Event ID 1004 is logged when a thin client tries to obtain a Terminal Services license



• 275052 - Terminal Services Licensing Technology for Application Service Providers
• 274441 - Not for Resale and Microsoft Developer Network Versions Report that Terminal Services Cannot Issue Licenses
• 288379 - Terminal Services Internet Connector License and ASPs

Common to 2003 and W2K

• 291795 - HOW TO: Locate a Phone Number for the Microsoft Clearinghouse
• Microsoft Licensing Sites Worldwide
• How do I move my TS licenses to a new TS Licensing Server?
• 317592 - HOW TO: Use the Terminal Services Licensing Reporter Tool (Lsreport.exe)
• 270898 - Permissions Required to Install a Terminal Services Enterprise License Server
• Manually Publishing and Un-publishing Terminal Server License Servers
• 895151 - Windows Server 2003-based or Windows 2000-based terminal servers do not automatically discover a license server that is designated as an enterprise license server
• 887444 - You cannot activate a Terminal Services license server in Windows 2000 Server or in Windows Server 2003
• 839878 - You cannot install the Terminal Services CAL pack on Windows Server 2003-based or Windows 2000 Server-based computers
• 313567 - Terminal Services License Database Size Increases
• 273566 - How to rebuild Windows 2000 and 2003 Terminal Services Licensing database
• 187614 - Removing Terminal Server Licenses from an RDP Client
• 315277 - "Event ID 1004" error message when you connect to Terminal Server
• 253292 - Windows Base Terminal Devices Take Multiple Terminal Services Client Access Licenses

Citrix specific

• CTX112636 - Application Streaming Licensing Explained (PS4.5)
• Citrix Access Suite Licensing Guide
• CTX106032 - How to Enable Report Logging with Access Suite Licensing 4.x
• CTX108654 - Licensing: Generating Usage Reports Using the License Management Console
• 329700 - Event ID 1004 and "Network or Dialup Problems Are Preventing Communications with Citrix Server" Error Message When Clients Try to Connect to Terminal Server (W2K + MF1.8)
• 329944 - Event Message 1004 Terminal Services Licensing When You Use the Citrix ICA Client
• CTX103626 - Clients or Servers Consume Multiple Licenses from the Citrix License Server
• CTX104605 - RDP Connections Will Consume a Connection License on MetaFrame Presentation Server
• CTX101845 - Terminal Server Client Access License (TSCAL) Issue with the Citrix ICA Client for Java

OS / Software licensing

• 948472 - How to extend the Windows Server 2008 evaluation period
• Windows Server 2008 Downgrade Rights
• Run the online Microsoft Product Licensing Advisor to find the right Volume Licensing program
• Volume Licensing - Volume Activation
• Licensing Overview for Windows Server 2003
• SBS 2003 Licensing: Frequently Asked Questions
• 327644 - How to configure licensing on an additional Windows server in an SBS network
• 153140 - How to reset License Manager information
• 10 Key Licensing, Pricing Changes For Vista, Office 2007
• 824196 - Description of the License Logging Service in Windows Server Operating Systems
• Office 2003 Licensing - Office as a client on Windows Terminal Services
• Download Licensing of Microsoft Desktop Application Software for Use with Windows Server Terminal Services
• Keeping compliant with software licensing through a batch file

Client Configuration

Client Configuration

• 925876 - Remote Desktop Connection (Terminal Services Client 6.0)
• Vista Remote Desktop Connection Authentication FAQ
• WS2008: Frontside Authentication and SSO
• 941641 - Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection
• Problems using saved credentials with Vista RDP clients and above
• Single credential prompt for TS Gateway Server and Terminal Server
• Bandwidth Allocation for Terminal Server connections over RDP (2008)

Keyboard

• 929709 - A Remote Desktop session disconnects even after you press a key when you receive the "Idle timer expired" message in Windows Vista
• 938080 - Some later keystrokes are interpreted as part of the previous keyboard shortcut in the Terminal Services session of a Remote Desktop window on a Windows Vista-based computer

Remote Desktop Connection 5.x

Configuration

• 885187 - Remote Desktop Protocol settings in Windows Server 2003 and in Windows XP
• Terminal Services Client Configuration through the .rdp File
• RDP Registry Settings
• 912178 - An unexpected program may start when you use the "Start a program" feature in Remote Desktop Connection

Keyboard and Mouse

• 186624 - Terminal Server Client Shortcut Key Combinations
• 290176 - The NUM LOCK Key Is Always Disabled When Terminal Services Is Installed
• 258070 - NUM LOCK Not Synchronized When Using ALT+TAB in Terminal Server Client (W95x clients)
• 237559 - Keyboard Stops Responding to Input During RDP Terminal Session
• 906693 - The default keyboard layout changes when you use Remote Desktop Connection to connect to a Windows XP-based computer
• CTX140219 - How to Enable or Disable Hotkeys within an ICA file (including Template.ica)
• 885350 - User connected to Terminal Services must press the SHIFT key two times to turn off Caps Lock
• 263749 - There are no extended characters when you use an MS-DOS-based program in a Terminal Services session
• 926934 - You cannot use a keyboard shortcut that uses the ALT GR key in a Terminal Services session that connects to a Windows Server 2003-based terminal server
• 918184 - The Windows Language bar closes unexpectedly when you start a Citrix Presentation Server-published application on a Windows Server 2003 SP1-based computer that runs Terminal Services
• 929274 - Keystroke repetition and keyboard scrolling do not work smoothly when you use a Remote Desktop connection to connect to a Windows Server 2003-based terminal server
• 933737 - When you log on to a Windows Server 2003 Service Pack 1-based terminal server from a client computer that is running a Japanese version of Windows XP, the keyboard layout on the terminal server differs from the IME keyboard layout on the client computer



• 830209 - Mouse pointer movement is not smooth if you use Microsoft Terminal Services Advanced Client 5.1 or later

Display

• 907478 - Description of a design change in Remote Desktop Protocol version 5.2 where the "Connection" bar is always displayed for the first five seconds of a user session in Windows XP
• 192523 - Print Screen Functionality on Terminal Server Client
• 942610 - The color depth is unexpectedly changed to 8-bit when a high screen-resolution setting is used in a terminal-server session that is connected to a Windows Server 2003-based computer
• 278502 - HOW TO: Connect to Terminal Services with Color Resolution That Is Greater Than 256 in Windows XP
• 273725 - Cannot Increase the Screen Resolution to Greater Than 256 Colors in Terminal Services (W2K)
• CTX074578 - Troubleshooting Various Scrolling Issues

Drive and Clipboard redirection

• CTX238200 - Troubleshooting Various Client Drive Mapping Issues
• Why does my shared clipboard not work? Part I and Part II - on the Terminal Services Team Blog
• 836420 - You can still redirect hard disks when the "Connect client drives at logon" setting is not selected on an RDP-TCP connection in Windows Server 2003
• 272519 - How to Redirect a Client Drive in Terminal Services
• 944341 - Incorrect client names may be displayed for redirected drives in Windows Server 2003 terminal server sessions if both Windows-based and Macintosh-based terminal server clients are used
• 321711 - HOW TO: Install and Use the Drive Share Utility in Windows 2000 Terminal Services
• 244732 - How to: Install the File Copy Tool Included with the Windows 2000 Resource Kit
• 309825 - How to: Securely Copy and Paste Files Between the Terminal Services Client and the Terminal Server in Windows 2000
• 306885 - Cannot paste information between local and remote computer during Remote Desktop connection
• 302443 - Clipboard Redirection May Not Work on Terminal Server
• 315870 - Current Client Mappings Are Lost After You Attach a File System Filter
• 940458 - Terminal Services session to a Windows Server 2003-based terminal server, the first drive letter of the client is not redirected to the Terminal Services session with smart card redirection

Port redirection

• 938645 - You cannot communicate with the local device by using a redirected COM port in a Windows Server 2003-based terminal-server session
• 907572 - A Windows XP-based client computer may leak memory when the Remote Desktop utility is configured to connect serial port devices to the host computer (XP preSP3 hotfix)
• CTX816193 - USB Support in MetaFrame Products

Audio redirection

Windows Server 2003 and 2008 support audio redirection from the server to the client. However, audio redirection is not bi-directional, so you can't speak into the microphone at the TS client and have that audio recorded on the server. You will need 3rd party software for bi-directional audio redirection, like Citrix Presentation Server.

• 307071 - You Do Not Hear Any Sound During a Terminal Server Session
• 293884 - Audio That Is Redirected When Using Terminal Services May Sound Garbled
• 818465 - HOW TO: Use Group Policy to Permit Users to Redirect and Play Audio in a Remote Desktop Session to Terminal Services in Windows Server 2003
• 897599 - The initial volume may be set to the maximum level when you use Windows CE Terminal Services Client to start an RDP session to a remote system

PDAs

• CTX821115 - How to Configure ActiveSync for PDA Synchronization
• Palm Pilot Hotsync Terminal Server Installation and Configuration Notes
• CTX103125 - How to get Palm's Hotsync Manager to Work with Published Applications
• USB-IT - from Provision Networks. Enables Terminal Server clients to seamlessly access their USB-based Palm, BlackBerry, and Pocket PC handhelds over RDP connections

Client modem

• 308405 - TAPI Is Not Terminal Services Aware

Macintosh RDC client 2.0 (beta)

• Features and feedback link
• Brian Madden's comments on the RDP 6 Mac beta client

Citrix client

• CTX107102 - ICA Program Neighborhood Client, ini file reference
• CTX331178 - Appsrv.ini Parameters Deciphered
• CTX145271 - PN.ini Parameters Deciphered
• Download a free Script to Manipulate APPSRV.INI - by Jason Conger
• CTX114265 - Client File Security is Disabled After Upgrading From Version 10 of the Presentation Server Client to Version 10.1
• How to Install the Citrix Client without Administrative Privileges - by Douglas A. Brown
• How to Configure the Citrix Program Neighborhood Agent - by Patrick Rouse
• How To Install And Configure the Citrix ICA Client for Linux - by Ruiguo Yang

Server configuration

Server configuration

Server-wide settings can be configured in several ways:

• with the Terminal Services Configuration tool on the server.
  If settings in tscc.msc are greyed out and you can't change them, it means that these settings are configured and enforced through a Group Policy.
• with Group Policy Objects (GPOs)
  This is the recommended method. Gives you centralized control and ensures that identical settings are configured on multiple servers.
• with the Terminal Services WMI provider.
  Be sure to read the TS Remote Configuration Primer Part 1 and Part II

Server-wide settings

Server 2008 specific

• Terminal Services Web Access
• Terminal Services RemoteApp™ Session Termination Logic
• Display data prioritization
• 947708 - A user's icon and name are not displayed on the logon screen in Windows Server 2008 after you add the Terminal Server server role
• How to enable Single Sign-On for my Terminal Server connections
• 953460 - The Terminal Services Configuration tool crashes when you use keyboard shortcuts to open the Properties dialog box on a Windows Server 2008-based computer

General settings

• Terminal Services Tools and Settings
• Configure Terminal Services Connections
• 243215 - Examining the Terminal Server Key in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
• 272464 - How Windows Terminal Server Uses Temporary Folders
• 186566 - Connection Configuration in Terminal Server
• 885187 - Remote Desktop Protocol settings in Windows Server 2003 and in Windows XP
• RDP Registry Settings

• 302883 - "Restrict Each User to One Session" Setting in Tscc.msc Does Not Work
• 260711 - How to Configure Automatic Logon to a Terminal Server
• 324807 - How To Use Group Policy to Configure Automatic Logon in Windows Server 2003 Terminal Services
• 290706 - Cannot Automatically Log on Remotely to Terminal Server with Long User Name or Password
• 195461 - How to Set Up a Logon Script Only for Terminal Server Users
• 924034 - How to prevent a computer from running a user logon script in Windows Server 2003
• 231289 - Using Group Policy Objects to hide specified drives

• 932039 - Two taskbars are displayed, or the Language bar is displayed two or more times on the taskbar, on a computer that is running Windows Server 2003 or Windows XP
• 257592 - Changes in File Types and File Association Features in Windows 2000 and Windows Server 2003
• 924852 - How the "Regional and Language Options" settings in Windows Server 2003 are applied
• 932659 - How to use the new language locales in Windows Server 2003 Service Pack 2 (SP2)
• Configuring Terminal Server for Differing Time Zones (2003)
• 924607 - The GetThreadLocale function returns an incorrect user locale for remote users of a terminal server that is running Windows 2000 Server
• 302090 - Cannot View Program with a Remote Desktop or Terminal Services Connection
• 302555 - ClearType Is Not Supported in a Remote Desktop Session
• 946633 - The "Font smoothing" feature has no effect in Windows Server 2003 terminal sessions
• 237551 - Advanced Power Management Features Are Disabled with Terminal Services
• Change the Logon Screen Wallpaper
• 270857 - How to Use a Modem with Terminal Services
• 928046 - A custom wave driver is unloaded when a remote client computer connects to a Windows Server 2003-based computer that is running a TAPI program

Citrix specific settings

• How to Configure the Citrix Program Neighborhood Agent - by Patrick Rouse
• CTX107102 - ICA Program Neighborhood Client, ini file reference
• CTX106625 - Updated Requirements for PDA Synchronization Support in Citrix Presentation Server 4.0 Advanced Edition
• CTX107574 - How to Confirm that UseClientIP Registry Works in a Session