2. Terminal Services Configuration
The Terminal Services Configuration applet provides a way to configure settings that are relevant to a specific server. When you open Terminal Services Configuration, you'll note that the tree in the left pane of the console has two nodes: Connections and Server Settings.
When you select Server Settings, you're provided with either six or seven options in the right pane, depending on whether your terminal server machine is a member of a cluster. These options, and their intended purpose, are described here:
Delete temporary folders on exit
If this option is set to Yes, any temporary folders created by Windows will be deleted. If the option is set to No, all temporary folders will remain. The default is Yes.
Use temporary folders per session
If this option is set to Yes, each session will have its own set of temporary folders for its exclusive use. If this option is set to No, all sessions will use one set of server-based temporary folders. The default is Yes.
Licensing
If this option is set to Per Device, Terminal Services CALs are given to each client computer that connects to the host. If this option is set to Per User, CALs are distributed to each user that connects to the host. The default is Per Device.
Active Desktop
If this option is set to Enable, users will be allowed to enable Active Desktop on their sessions. If this option is set to Disable, users will be prevented from enabling Active Desktop. The default is Disable.
Permission Compatibility
If this option is set to Full Security, users will not have full access to the Registry and to some parts of the filesystem through their applications, which might cause some older programs to fail. If this option is set to Relaxed Security, users will have access to these previously restricted areas, and older programs should still work. The default is Full Security.
Restrict Each User to One Session
If this option is set to Yes, no user can log on more than once to a particular Terminal Services host machine. If this option is set to No, a user can log on multiple times to the same server. The default is Yes.
The following subsections will take you through common administrative tasks using the Connections node inside Terminal Services Configuration.
2.1. Creating a new connection listener
Use the Terminal Services Configuration applet to create a new Terminal Services connection by following these steps:
1. Open the Terminal Services Configuration applet.
2. In the console tree, select Connections.
3. Pull down the Action menu and select Create New Connection.
4. The configuration wizard starts. Follow the prompts on the wizard to configure your connection.
Windows permits only one RDP-based connection per network card in the machine running Terminal Services. Usually, administrators find that the preconfigured connection created when Terminal Services is installed is really the only one they need. However, if you need more RDP connections, you'll need to install an additional network adapter for each connection needed.
2.2. Restricting Terminal Services connections
You can restrict the total number of RDP connections to any given server, which can be helpful if you have bandwidth problems on your network or your Terminal Services server machine has limited hardware resources.
To restrict the total number of RDP connections to a server through the Terminal Services Configuration applet, follow these steps:
1. Open the Terminal Services Configuration applet.
2. In the console tree, select Connections.
3. In the Details pane, select the applicable connection, right-click it, and choose Properties.
4. Move to the Network Adapter tab and click Maximum Connections.
5. Enter the maximum number of sessions you want to connect to this server.
To do so using GP, which overrides and takes precedence over the settings specified in Terminal Services Configuration, follow the steps described next.
1. Open the Group Policy Object Editor snap-in.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components in the tree in the left pane.
3. Select Terminal Services, and in the right pane, double-click the Limit Number of Connections setting.
4. Move to the TS Maximum Connections allowed box. In it, enter the maximum number of connections you want to allow, and then click OK.
You might want to restrict the number of Terminal Services sessions by server to improve performance and decrease load. This technique works especially well when you have a terminal server farm consisting of machines of various capabilities and configurations. You can adjust each server to the optimal number of connections to ensure a consistent response time across the farm for your users.
RDP connections, by default, are configured to allow an unlimited number of sessions on each server.
2.3. Encryption levels
Terminal Services supports multiple levels of encryption to secure communications between the client and the server. To change these levels through Terminal Services Configuration, follow these steps:
1. Open the Terminal Services Configuration applet.
2. Select Connections from the console tree.
3. Find the connection you want to modify in the righthand pane, right-click it, and select Properties.
4. Navigate to the General tab, and select the encryption level that best suits your needs. (I provide a description of the levels shortly.)
5. Check the Use standard Windows authentication checkbox if you want the connection to default to the standard authentication even if another authentication package exists.
You can also change the TS encryption level using Group Policy:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components → Terminal Services.
3. Select Encryption and Security.
4. In the righthand pane, double-click the Set Client Connection Encryption Level setting, and then click Enabled.
5. In the Encryption Level list, click the desired security level.
6. Click OK to finish the procedure.
Use the following guide to determine which security setting is best for your environment:
FIPS Compliant
Encrypts client-to-server and server-to-client communications strongly enough to be in accordance with the Federal Information Processing Standard (FIPS). This method uses Microsoft-developed cryptographic modules.
If you have already established FIPS encryption through a system cryptography policy object or through the Terminal Services Set Client Encryption Level option, you cannot change the encryption level through the Terminal Services Configuration applet or through a GPO.
High
Encrypts client-to-server and server-to-client communications using strong 128-bit encryption; useful only when the terminal server resides in an environment composed of 128-bit compliant clients only (i.e., one of the Windows Server 2003 operating systems). Other clients using non-compliant OSes will not be able to connect unless they download a separate Terminal Services client that supports high encryption from Microsoft's web site at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=33AD53D8-9ABC-4E15-A78F-EB2AABAD74B5&displaylang=en
Client Compatible
Encrypts client-to-server and server-to-client communications at the maximum possible level (key strength) supported on the client end. This option is best when the terminal server resides in a mixed client environment.
Low
Encrypts client-to-server communications only, using 56-bit encryption.
It's also important to note that the aforementioned GP procedure will work for local security policy configurations. However, if you have a domain environment and want to push this policy onto an existing domain or organizational unit, you need to connect to the domain controller using an account with administrator rights. Then you need to make the change through the Group Policy Management Console.
Also be aware that at the Low level, data sent from the server to the client (but not vice versa) is not encrypted.
2.4. Remote control permissions
You can adjust how administrators will be able to "shadow" a Terminal Services session. You can restrict a user to viewing a session only, or allow him or her to have full control of the keyboard and mouse. To adjust these settings through Terminal Services Configuration, follow these steps:
1. Open the Terminal Services Configuration applet.
2. In the console tree, click Connections.
3. Find the connection for which you want to configure remote control in the righthand pane. Right-click the connection and select Properties.
4. Navigate to the Remote Control tab.
5. Click Use Remote Control with the Following Settings to configure remote control for the connection. Or, to disallow remote control, click Do Not Allow Remote Control.
6. To display a message on the client, asking permission to view or take part in the session, check the Require user's permission checkbox.
7. Under Level of Control, click View the Session to specify that the user's session can be viewed only, or click Interact with the Session to specify that the user's session can be actively controlled with your keyboard and mouse.
8. Click OK to complete the procedure.
To do so using GP, follow these steps:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components.
3. Select Terminal Services.
4. In the righthand pane, double-click the Set Rules for Remote Control of Terminal Services User Sessions setting, and then click Enabled.
5. In the Options box, click the desired remote control permissions as described previously. Or, to disallow remote control, click No Remote Control Allowed.
6. Click OK to complete the procedure.
You should thoroughly test any changes you make to GP settings before applying them to users or computers. Use the RSoP tool to test new policy settings and confirm they will be applied as you intend.
The aforementioned GP procedure also will work for local system policies. If you're using an Active Directory-based domain, though, and you want to push this policy onto an existing domain or organizational unit, you need to connect to the domain controller using an account with administrator rights and then make the change through the Group Policy Management Console.
Policies in effect are applied to and therefore are in full force for every client that connects to the terminal server.
2.5. Connecting to drives and printers
Terminal Services enables you to preserve mapped drives, mapped printers, and associated settings between sessions so that users don't have to recreate them each time they log on. To adjust the settings for this feature through Terminal Services Configuration, follow these steps:
1. Open the Terminal Services Configuration applet.
2. In the console tree, click Connections.
3. Find the connection you want to configure in the righthand pane. Right-click the connection and select Properties.
4. Navigate to the Client Settings tab.
5. In the Connections section, uncheck the Use connection settings from user settings checkbox. (This will ensure that any changes you make in this procedure will apply globally to all connections.)
6. Select one of the following options:
Connect client drives at logon
Reconnects to all mapped client drives during the logon process.
Connect client printers at logon
Reconnects to all mapped local client printers during the logon process.
Default to main client printer
Prints to the default printer of the client. If one doesn't exist, the session reverts to the default printer of the server.
To do so through GP, follow these steps:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components → Terminal Services.
3. Select Client/Server Data Redirections.
4. In the righthand pane, select the specific options you want to configure (as described previously) and select Enabled/Disabled as appropriate.
5. Click OK to complete the procedure.
These settings affect all clients that use the connection to log on to a terminal server. If you want to define settings on a per-user basis, use Terminal Services Group Policies or the Terminal Services Extension to Local Users and Groups.
Again, you can use these settings when configuring local security policy, but if you want to push them out throughout a domain, you need to change your domain's security policy through the Group Policy Management Console.
2.6. Session device mapping
One of the neat features of RDP is the ability to redirect local drives and local printers to your remote session so that through the remote computer's user interface you can still access the drives and printers on your personal machine. This is great when using hosted applications because Save As... and Open... dialog boxes work the same way as users expect.
To adjust the settings for this feature through Terminal Services Configuration, follow these steps:
1. Open the Terminal Services Configuration applet.
2. In the console tree, click Connections.
3. Find the connection you want to configure in the right-hand pane. Right-click the connection and select Properties.
4. Navigate to the Client Settings tab.
5. Select one of the following options and enable or disable it as appropriate:
Drive mapping (enabled by default)
Windows printer mapping (enabled by default)
LPT port mapping (enabled by default)
COM port mapping (enabled by default)
Clipboard mapping (enabled by default)
Audio mapping (disabled by default)
To do so through GP, follow these steps:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components → Terminal Services.
3. Select Client/Server Data Redirections.
4. In the righthand pane, select the specific options you want to configure (as described previously) and select Enabled/Disabled as appropriate.
5. Click OK to complete the procedure.
As before, you can use these settings when configuring local security policy. However, if you want to push them out throughout a domain, you need to modify your domain's security policy through the Group Policy Management Console.
2.7. Default Terminal Services permissions
You might want to give permission for specific users and groups to use Terminal Services.
You can accomplish this using the Terminal Services Configuration applet. The procedure is much like granting and revoking permissions on files and folders. To do so, follow these steps:
1. Open the Terminal Services Configuration applet.
2. In the console tree, click Connections.
3. Find the connection you want to configure in the right-hand pane. Right-click the connection and select Properties.
4. Move to the Permissions tab and click Add.
5. The Select Users or Groups dialog box appears. Click Locations... to identify places to search, and click Object Types... to specify the types of objects you want to search for.
6. Click the Check Names button.
7. When the name is located, click OK. The name now appears in the Group or User Names list on the Permissions tab.
If you want to change the default permissions applied to users and groups that can access Terminal Services, follow these steps to use the Terminal Services Configuration applet to modify the default Terminal Services permissions assigned to users:
1. Open the Terminal Services Configuration applet.
2. In the console tree, click Connections.
3. Find the connection you want to configure in the right-hand pane. Right-click the connection and select Properties.
4. Move to the Permissions tab and click the Advanced... button.
5. The Advanced Security Settings dialog box appears. In Permission Entries, select the user or group for which you want to change permissions. Click Edit... to open the Permission Entry dialog box.
6. Select or clear as appropriate the Allow/Deny boxes to grant or revoke privileges to the users you have selected.
Follow this procedure to remove a group from the list of users authorized to access Terminal Services:
1. Open the Terminal Services Configuration applet.
2. In the console tree, click Connections.
3. Find the connection you want to configure in the right-hand pane. Right-click the connection and select Properties.
4. Move to the Permissions tab. In Group or User Names, select the user whose privileges you want to revoke and click Remove.
To change permissions and revoke permissions for specific users, you absolutely must use the Remote Desktop Users group, which is built-in and configured during the operating system installation, to manage remote access to Terminal Services and Windows' Remote Desktop for Administration features.
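As an added example that is not part of the book, the following PowerShell script lists the accounts on an RDP listener's permission list (the same list the Permissions tab edits) with their rights decoded, so that entries beyond the built-in principals the text expects stand out for review. It uses the Terminal Services WMI provider's Win32_TSAccount class; the bit values and account-name format are assumed to match that class's documentation, and $Expected is an assumed list of the default principals.

```powershell
# Added example, not from the book: decode the RDP listener's permission list
# (section 2.7) via Win32_TSAccount and flag entries that deserve a second look.
# Bit values and the 'DOMAIN\Name' AccountName format are as documented for the
# class (confirm on your build); $Expected is an assumed list of the default
# principals; 'RDP-Tcp' is the default listener name.
param([string]$Listener = 'RDP-Tcp')

$Rights = @{ 0x001 = 'Query'; 0x002 = 'Set'; 0x004 = 'Reset'; 0x008 = 'Virtual Channels'
             0x010 = 'Remote Control'; 0x020 = 'Logon'; 0x040 = 'Logoff'; 0x080 = 'Message'
             0x100 = 'Connect'; 0x200 = 'Disconnect' }
$Expected = @('BUILTIN\Administrators', 'BUILTIN\Remote Desktop Users', 'NT AUTHORITY\SYSTEM',
              'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

# Turn a PermissionsAllowed/PermissionsDenied mask into the names of the bits set in it.
function ConvertTo-RightNames([int]$Mask) {
    $names = @()
    foreach ($bit in ($Rights.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $names += $Rights[$bit] }
    }
    return $names
}

# An entry deserves review when the principal is not one of the defaults, or when
# remote-control (shadow) rights are held by anyone other than Administrators.
function Get-ReviewNote([string]$Account, [string[]]$Allowed) {
    if ($Expected -notcontains $Account) { return 'REVIEW: not a default principal' }
    if (($Allowed -contains 'Remote Control') -and ($Account -ne 'BUILTIN\Administrators')) {
        return 'REVIEW: remote control granted'
    }
    return ''
}

$accounts = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount -Filter "TerminalName='$Listener'"
foreach ($a in $accounts) {
    $allowed = ConvertTo-RightNames $a.PermissionsAllowed
    $denied  = ConvertTo-RightNames $a.PermissionsDenied
    '{0,-32} allow: {1}' -f $a.AccountName, ($allowed -join ', ')
    if ($denied) { '{0,-32} deny:  {1}' -f '', ($denied -join ', ') }
    $note = Get-ReviewNote $a.AccountName $allowed
    if ($note) { '{0,-32} {1}' -f '', $note }
}
```

Run it on the terminal server itself with an administrative account; the Remove step on the Permissions tab is the way to act on anything it flags.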
2.8. Ensuring RPC-based security
If you want to secure Terminal Services-based RPC traffic to and from the server, use Group Policies to accomplish this. Simply follow these steps:
1. Open the Group Policy applet.
2. Navigate through Computer Configuration → Administrative Templates → Windows Components → Terminal Services → Encryption → RPC Security Policy in the left pane.
3. In the righthand pane, double-click the Secure Server (Require Security) setting.
4. Click Enabled, and then click OK to finish.
You use the RPC interface to manage and configure Terminal Services. By setting the Secure Server (Require Security) option to Enabled, only RPC clients that support secure transactions are allowed to communicate with the server. If the setting is disabled, the terminal servers will always request a secure channel, but will allow connections that are unsecured if the client doesn't support secure transactions. The default status for this setting is not configured, which allows for unsecured transactions.
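As an added example that is not part of the book, the following PowerShell script reports the effective value of the listener settings covered in sections 2.2 through 2.6 and 2.8, applying the precedence the text describes: a value set through Group Policy overrides the one set in Terminal Services Configuration. It assumes the registry paths and value names of the Windows Server 2003 RDP listener and its policy key, and 'RDP-Tcp' as the listener name.

```powershell
# Added example, not from the book: report the effective RDP listener settings
# covered in sections 2.2 through 2.6 and 2.8. A value under the Terminal
# Services policy key overrides the same value on the listener, which is the
# precedence the text describes for Group Policy over TS Configuration.
# Registry paths and value names are assumed to be those of the Windows Server
# 2003 RDP listener and its policy key (confirm on your build); 'RDP-Tcp' is
# the default listener name.
param([string]$Listener = 'RDP-Tcp')

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Listener"

# Read one REG_DWORD; $null means the value is absent from that key.
function Get-RegDword([string]$Key, [string]$Name) {
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Policy wins when set; otherwise the listener's own value applies.
function Get-EffectiveSetting([string]$Name) {
    $v = Get-RegDword $PolicyKey $Name
    if ($v -ne $null) { return @{ Value = $v; Source = 'Group Policy' } }
    $v = Get-RegDword $ListenerKey $Name
    if ($v -ne $null) { return @{ Value = $v; Source = 'TS Configuration' } }
    return @{ Value = $null; Source = 'Not configured' }
}

$Encryption = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$Shadow     = @{ 0 = 'Disabled'; 1 = 'Interact, ask permission'; 2 = 'Interact, no permission'
                 3 = 'View, ask permission'; 4 = 'View, no permission' }
$Unlimited  = @(-1, 4294967295)   # REG_DWORD 0xFFFFFFFF, as PowerShell may read it
$OnOff      = { if ($args[0]) { 'Disabled' } else { 'Enabled' } }

# Display name, registry value, decoder, and the condition that flags a setting for review.
$Checks = @(
    @{ N = 'Encryption level (2.3)';  V = 'MinEncryptionLevel'; D = { $Encryption[[int]$args[0]] }; W = { $args[0] -lt 3 } },
    @{ N = 'Max connections (2.2)';   V = 'MaxInstanceCount';   D = { if ($Unlimited -contains $args[0]) { 'Unlimited' } else { $args[0] } }; W = { $Unlimited -contains $args[0] } },
    @{ N = 'Remote control (2.4)';    V = 'Shadow';             D = { $Shadow[[int]$args[0]] }; W = { $args[0] -eq 2 -or $args[0] -eq 4 } },
    @{ N = 'Drive mapping (2.6)';     V = 'fDisableCdm';        D = $OnOff; W = { -not $args[0] } },
    @{ N = 'Clipboard mapping (2.6)'; V = 'fDisableClip';       D = $OnOff; W = { -not $args[0] } },
    @{ N = 'Secure RPC (2.8)';        V = 'fEncryptRPCTraffic'; D = { if ($args[0]) { 'Required' } else { 'Not required' } }; W = { -not $args[0] } }
)

foreach ($c in $Checks) {
    $s = Get-EffectiveSetting $c.V
    # An absent value is treated as 0: for the mapping and RPC rows that means the restriction is not applied.
    $v = if ($s.Value -eq $null) { 0 } else { $s.Value }
    $text = & $c.D $v
    if (-not $text) { $text = "unknown ($v)" }
    $state = if (& $c.W $v) { 'REVIEW' } else { 'ok' }
    '{0,-24} {1,-26} {2,-17} {3}' -f $c.N, $text, $s.Source, $state
}
```

The Source column tells you which of the two procedures in each section actually governs the setting on this server, which is what to check before concluding that a change made in Terminal Services Configuration "did not take".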