Before I get started, I want to mention that this article is by no means a comprehensive guide to Terminal Service security. I could probably write a good-sized book on the subject, so there is no way that I can adequately cover the topic in a few pages. Instead, I’m going to give you some basic pointers for securing your Terminal Service environment.

Let’s start by talking about planning for Terminal Server deployment. I know that many organizations are strapped for cash, but rule number one is that a Terminal Server should never be assigned double duty. To put it simply, you should never run the Terminal Services alongside some other server application such as Exchange Server. Doing so can place a major strain on server resources such as the CPU and memory, and creates a huge security risk.

Probably the best example of a “double duty” configuration that presents a security risk is running the Terminal Services on a domain controller. Naturally there is the issue that if one of your users manages to exploit a weakness and gain access to the underlying operating system, they have gotten access to a domain controller, but the security risks are actually much worse than that. At least some versions of the Windows Terminal Services require users to have Log on Locally permissions in order to log in through a Terminal Service session. If the Terminal Services are running on a domain controller and this permission is applied, then users are granted Log on Locally permissions to all of the domain controllers in the domain. This means that if a user can gain physical access to a domain controller, they could just log in.

Another common mistake that administrators make during a Terminal Service deployment is using an inappropriate security model. As I’m sure you’re aware, each new version of Windows Server that comes out offers new security features, but maintains backward compatibility with previous versions of Windows Server. Often though, the only way to maintain this backward compatibility is to sacrifice some security features that the older operating system doesn’t support. This is exactly what happens when you deploy the Terminal Services.

When you install the Windows Server 2003 version of the Terminal Services, you are given the option of using “relaxed security” as a way of maintaining backward compatibility with older versions of Windows Server. The Windows 2000 version does something similar by offering you the choice of using either permissions compatible with Windows 2000 Server or permissions compatible with Terminal Server 4.0 Users.

To demonstrate how these permissions are a factor in network security, let’s pretend that you are running the Terminal Services on a Windows Server 2003 box, but you have some Windows 2000 Servers in your environment and you are running some older applications. You aren’t completely sure that Windows Server 2003’s security is completely compatible with your older servers and applications, so you go with the relaxed security model. A year later though, you have upgraded your remaining servers to Windows Server 2003 and brought all of your applications up to date. The problem is that your Terminal Server is still running in relaxed security mode.

This is where planning comes into the picture. Any time that you are running a mixed-mode environment, I recommend maintaining a list of things that should be done once all of the servers are brought up to date with the latest operating system. Resetting Terminal Service security should be an item on such a list.

Fortunately, when you choose to run the Terminal Services using a relaxed security model, you are not making a permanent commitment. Your server’s security mode can easily be changed by opening the Terminal Services Configuration console and selecting the Server Settings container, as shown in Figure A. You can then right-click on the Permission Compatibility option and select the Properties command from the shortcut menu.
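
A local check for the two planning mistakes the article describes (Terminal Services on a domain controller, and a server left in relaxed security mode), written as an added PowerShell example that is not part of the original article. The registry value names `TSAppCompat` and `TSUserEnabled` do not appear in the article; they are the values Windows 2000 and Windows Server 2003 use for the Terminal Services mode and the Permission Compatibility setting. The function name `Get-TerminalServerAudit` is hypothetical.

```powershell
# Added example, not from the article. Run locally in Windows PowerShell 2.0 or
# later with administrative rights on the server being checked.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-TerminalServerAudit {
    $findings = @()
    $ts = Get-ItemProperty -Path $tsKey -ErrorAction Stop

    # TSAppCompat: 1 = application server mode, 0 = remote administration only.
    $appMode = ($ts.TSAppCompat -eq 1)

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isDc = ($role -ge 4)

    if ($appMode -and $isDc) {
        $findings += 'Terminal Services (application mode) is running on a domain controller.'
    }

    # TSUserEnabled: 1 = relaxed security, 0 = full security.
    if ($null -eq $ts.TSUserEnabled) {
        $mode = 'Not set'
    } elseif ($ts.TSUserEnabled -eq 1) {
        $mode = 'Relaxed'
        $findings += 'Permission Compatibility is relaxed; reset it once legacy servers and applications are retired.'
    } else {
        $mode = 'Full'
    }

    # One object per server, so results from several machines can be collected
    # into the upgrade checklist the article recommends.
    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        ApplicationMode    = $appMode
        SecurityMode       = $mode
        Findings           = $findings
    }
}

Get-TerminalServerAudit | Format-List ComputerName, IsDomainController, ApplicationMode, SecurityMode, Findings
```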