In Part 1 of this article, I pointed out the benefits of using Windows 2000 Server Terminal Services to administer remote servers—even over the Internet—and I showed you how to set up Terminal Services for remote administration. Here, in Part 2, I’ll discuss some of the other features available in the Microsoft Management Console (MMC) Terminal Services Configuration snap-in and how to use these features to secure your server.
Terminal Services provides configuration options at the server, connection, and user level. You can view server-level options by opening the MMC Terminal Services Configuration snap-in and selecting the Server Settings folder. Although the server-level and user-level settings are not relevant to security when you run Terminal Services in remote administration mode, several connection-level settings are important to security whenever you run Terminal Services.
When you install Terminal Services, Win2K creates a connection object. This connection object represents different combinations of network adapters, connection types, and transport protocols that you use to enable clients to connect to Terminal Services. One such connection object is RDP-Tcp. Double-click the connection object, and you'll notice that on the General tab you can connect clients to the server using RDP instead of TCP/IP, as Figure 1 shows.
The first important security setting is the encryption level you select for the RDP-Tcp connection. Terminal Services uses the RSA RC4 encryption algorithm to encrypt data you send over the network. The type of data that you send over the network between a Terminal Services client and Terminal Services server is different from the data you send between a standard workstation and file server or application server. For instance, with a conventional client/server configuration, when you execute Microsoft Word on your workstation and open a document on your file server, the server sends the contents of the entire file to your client over the network. When you run MS Word in a Terminal Services session and open a document stored on the Terminal Services server, the server sends only the first screen of the MS Word document to your client over the network. As you scroll through the document, the server sends screen updates to the client. Whenever you edit the document, the client sends your keystrokes and mouse movements to the server. Terminal Services uses RDP for all this data. Theoretically, if you scroll through the entire document, a malicious intruder on your network can capture each RDP packet and reconstruct the contents of your file. (However, capturing these packets would be much more difficult than in the conventional file server scenario I just described.) It's important, therefore, that you select one of three encryption levels (Low, Medium, or High) from the General properties tab shown in Figure 1.
Low encryption specifies that only data you send from the client to the server should be encrypted. This one-way encryption protects the passwords that users enter to access the Terminal Services server. Remember: when you use Terminal Services, the client sends each keystroke to the server. Therefore, when you open a Terminal Services session and log on, someone else on the network can easily capture those packets and steal your password if you don't encrypt the data you send from the client to the server. If you select Medium encryption, Terminal Services encrypts the data sent in both directions. If your client is a Win2K computer, Terminal Services uses a 56-bit key for Low and Medium encryption. If you connect with any other client, Terminal Services uses a shorter 40-bit key. If you select High encryption, Terminal Services encrypts data sent in both directions—like Medium, except that High encryption uses a much stronger 128-bit key. (High encryption is available only in the US and Canada.) If you use Terminal Services over an untrusted network such as the Internet, I recommend you use Medium or High encryption. When you administer servers, you expose a large amount of sensitive information (e.g., user accounts, groups, configuration settings), which is valuable to a network intruder. If you use Medium or High encryption, you ensure that someone else won't view the information-filled screens you view during your administrative activities. The other security setting under the General tab, Use standard Windows authentication, isn’t relevant unless you’ve installed a third-party authentication package on your server.
For the next security setting, click the Logon Settings tab. This tab is where you can control whether users who connect to the Terminal Services server need to explicitly log on. If you select Always use the following logon information, as Figure 2 shows, you can specify that as soon as a user opens a session on this server, the server will automatically log on this user using the user name, domain, and password you specify under the Logon Settings tab. If these credentials fail to successfully log on the user, Terminal Services presents the standard logon dialog box and lets the user enter different credentials. This option is convenient for those times when users access an application that requires its own logon. In those cases, you might decide to have all users log on with one generic Win2K user account. You can then rely on the application to authenticate the user. Of course, this setting isn't appropriate for remote administration. Instead, I recommend that you select Use client-provided logon information, where Terminal Services presents the standard logon dialog box and requires that the user specify logon credentials. Back at their own workstations, users can use the Client Connection Manager to create shortcuts that remember the server, username, and password.
You can use these shortcuts to open a session quickly and automatically log on to a Terminal Services server. However, I don’t recommend storing passwords in shortcuts. If intruders access your workstation or profile, they can easily steal the passwords. If you select Use client-provided logon information but you don’t want to let users log on with a password stored in a shortcut, you can check the Always prompt for a password check box. Alternatively, if you select Always use the following logon information and check Always prompt for a password, Terminal Services displays the logon dialog box with a default username and domain filled, waiting for the user to enter the password. In this case, the dialog box lets the user change his or her username and domain. Next time, I’ll continue this discussion of Terminal Services’ security features, and I'll show you some ways you can benefit from managing services remotely while still keeping your systems secure.
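As an added example (not from the original article), the following PowerShell script audits the two connection-level settings discussed above, the General tab's encryption level and the Logon Settings tab's auto-logon and Always prompt for password options, by reading the registry values behind the RDP-Tcp connection object. It assumes the registry layout under the Terminal Server\WinStations\RDP-Tcp key (MinEncryptionLevel, fInheritAutoLogon, fPromptForPassword, UserName, Domain, Password) and that it is run with administrative rights on the server being checked.

```powershell
# Added example: audit the RDP-Tcp connection's security settings from the
# registry values that the Terminal Services Configuration snap-in writes.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# MinEncryptionLevel as stored by the General tab. Win2K labels level 2
# "Medium"; later Windows versions call the same level "Client Compatible".
$encryptionNames = @{ 1 = 'Low'; 2 = 'Medium (Client Compatible)'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpTcpSecurityFindings {
    param([string]$Key = $rdpKey)
    $p = Get-ItemProperty -Path $Key
    $findings = @()

    # Low encryption protects only client-to-server traffic (keystrokes and the
    # logon password); the screen updates sent back to the administrator are
    # not encrypted, so anything below Medium is flagged.
    $level = [int]$p.MinEncryptionLevel
    $name = if ($encryptionNames.ContainsKey($level)) { $encryptionNames[$level] } else { "Unknown ($level)" }
    if ($level -lt 2) {
        $findings += "Encryption level is $name; server-to-client data is sent in the clear. Use Medium or High."
    }

    # fInheritAutoLogon = 1 is "Use client-provided logon information";
    # 0 is "Always use the following logon information" (a shared account),
    # which the article says is inappropriate for remote administration.
    $autoLogon = ($p.PSObject.Properties['fInheritAutoLogon'] -and [int]$p.fInheritAutoLogon -eq 0)
    if ($autoLogon) {
        $findings += "Connection auto-logs on as '$($p.Domain)\$($p.UserName)'; unsuitable for remote administration."
        if ($p.Password) { $findings += 'A password is stored in the connection object.' }
    }

    # fPromptForPassword = 1 is the "Always prompt for password" check box,
    # which stops passwords saved in Client Connection Manager shortcuts
    # from logging on silently.
    $prompt = ([int]$p.fPromptForPassword -eq 1)
    if (-not $prompt) {
        $findings += 'Always prompt for password is off; a password saved in a shortcut logs on without a prompt.'
    }

    [pscustomobject]@{
        EncryptionLevel   = $name
        AutoLogon         = $autoLogon
        PromptForPassword = $prompt
        Findings          = $findings
    }
}

Get-RdpTcpSecurityFindings | Format-List
```

To check several servers at once, run the function through Invoke-Command against each host rather than opening the snap-in on each one.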