Windows 2000 Server Terminal Services provides new possibilities for remote administration and user support, but also presents significant security risks. Offering the best of two worlds, Terminal Services gives you the graphical, interactive environment of PCs with the manageability and simplicity of a mainframe. When you install Terminal Services on a Windows 2000 system, users at other Win2K systems and at Windows NT, Windows 95, or even Windows 3.11 workstations can use the Terminal Services Client to connect to the Win2K system and open a remote desktop session. In the Terminal Services Client window, users see another desktop, which is actually executing on the remote Win2K system. Any applications that users run within that second desktop window are actually executing on the remote terminal server.
Because most Microsoft Management Consoles (MMCs) support remote functionality, you can already complete most administration tasks without being present at the actual server. Although Control Panel and Local Security Policy tasks work better if you are at the server's console, with Terminal Services you can fully administer a server thousands of miles away. You can even use Terminal Services from your Internet connection at home to handle those weekend server problems that occur at the office. Let's look at the steps involved in setting up Terminal Services for remote administration.
The first step in setting up remote administration is to install Terminal Services. In Control Panel, open Add/Remove Programs. Click Add/Remove Components, and scroll down the component list to Terminal Services. Select the check box next to Terminal Services, and click Next. Win2K asks which mode you want to use to enable Terminal Services. Select Remote Administration, and click OK. After you complete installation, Win2K prompts you to reboot. After the server reboots, it's ready for remote administration client connections, which you can verify by opening the MMC Terminal Services Configuration snap-in. (Administrators use this MMC snap-in to configure Terminal Services, including security options.) Next, open the MMC Terminal Services Manager snap-in. The MMC Terminal Services Manager snap-in lets you monitor and control client sessions. Currently, you don’t have any remote clients connected. The only session is the local console session where the administrator is logged on at the server’s local keyboard and screen.
The next step is to install the Terminal Services Client on another system, for which you'll need two floppy disks. Create the client installation disks first. At the server where you just installed Terminal Services, open Terminal Services Client Creator in Administrative Tools. To create client installation disks for another Win2K system or NT or Win9x, select Terminal Services for 32-bit x86 windows. To format the floppy disks automatically, select the Format disks check box and click OK. (Win2K will prompt you to insert each disk.)
After you create the installation floppy disks, insert the first floppy disk into another system and run setup.exe from the disk. The installation program will prompt you for the second floppy disk, the program location, and whether you want to install the client for all users of this computer or just the current user. When you've completed the installation, open Terminal Services Client in the Programs folder of your Start menu. As Figure 1 shows, you are now ready to use the Terminal Services Client to open a remote desktop session. You can select which Terminal Services server you want to connect to and also the screen resolution. Select a screen resolution at least one step down from your current resolution so that you can display the entire desktop at one time. Remember that the remote desktop session displays in another window on your local desktop.
Click Connect, and Terminal Services Client displays a window for your remote desktop session, as Figure 2 shows. As you can see in the screen shot, you must first log on as if you are at the local server console. After you log on with an administrative account, you can fully administer the system, including using such programs as Control Panel (as Figure 3 shows) and Local Security Policy. To access the task bar and the Start menu on the remote desktop session, just move the cursor over the bottom of the session window, and the task bar pops up.
(You might notice that, depending on system performance at the server and the network traffic, your screen updates and mouse movements can be a little jerky.)
Typically, you press Ctrl+Alt+Del to access the Windows Security window, which lets you change your password, lock the workstation, log off, shut down, or open the Task Manager. However, pressing Ctrl+Alt+Del while you work in a remote session still opens the Windows Security window of your local desktop session. To access the Windows Security window for your remote desktop session, open the Start menu on your remote desktop window and select Windows Security. Now, go back to the Terminal Services Manager MMC snap-in, and click View\Refresh. Figure 4 shows the new remote session connection using RDP over TCP. The Information tab provides important information such as the workstation name, IP address, and client username. The Processes tab shows all processes currently running in that session. As administrator, you can selectively end a process.
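The session list that Terminal Services Manager displays is also available as text from the `query session` command on a terminal server, which makes it possible to review remote sessions from a script. The following is an added example, not part of the original article: it parses a constructed sample of that output and flags remote sessions that deserve a look. The sample rows, the user names, and the `ALLOWED_ADMINS` allowlist are assumptions made for illustration.

```python
import re

# Constructed sample in the layout `query session` prints on a terminal server;
# the user names are made up for this example.
SAMPLE = """\
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>console           Administrator             0  Active  wdcon
 rdp-tcp                                 65536  Listen  rdpwd
 rdp-tcp#1         jsmith                    1  Active  rdpwd
                   backupsvc                 2  Disc    rdpwd
"""

# Hypothetical allowlist: accounts expected to administer this server remotely.
ALLOWED_ADMINS = {"administrator", "jsmith"}

# Optional user name, then numeric session ID, state, and optional type.
ROW = re.compile(r"^(?:(?P<user>\S+)\s+)?(?P<id>\d+)\s+(?P<state>\S+)(?:\s+(?P<type>\S+))?")

def parse_sessions(text):
    """Turn `query session` output into dicts, using the header for the column offset."""
    lines = [l for l in text.splitlines() if l.strip()]
    user_col = lines[0].index("USERNAME")
    sessions = []
    for line in lines[1:]:
        name = line[1:user_col].strip()      # column 0 holds the '>' current-session marker
        m = ROW.match(line[user_col:].lstrip())
        if not m:
            continue                         # skip anything that is not a session row
        sessions.append({"name": name, "user": m["user"] or "", "id": int(m["id"]),
                         "state": m["state"], "type": m["type"] or ""})
    return sessions

def audit(sessions, allowed=ALLOWED_ADMINS):
    """Return (id, user, reason) tuples for remote sessions that deserve a look."""
    findings = []
    for s in sessions:
        if s["name"] == "console" or not s["user"]:
            continue                         # local console, or the RDP listener row
        if s["user"].lower() not in allowed:
            findings.append((s["id"], s["user"], "account not on the remote-admin allowlist"))
        elif s["state"] == "Disc":
            findings.append((s["id"], s["user"], "disconnected session still holding processes"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sessions(SAMPLE)):
        print(finding)
```
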
I've shown you how to enable administration of your remote servers, but we haven’t discussed the security implications. You need to be careful when you install Terminal Services; otherwise, you might open a new doorway for attackers to access your system, so don’t install Terminal Services without considering the security ramifications. In Terminal Services, Part 2, I'll show you how to use a variety of Win2K features to secure remote administration and how to secure Terminal Services in an application server scenario.