Terminal Services: Friend and Foe

One great feature in Windows 2000 Server is Terminal Services. Before Win2K, you needed a separate version of Windows NT (Windows NT Server 4.0, Terminal Server Edition—WTS) to obtain and install Terminal Services. In Win2K Server, you can use the Control Panel Add/Remove Programs applet to enable Terminal Services. Terminal Services not only provides remote system connectivity and application sharing for users but also provides remote administration of servers. Installing Terminal Services, however, requires thought and attention to security, or you could open a large security hole in your network.

If you install Terminal Services, you must consider several important security matters. (For information about installing Terminal Services, see Robert McIntosh’s Windows 2000 Magazine Network article, "Using Terminal Services for Administration," http://www.win2000mag.com, InstantDoc ID 15813.) First think about how you want to use the service. If you plan to use it only for remote administration, the main security precaution to take is to disable terminal access for accounts that aren’t going to connect for remote administration. Also consider creating a decoy Administrator account to deflect attackers’ attention from the real Administrator account: Rename the original Administrator account, and give it a strong password (all accounts should have strong passwords, but for accounts that have access to the terminal server, this precaution is especially important). Then create a new fake Administrator account (with "administrator" as its name) with no access.

To enable Terminal Services access and set user access, open the Microsoft Management Console (MMC) Computer Management snap-in, then click the Local Users and Groups folder. Double-click the Users folder or the Groups folder, right-click the user or group you want to manage, then select Properties. In the dialog box, select or clear Allow logon to terminal server check box, depending on the user’s needs. If you select the check box, you need to specify a couple of other items that can help limit an intruder’s advantage. First, click the Sessions tab, which Figure A shows. For the When a session limit is reached or connection is broken group, select the End session option button. Selecting this option limits the possibility of intruders taking a client system offline and jumping into its place (hijacking the session). Second, for the Allow reconnection group, select the From originating client only option button. Setting these two options this way can sometimes cause problems if the user has an unreliable connection and can’t reconnect from the originating session, but from a security standpoint, these settings are wise. Setting an idle limit for the session is also a good idea—a limit in the range of 5 to 10 minutes should be more than enough time, although you might want to make this longer for a user who spends all day in front of a Terminal Server session and requires constant access.

Finally, remember that installing Terminal Services on a unit that acts as a domain controller (DC) is unwise because if an attacker manages to access such a machine, all your users’ account information would be available. If you’re considering using the new Advanced RDP Web client, you should enable Secure Sockets Layer (SSL) certificate security on your Microsoft IIS server to help encrypt the authentication to the Web site you use for Terminal Services connections. Enabling SSL certificate security will help increase security during client logon. If you plan to heavily use Terminal Services, implementing IP Security (IPSec) on your Win2K server is mandatory to help secure data and authentication of your remote clients. For more information about securing Terminal Services, see Morris Lewis, "Terminal Services Security," February 2001.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.