Chapter 2: Terminal Server Technical Review

 Chapter 2: Terminal Server Technical Review

By default RDP traffic can be configured to use one of four levels of encryption. Terminal Server on Windows Server 2003 supports Low, Client Compatible, Federal Information Processing Standard (FIPS) Compliant, and High encryption levels. Encryption levels can be locally or centrally configured via Group Policy. The encryption algorithm used depends on the configured encryption mode. For example, not all RDP clients can support FIPS Compliant and High encryption levels, so in a mixed environment with legacy and non-Windows clients, Medium encryption may be the highest supported encryption level. The RDP protocol uses Triple DES (3DES) and Secure Hash Algorithm v1.0 (SHA1) for FIPS compliant connections or RC4 symmetric encryption algorithm with an MD5 hash with Low, Client Compatible, and High encryption levels.

List 2.1 shows each encryption level.

• FIPS: encrypts both the data sent from client to server and the data sent from server to client by using the Federal Information Processing Standard (FIPS) encryption algorithms with Microsoft cryptographic modules. This feature is supported on Windows 2000 or Windows XP with the RDP 5.2 client.
• High: encrypts both the data sent from client to server and the data sent from server to client using a 128-bit key. Legacy RDP clients that do not support this level of encryption will not be able to connect.
• Medium: encrypts both the data sent from client to server and the data sent from server to client, by using a 56-bit key if the client is a Windows 2000 or above, or a 40-bit key if the client is an earlier version. This level is ideal when Terminal Servers are supporting mixed or legacy clients.
• Low: encrypts only the data sent from client to server, using either a 56-bit or 40-bit key, depending on the client version. The data sent from the server to the client is not encrypted.

The encryption levels can be configured locally on a Terminal Server using the Terminal Services Configuration utility (tscc.msc) or centrally via Active Directory. The Group Policies can be configured in Active Directory by editing the desired Group Policy Object from the following location:
Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Encryption and Security.

Figure 2.4 shows the Group Policy “Set client connection encryption level Properties.”

Figure 2.4

Terminal Server Access Requirements
Windows Server 2003 has three different layers of access rights that control who can log on to a Terminal Server. To allow users to log on to a Terminal Server, the following settings must be made:

The Allow logon through Terminal Services right:

• Windows 2000 required the log on locally right to all users to gain access to a Terminal Server. The log on locally right allows users to log on at the console of the server, bypass-ing RDP level restrictions. This configuration gave users unnecessary privileges and was once considered a material weakness.
• Windows 2003 Server fixed the problem by separating the right to log on to the console from the right to log on through Terminal Services. By default, the Allow logon through Terminal Services right is granted to Administra-tors and to the Remote Desktop Users group

Permission to use RDP:

• Administrators can configure permissions on RDP with the Terminal Services Configuration tool.
• Windows 2000, the local Users group, is granted access to RDP.
• Windows 2003 Server restricts this right to the local Re-mote Desktop Users group. Users must be explicitly added to this group in order to log on to a Terminal Server.

The Allow logon to terminal server check box:

• By default, the Allow logon to terminal server check box is enabled for all users in their Active Directory user proper-ties. The Allow logon to terminal server check box controls if the user is permitted to log on to a Terminal Server.

Two of the three access requirements are dependent on membership in the Remote Desktop Users group. When a user receives a “You do not have permission to access this session” error message, one of these three settings (The Allow logon through Terminal Services right, Per-mission to use RDP or the Allow logon to terminal server check box) is the problem.

Application Access
The default behavior with Terminal Server is to assume that all legitimate users have access to all applications installed on a Terminal Server. The default behavior is widely adopted and used in most deployments because of its simplicity. To meet business and regulatory requirements, many organizations implement application access restrictions to control which applications are available to specific users. There are two strategies used to employ application restrictions: black-list or white-list policies. A black-list policy is used when an administrator explicitly specifies which applications are not allowed to execute, and all other applications are allowed. A white-list policy is used when an administrator explicitly specifies which applications are allowed to execute, and nothing else is allowed.

Application Access Restrictions
Application access restrictions are typically implemented to meet business objectives and regulatory mandates. For example, access to financial applications may need to be restricted to a specific user or group of users in order to comply with the Sarbanes-Oxley Act. Another example would be the need to restrict access to a payroll application from the general user population. A wide variety of integrated solutions are on the Windows Server platform to apply application access restrictions. One strategy is to leverage the default behavior so that all users can execute the majority of installed applications excluding specific applications with access restrictions; this procedure follows the black-list model. Another strategy is to use the white-list model to specify which applications are allowed to execute and nothing else is allowed. Implementing Terminal Server silos is another strategy in which only specific users are granted access to a dedicated Terminal Server silo that hosts restricted applications. Many applications require a secondary authentication, which is an application level access restriction as well.

The next sections will introduce five application access restriction options: NTFS file system level restrictions, Software Restriction policies, the Run only allowed Windows Applications Group Policy, Terminal Server Silos, and application level access restrictions.

Note: The implementation of Application Access Restrictions requires extensive testing to ensure that applications function properly and that the user environment is not too restrictive. Each organization should evaluate its unique requirements to develop Application Access Restrictions that provide sufficient security and manageability, without limiting user productivity.

NTFS File System Restrictions
NTFS file system restrictions can be employed to restrict access to an application’s executable to approved users or groups.  NTFS file system restrictions follows the black-list model where administrators explicitly specify what applications are not allowed to execute, and all other applications are allowed. This method of enforcing application restrictions is widely adopted and typically used together with the default behavior. The use of NTFS file system restrictions with the default behavior allows a single server farm to host an organization’s entire application portfolio without the need to dedicate servers to host restricted access applications.

Configuring NTFS file system application restrictions is identical to the configuration of NTFS file and directory security. In a Windows Server 2003 environment, NTFS file system permissions can be configured centrally using Active Directory and Group Policy. Centralized configuration of NTFS file system application restrictions with Active Directory and Group Policy allows an organization to centralize the configuration, enforcement, and auditing of NTFS file system level application restrictions.

When properly implemented, NTFS file level security is very difficult to circumvent. Regardless of how users access the server, restricted applications will only execute for users with the appropriate NTFS rights.

Software Restriction Policies & Run Only Allowed Windows Applications Group Policy
Software Restriction Policies were introduced with Windows XP and Windows 2003 Server and have effectively replaced the Windows 2000 Run Only Allowed Windows Applications Group Policy. Microsoft Software Restriction Policies provides the integrated framework to implement granular application execution policies by using Active Directory Group Policy without the need of any additional 3rd party software.  Software Restriction Policies are supported on Windows XP and the Windows Server 2003 platform.

Software Restriction Policies provide the security controls to restrict application and file access execution and to mitigate the introduction of hostile code through email or web browsing, such as script based viruses or Active X controls. This method is more restrictive and secure than Terminal Server’s default behavior and provides more granular control over application execution than NTFS file system restrictions.

Terminal Server Silos
Another strategy is to implement a siloed environment as described in Chapter 1. One Terminal Server silo is used to support the general user population leveraging the default behavior, and dedicated Terminal Server silos are established to host restricted access applications. Terminal Server silos allow the appropriate security controls, such as auditing and encryption, to be implemented based on the sensitivity of the data or application hosted on a silo. This strategy is widely adopted and is typically used with software restriction policies in order to satisfy regulatory mandates.

Application Level Restrictions
Application level restriction requires users to enter secondary credentials, such as user name and passwords, to gain access to an application. Applications that employ application level restrictions typically maintain their own user database, which is not integrated or synchronized with Active Directory. Typically this approach leads to password policy violations because users write down their secondary user credentials on a piece of paper or on some pad near their computer.

In many cases, application level restrictions require a Single Sign-on solution in order to meet business or regulatory objectives. A Single Sign-on solution will securely store and automatically submit user credentials to applications that employ application level restrictions.

Application Access Conclusion
Terminal Server provides tremendous flexibility in terms of centralized application deployment and granular application access entitlements. Organizations can use a single Terminal Server farm to host their entire application portfolio by using a black-list model and leveraging the default behavior with NTFS file system restrictions. If a more restrictive and secure environment is required, a white-list model can be implemented using Active Directory Group Policy, application level restrictions, and silos. These application access options allow organizations to meet business and regulatory requirements using proven industry standards.

Terminal Services Technologies
This section will look at the technologies behind Terminal Server. We will review Terminal Services, Session Directory, Terminal Server license server, and a Terminal Server farm.

Terminal Services and the Session Manager
Terminal Services, a Windows service, enables multi-user technology by implementing a Session Manager layer between the system and user layers. The Session Manager replies to new session requests by creating a separate instance of the Win32 subsystem, WIN32K.SYS, for each user session. The Session Manager then executes the client-server runtime subsystem, CRSS.EXE, and the Windows logon service, WINLOGON.EXE, within the session.

Figure 2.5 shows which processes make up Terminal Services divided between user mode and kernel mode and indicates whether they are per server or per session.

Figure 2.5

Figure 2.5 illustrates the process that allows multiple user sessions to run simultaneously on today’s Windows operating systems. The Session Manager directs users to their sessions and then directs the applications, services, and resources to the new session. Session Manager assigns each session a unique ID and address space so that resource and network requests can be directed to the correct user.

Session Directory
The Session Directory service is a Windows Server 2003 Enterprise Edition feature that provides a single point of entry into a load-balanced Terminal Server farm. The Session Directory service is installed by default on all editions of Windows Server 2003. It is used in conjunction with a load-balancing solution like Microsoft’s load-balancing service or a third-party hardware load-balancer. Session Directory acts as a RDP session load-balancer, connecting users to the least busy server while maintaining a jet database of active sessions within the Terminal Server farm. This feature enables disconnected users to reconnect to their active, disconnected session at the same server. When a user connects to a server farm through the Session Directory server, the Session Directory checks the list of active and disconnected sessions. If the username is found in the database, the connection is directed to the server running the session.

Windows Server 2003, Standard Edition, may be used to run the Session Directory service, although all servers in the Terminal Server farm must be on Windows Server 2003 Enterprise Edition to take advantage of Session Directory functionality.

List 2.1 explains how the Session Directory works.
1.    An incoming connection to the server farm is load-balanced to a Terminal Server, which presents a logon prompt.
2.    When the user authenticates, the Terminal Server that received the original client logon request sends the username to the Session Directory server.
3.    The Session Directory server checks the username in the database and sends the result to the requesting Terminal Server.
a.    If the user has no disconnected sessions, the logon process continues from the server that received the initial connection.
b.    If the user has a disconnected session, the Terminal Server that received the original client logon request sends the client information to the server hosting the disconnected session, and the user authenticates on the server hosting the disconnected session.
4.    Once the user accesses the disconnected session, the Session Directory is updated.

A load-balanced farm is accessed by end users with a single virtual IP address (VIP). A virtual IP address is shared among multiple computers and is typically used for load balancing. Intra machine communication, such as Terminal Server to Session Directory server, is RPC on port 135 and on randomly allocated high TCP ports. The name of the system service for the Session Directory is “tssdis”.

To use the Session Directory, the following three configurations are needed:
1.    Turn on the Session Directory service. (Session Directory Server)
2.    Add each Terminal Server domain account to the Session Directory Computers group. (Session Directory Server)
3.    Configure each Windows Server 2003 Enterprise Edition Terminal Server in the farm to participate in the Session Directory. (Terminal Servers)

The first time the Session Directory service is started, a new local group is created on the host called Session Directory Computers. By default, the Session Directory Computers group is empty. Access to Session Directory functionality must be explicitly granted by adding each Terminal Server’s domain computer account to the Session Directory group. The Session Directory service will only accept connections from servers in the Session Directory local group. The accounts can be added individually or by creating a domain group containing the Terminal Servers and then adding the domain group to the Session Directory group.

Note: The Session Directory may not work with non-Windows clients in a load-balanced environment. The Session Directory uses a token to pass information to the load balancer and RDP client. If the load-balancing solution or non-Windows clients do not support tokens, reconnection to disconnected sessions will not work.

From a security perspective, it is important to consider what happens when the Session Directory fails. Other than losing Session Directory functionality, logon times will increase as each Terminal Server attempts to connect to the Session Directory server, which could affect the availability of the Terminal Server farm. The Session Directory service supports Microsoft’s clustering technology, which should be considered to provide fault tolerance and high-availability.

Terminal Services Licensing
For a Terminal Server to accept connections after the 120-day trial period, a terminal services licensing server must be configured. To connect to a Windows Server 2003 Terminal Server, clients need to be issued a Windows Server 2003 license token, which is referred to as a CAL (Client Access License). Windows Server 2003 CALs can only be issued by a Windows Server 2003 terminal services license server. A Windows 2000 services license server cannot issue Windows Server 2003 CALs. Terminal services licensing consists of the Microsoft Clearinghouse, one or more Windows Server 2003 terminal services licensing servers (any edition of Windows Server 2003), and Terminal Servers. From a Terminal Server console, the Microsoft Clearinghouse can be accessed to activate license servers and to acquire and install license key packs on the terminal services licensing server. The Microsoft Clearinghouse is accessible via the Internet, through a web page, or by telephone.

Terminal services licensing servers store all terminal services tokens while continually monitoring all tokens that have been issued to computers or users. Terminal Servers must be able to communicate with a terminal services licensing server in order to issue permanent tokens. Intra machine communication, such as Terminal Server to terminal services licensing server communication, is RPC on port 135 and randomly allocated high TCP ports. The name of the system service for terminal services licensing is “TermServLicensing”.

Note: Inactivated license servers can only issue temporary licenses.

Terminal services licensing can be installed on domain controllers or member servers in Enterprise license server or domain license server mode. The primary difference between the two modes is the license server discovery process. Domain controllers or member servers configured in Enterprise license server mode are automatically discovered by Terminal Servers; license servers that are configured in domain license server mode are not automatically discovered. Terminal Servers cache the names of discovered license servers in the following locations of the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Parameters\EnterpriseServerMulti (Enterprise license servers)
HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing\Parameters\DomainLicenseServerMulti (Domain license servers)

If the discovery process fails, and no license server is found, a Terminal Server will automatically run a discovery once every hour. After a license server is found, no additional discoveries are made until all of the cached license servers in the registry are unavailable.

Environments with a member server in domain license server mode need to configure each Terminal Server with a preferred license server. Configuring a preferred license server requires a registry modification by adding a subkey with the hostname of the preferred license server on each Terminal Server in HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Services\TermService\Parameters\LicenseServers subkey.

From a security perspective, it is important to consider high availability when designing a Terminal services licensing solution. When Terminal services licensing fails, the availability of the system is at risk because users could be denied access. Microsoft’s recommended configuration for license server high availability is to install a minimum of two license servers with Terminal Services CALs. Each license server should have 50% of the CALs, effectively load balancing the licenses between license servers providing high availability.

Terminal Server Farm
When multiple Terminal Servers are load-balanced, it is commonly referred to as a Terminal Server farm. A Terminal Server farm consists of a network load-balancing solution, two or more Terminal Servers, and optionally a Session Directory server. A load-balanced farm is accessed by end users with a single virtual IP address; therefore, each Terminal Server in a farm should be identically provisioned and configured to ensure consistency.

A Terminal Server farm allows organizations to scale out their Terminal Server environment by adding machines to the farm to increase capacity. A Terminal Server farm can be load-balanced with Microsoft’s integrated load-balancing service or a third-party hardware load-balancer.

Figure 2.6 shows an example Terminal Server farm.

Figure 2.6

From a security perspective, it is important to consider fault tolerance and high availability when designing a Terminal Server farm. Fault tolerance and high availability for Terminal Server licensing, Session Directory, and Load-Balancing should be considered to ensure the availability of the system.

Figure 2.7 shows a Terminal Server farm configured for high availability with two license servers. Each license server has 50% of the CALs, a Session Directory cluster, and Microsoft's Load-Balancing Services.
 
Figure 2.7

Terminal Server Reference Design
The Terminal Server Reference Design presented in this section is a high level baseline that represents a secure, flexible, and scaleable framework. It contains software, hardware, and storage components that enable an organization to centralize the deployment and management of its Windows desktop and Windows applications infrastructure using Microsoft Terminal Server.

Figure 2.8 shows an architectural overview of the Terminal Server Reference Design. Please note that each security domain (i.e. uncontrolled, controlled, restricted, and intranet) is a separate network segment. A firewall and/or a router are used to filter network traffic between security domains.
 
Figure 2.8

As shown in Figure 2.8, there are multiple components within the Terminal Server Reference Design. These components include, but are not limited to, the following:
1.    The Terminal Server Farm.
2.    Required Terminal Server Infrastructure Services.
3.    Required Microsoft Infrastructure Services.
4.    Back-end Application and Data Storage Servers.
5.    Required Network Infrastructure.
6.    Operational Support Systems (OSS) includes help desk, system and SLA monitoring, and capacity planning as well as applica-tion, service pack, and hotfix provisioning.

In addition to the components listed above, there are at least four distinct network subnets along with additional isolated subnets within the restricted security domain. These network subnets include the
1.    Uncontrolled
2.    Controlled
3.    Restricted
4.    Intranet

Note: See Chapter 5 for a detailed explanation about the network topology in Figure 2.8.

Users access the system from either the Internet or within the LAN environment. From the Internet, users are routed to one of the Terminal Server farm servers via a VPN. From the LAN, users are routed to one of the Terminal Server farm servers via a router. Depending on the type of application and data request, a connection to a back-end application server and a back-end data store may also have to be made to deliver an application or data.

The Terminal Server Farm
Multiple Terminal Servers that are load-balanced are commonly referred to as a Terminal Server farm. A Terminal Server farm consists of a network load-balancing solution, two or more Terminal Servers, and optionally a Session Directory server. A load-balanced farm is accessed by end users with a single virtual IP address; therefore, each Terminal Server in a farm should be identically provisioned and configured to ensure consistency.

A Terminal Server farm allows organizations to scale out their Terminal Server environment by adding machines to the farm to increase capacity by providing robust, centralized application delivery and management capability. It is scalable, reliable, manageable, and secure. And it offers predictability in terms of performance, user experience and cost.

Required Terminal Server Infrastructure Services
A Terminal Server farm consists of a network load-balancing solution, two or more Terminal Servers, and an optional Session Directory server and a licensing server.

Load-Balancing
A Terminal Server farm can be load-balanced with Microsoft’s integrated load-balancing service or a third-party hardware load balancer.

Load Balancers allows a group of servers to be configured as a load-balanced cluster with a single Virtual IP address (VIP). Users access the cluster with the DNS name associated with the Virtual IP address.

Session Directory
The Session Directory service is an optional feature that provides a single point of entry into a load-balanced Terminal Server farm. The Session Directory service is used together with a load-balancing solution. Session Directory acts as a RDP session load-balancer, connecting users to the least busy server while maintaining a database of active sessions within the Terminal Server farm. This feature enables disconnected users to reconnect to their active, disconnected session on the same server.

Terminal Services Licensing
Terminal services licensing consists of the Microsoft Clearinghouse, one or more Windows Server 2003 terminal services licensing servers (any edition of Windows Server 2003), and Terminal Servers.

From a security perspective, it is important to consider high availability when designing a Terminal Server farm, fault tolerance, and high availability for Terminal Server licensing; Session Directory and Load-Balancing must be considered in order to ensure the availability of the system while meeting regulatory mandates.

Required Microsoft Network Infrastructure Services
The Microsoft Network Infrastructure Services required to support a Terminal Server farm includes Active Directory, DNS and File Services.

Back-End Application and Data Storage Servers
Many applications require a back-end application and/or data storage. An example of this is an N-tier web application. The front end resides on a web server, and the data resides on a SQL Server database.

Required Network Infrastructure Services
The required network infrastructure services required to support a Terminal Server farm include firewalls, VPNs, switches, routers and load balancers.

Operational Support Systems (OSS)
Operational Support Systems (OSS) encompasses technologies, services, and solutions that help an organization efficiently manage their environment and provide support to their users.

Chapter 2 Summary
This chapter provided a technical overview of Terminal Server and the inter-relationships between supporting technologies that work together with Terminal Server.

Terminal Server technical review

• RDP is an application layer multiple-channel remote networking protocol that functions as a virtual display, keyboard and mouse on the server.
• An RDP client is a software application that establishes and maintains a connection between a terminal with an RDP client and a Terminal Server.
• Terminal Server in Windows Server 2003 has three different layers of access rights. Two of the three access rights requirements are dependent on membership in the Remote Desktop Users group.
• The default behavior with Terminal Server is to assume that all users have access to all applications installed on a Terminal Server.
• Application access restrictions are sometimes necessary to meet business objectives and regulatory mandates.
• Application access can be controlled using file level rights, Software Restriction policies, the Run Only Allowed Windows Applications Group Policy, or 3rd party solutions.

Terminal Services and the Session Manager

• A Windows service enables multi-user technology by implementing a Session Manager layer between the system and user layers.
• The Session Manager replies to new session requests by creating a separate instance of the Win32 subsystem, WIN32K.SYS, for each user session.
• The Session Manager directs users to their sessions and then directs the applications, services, and resources to the new session.
• The Session Manager assigns each session a unique ID and address space so that resource and network requests can be directed to the correct user.

Session Directory

• The Session Directory service is a Windows Server 2003 Enterprise Edition feature that provides a single point of entry into a load-balanced Terminal Server farm.
• The Session Directory service is installed by default on all editions of Windows Server 2003.
• Session Directory service is used in conjunction with a load-balancing solution and acts as a RDP session load-balancer by connecting users to the least busy server while maintaining a database of active sessions within the Terminal Server farm.
• Terminal Server to Session Directory server communication is RPC TCP traffic on port 135 and on randomly allocated high TCP ports.
• The first time the Session Directory service is started, a new local group is created on the host called Session Directory Computers, which by default is empty.
• Access to Session Directory functionality must be explicitly granted by adding each Terminal Server’s domain computer account to the Session Directory group.
• When the Session Directory fails, other than losing Session Directory functionality, logon times will increase.
• The Session Directory service supports Microsoft’s clustering, which should be considered to provide fault tolerance and high availability.

Terminal Services Licensing

• For a Terminal Server to accept connections after the 120-day trial period, a terminal services licensing server must be configured.
• Terminal services licensing consists of the Microsoft Clearinghouse, one or more Windows Server 2003 terminal services licensing servers, and Terminal Servers.
• Terminal services licensing servers store all terminal services tokens while continually monitoring all tokens that have been issued to computers or users.
• Intra machine communication, such as Terminal Server to terminal services, to licensing server communication, is RPC TCP traffic on port 135 and randomly allocated high TCP ports.
• The name of the system service for terminal services licensing is “TermServLicensing”.
• Microsoft’s recommended configuration for license server high availability is to install a minimum of two license servers with Terminal Services CALs.

Terminal Server Farm

• Multiple load-balanced Terminal Servers are commonly referred to as a Terminal Server farm.
• A Terminal Server farm consists of a network load-balancing solution, two or more Terminal Servers, and optionally a Session Directory server.
• A load-balanced farm is accessed by end users with a single virtual IP address.
• It is important to consider high availability when designing a Terminal Server farm; fault tolerance and high availability for Terminal Server licensing, Session Directory and Load Balancing.