Chapter 8: Windows Terminal Server Standards

Chapter Overview:
This chapter introduces an example tier 3 Terminal Server Standards policy that specifies Enterprise wide Terminal Server standards. A Windows Terminal Server Standards policy explicitly states Enterprise wide requirements from a plan, build, run and monitor perspective. It provides personnel with an approved framework to design, implement and support a Windows Terminal Server environment.
 
Standards are used to provide the uniform use of technologies to drive consistency and reproducibility, lower operational costs, and enable faster deployments of technologies and functions. Standards allow organizations to meet strategic and tactical Information Technology objectives better while maximizing the business value of information technology.
 
From a security perspective, Windows Terminal Server Standards provide uniformity and predictability, which improve the security posture of an environment. The example Terminal Server Standards policy references other policies.
 
The following example is a Windows Terminal Server Standards policy. This policy is intended for informational purposes only.
 
Windows Terminal Server Standards
 
Purpose
The purpose of these standards is to define Enterprise wide Windows Terminal Server architecture requirements in order to provide opportunities to meet strategic and tactical Information Technology objectives better. These standards define a template and a set of requirements used to implement and support Windows Terminal Server.
 
Scope
These standards are applicable for <Company Name> and any <Company Name> business units that support Windows Terminal Server.
 
Standards
 
Terminal Server Architecture and Server Farm Design
Multiple load-balanced Terminal Servers are referred to as a Terminal Server farm, which consists of a network load-balancing solution, two or more Terminal Servers and, optionally, a Session Directory server. A Terminal Server farm allows an organization to scale its Terminal Server environment horizontally, adding servers to the farm as capacity is needed.
 
From a network design perspective, Terminal Servers will be placed within close physical proximity to the data to ensure that as little data as possible traverses over a network, thereby promoting efficiencies in bandwidth management and bandwidth usage.
  • A centralized server farm will be established and collocated with application and user data.
  • If the data or application cannot be hosted in the centralized data center, a separate Terminal Server or Terminal Server farm will be established within close physical proximity to the data or application.
  • When more than two Terminal Servers are deployed, a server farm will be established with a Session Directory and the Microsoft load-balancing service.
 
Session Directory
  • A Session Directory will be installed on a dedicated and highly available server.
 
Load-Balancing
  • The Microsoft load-balancing service will be used.
  • All load-balanced farm servers will be on the same subnet.
 
Terminal Server Licensing Server
  • Terminal Server licensing shall be installed on two domain controllers in Enterprise license server mode.
 
Licensing
  • One “server license” for each Terminal Server is required.
  • One Terminal Server Client Access License (TSCAL) is required for each user or device that connects to the Terminal Server farm.
  • Terminal Server will be configured in per user licensing mode.
 
Hardware
  • A 64-bit platform will be used to avoid the 4 GB memory limitation of 32-bit Windows.
 
CPU
  • 2 physical dual-core processors.
 
Memory
  • 12 GB memory.
 
Hard Disk
  • The operating system files and paging files should be placed on separate partitions.
  • The system partition should be mirrored, so that in the event of a hard disk failure, users are not disconnected from their sessions.
  • The partitions that are to contain the applications shall be configured with a RAID 5 array to ensure that applications remain usable in the event of a single hard disk failure.
 
Operating System Installation and Configuration
 
Operating System
  • Windows Server 2003 Standard x64 Edition shall be used for single server environment.
  • Windows Server 2003 Enterprise x64 Edition shall be used for each member server in a server farm.
 
Installation
  • An automated server build process will be established to maintain consistency and stability and to enable rapid deployment and recovery.
 
Anti-virus Prevention
  • All Terminal Servers will have <Product Name> anti-virus software installed and automated to run at regular intervals.
  • Anti-virus software and virus pattern files must be kept up to date.
  • Guidelines from the Desktop Application Security Technical Implementation Guide v 3, release 0, Appendix B. Anti-virus Product Specific Guidance will be used to configure and support <Product Name> anti-virus software.
 
Patch management
  • Patch management will be automated using Windows Server Update Services.
 
Server Security
  • All Terminal Servers will comply with <Company Name> Windows Server Security Policy and Terminal Server Security Baseline.
 
Terminal Server Installation
  • All Terminal Servers will comply with <Company Name> Terminal Server Installation Baseline.
 
Terminal Server Management
  • Terminal Servers will be managed in a separate Organizational Unit (OU) by Group Policy.
 
Securing Terminal Server Sessions
  • All Terminal Servers will comply with <Company Name>'s Terminal Server Security Baseline.

Applications
  • All applications on Terminal Servers will comply with <Company Name>'s Terminal Server Application Software Policy.
 
Application Access Rights
  • All applications that access classified, financial or human resources data will require access restrictions.
 
Client Devices
  • Client devices that connect to Terminal Servers shall comply with <Company Name>'s Platform Architecture Policy.
 
RDC Clients
  • The Remote Desktop Connection (RDC) client and Remote Desktop Web Connection clients will be supported.
 
Printing
  • Server printers and client printers will be supported.
 
User Profiles
  • Terminal Server roaming user profiles will be implemented.
  • User profiles will be managed via Group Policy.
  • User profiles will be kept as small as possible.
  • Profile size will be limited per Group Policy.
  • Creation of new profiles will be fully automated.
  • User profiles will be backed up as part of the daily data backup process.
 
Monitoring and Reporting
  • Microsoft Operations Manager (MOM) is the standard monitoring and reporting solution.

Security Policy Auditing
  • Security auditing will comply with <Company Name>'s Audit Vulnerability Scan Policy.

Incident Response
  • All security incidents shall comply with <Company Name>'s Incident Response Policy.
 
Change Management
  • All modifications made to a production Terminal Server shall comply with <Company Name>'s Change Management Policy.
 
Backups
  • <Company Name> employs automated server builds, application packaging, and deployment for Terminal Servers with remote storage of all Terminal Server user and application data.
  • Terminal Servers will not be backed up.
  • Terminal Server roaming profiles will be backed up as part of the daily data backup process.
 
Review Cycle
  • This document will be reviewed annually unless an exception is needed.
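The standards above are only useful if they can be verified on the servers they govern. The following PowerShell script is an added example, not part of the example policy or of any <Company Name> tooling: it performs a read-only check of a Terminal Server against the Hardware, Hard Disk, Operating System, Licensing, Patch management and Terminal Server Management standards. It assumes PowerShell 2.0 or later, local administrative rights, and an OU name (the `$TerminalServerOU` parameter) that is a placeholder; the registry paths and WMI classes are standard Windows locations.

```powershell
# Added example, not part of the policy text: read-only check of a Terminal
# Server against several standards from this chapter. Run locally on the
# server with administrative rights. Registry paths and WMI classes are
# standard Windows locations; the thresholds come from the policy.
param([string]$TerminalServerOU = 'Terminal Servers')   # placeholder OU name

$results = @()
function Add-Check([string]$Standard, [bool]$Compliant, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{
        Standard = $Standard; Compliant = $Compliant; Detail = $Detail }
}

# Hardware: 64-bit platform, 12 GB memory
$arch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } else { $env:PROCESSOR_ARCHITECTURE }
Add-Check 'Hardware: 64-bit platform' ($arch -eq 'AMD64') $arch
$memGB = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
Add-Check 'Memory: 12 GB' ($memGB -ge 12) "$memGB GB installed"

# Hard Disk: the paging file must not share the operating system partition
$pageFiles = @(Get-WmiObject Win32_PageFileUsage | ForEach-Object { $_.Name })
$onSystem  = @($pageFiles | Where-Object { $_ -like "$($env:SystemDrive)*" })
Add-Check 'Hard Disk: paging file on separate partition' `
    ($pageFiles.Count -gt 0 -and $onSystem.Count -eq 0) ($pageFiles -join ', ')

# Operating System: Windows Server 2003 x64 edition
$os = Get-WmiObject Win32_OperatingSystem
Add-Check 'Operating System: Server 2003 x64' ($os.Caption -match 'Server 2003' -and $arch -eq 'AMD64') $os.Caption

# Licensing: per user mode (LicensingMode 4 = per user, 2 = per device)
$lic = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core' -ErrorAction SilentlyContinue
Add-Check 'Licensing: per user mode' ($lic.LicensingMode -eq 4) "LicensingMode=$($lic.LicensingMode)"

# Patch management: the update client is pointed at a WSUS server by policy
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
Add-Check 'Patch management: WSUS' ($au.UseWUServer -eq 1 -and [bool]$wu.WUServer) "WUServer=$($wu.WUServer)"

# Terminal Server Management: the computer object lives in the dedicated OU
$entry = ([ADSISearcher]"(&(objectClass=computer)(name=$env:COMPUTERNAME))").FindOne()
$dn = if ($entry) { [string]$entry.Properties['distinguishedname'][0] } else { 'not found in AD' }
Add-Check 'Management: Terminal Server OU' ($dn -like "*OU=$TerminalServerOU,*") $dn

$results | Select-Object Standard, Compliant, Detail | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
Write-Host "$failed of $($results.Count) standards non-compliant"
exit $failed
```

The exit code equals the number of failed checks, so the script can be scheduled from the monitoring solution and a non-zero result raised as an alert.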
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
Resources
  • Windows Server Security Policy
  • Terminal Server Security Baseline
  • Terminal Server Application Software Policy
  • Audit Vulnerability Scan Policy
  • Incident Response Policy
  • Platform Architecture Policy
  • Desktop Application Security Technical Implementation Guide v 3, release 0, Appendix B. Anti-virus Product Specific Guidance
 
 
This chapter reviewed an example tier 3 Terminal Server Standards policy. The policy defines Enterprise wide Terminal Server standards and requirements from a plan, build, run and monitor perspective.
 
  • Standards provide a uniform use of a technology that drives consistency and reproducibility, lowers operational costs, and enables faster rollouts of technologies and functions.
  • From a security perspective, a Windows Terminal Server Standards policy provides uniformity and predictability.
 
These policies and guidelines were referenced within the Terminal Server Standards:
  • Windows Server Security Policy
  • Terminal Server Security Baseline
  • Terminal Server Application Software Policy
  • Server Security Auditing Policy
  • Incident Response Policy
  • Platform Architecture Policy
  • Server Monitoring and Reporting Policy
  • Desktop Application Security Technical Implementation Guide v 3, release 0, Appendix B. Anti-virus Product Specific Guidance
 
The next chapter will review a tier 3 Windows Server Security Policy.
 
Resources:
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx