Chapter 10: Terminal Server Installation Baseline
Chapter Overview:
This chapter reviews a tier 3 Terminal Server Installation Baseline. A Terminal Server Installation Baseline provides employees with an approved procedure to install Terminal Server. It is used with other IT infrastructure policies to address interoperability and security of Terminal Server in the context of the entire information system. For example, in Chapter 6, the IT Server Room Security Policy defined physical and environmental security; in Chapter 7, the Password Policy defined password requirements; in Chapter 8, the Windows Terminal Server Standards policy defined Terminal Server standards; and in Chapter 9, the Windows Server Security Policy defined an operating system baseline security configuration for all new servers. Together these policies reduce risk by implementing layered security controls (defense in depth) throughout the enterprise.
Installing the Terminal Server role allows users to connect to a Terminal Server by using an RDP client. The installation is a quick and simple process that enables Terminal Services. The installation can be made using the Manage Your Server applet or from Add and Remove Programs.
The installation with the Manage Your Server applet provides a streamlined installation process that automatically configures a Terminal Server in Full Security permission mode. The Add and Remove Programs installation method offers an additional window in which it is possible to select between Full Security, which is selected by default, and Relaxed Security. The permission mode can be changed after the installation with the Terminal Services Configuration applet.
The permission settings dictate the default permissions for users accessing system files and registry keys. With Full Security, non-administrators cannot modify the HKEY_LOCAL_MACHINE registry key or write files to the server’s hard drive other than their profile directory. Full Security effectively restricts permissions for Terminal Server users to the “Users Group” permissions. The Relaxed Security setting provides Terminal Server users with quasi Power User access to system folders and registry keys. Relaxed Security is commonly used as a quick fix to enable legacy or poorly written applications to operate on Windows Server 2003.
A default Windows Server 2003 Terminal Server installation employs a default deny strategy by restricting system access exclusively to administrators. Users or groups must be explicitly added to each Terminal Server’s local Remote Desktop Users group in order to be granted logon rights to a Terminal Server.
From a security perspective, it is important to consider the permission mode and the membership of the Remote Desktop Users group. Ideally, all Terminal Servers should be in Full Security mode in order to protect the server from unauthorized access. In the event that a particular application will not run in Full Security mode, first troubleshoot the application on a test server in Full Security mode to determine and resolve the root cause before considering using Relaxed Security. Membership in the Remote Desktop Users group provides explicit access control to a Terminal Server environment. A best practice to manage Remote Desktop Users group membership is to create and audit a security group that contains only approved Terminal Server user accounts. This group is then added to the Remote Desktop Users group on each server to grant access.
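The two checks described above can be run offline against output captured from each server with `net localgroup "Remote Desktop Users"` and `reg query`. The following is an added example, not part of the original chapter: the group name `CORP\TS-Approved-Users`, the server name `TS01` and the sample output are constructed, and the permission mode is read from the `TSUserEnabled` registry value (0 = Full Security), which the chapter does not name.

```python
import re

APPROVED_GROUP = r"CORP\TS-Approved-Users"  # hypothetical audited domain group
# Constructed sample of `net localgroup "Remote Desktop Users"` output.
SAMPLE_NET = r"""Alias name     Remote Desktop Users

Members

-------------------------------------------------------------------------------
CORP\TS-Approved-Users
CORP\jsmith
The command completed successfully.
"""
# Constructed sample of `reg query ... /v TSUserEnabled` output (1 = Relaxed).
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    TSUserEnabled    REG_DWORD    0x1
"""

def parse_members(net_output):
    """Member names listed between the dashed rule and the completion line."""
    lines = [l.strip() for l in net_output.splitlines()]
    rule = next((i for i, l in enumerate(lines) if l.startswith("-----")), None)
    if rule is None:
        raise ValueError("member list not found in net localgroup output")
    body = lines[rule + 1:]
    return [l for l in body if l and not l.startswith("The command completed")]

def parse_permission_mode(reg_output):
    """Map TSUserEnabled to the permission mode; 'unknown' if it is absent."""
    m = re.search(r"TSUserEnabled\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    if m is None:
        return "unknown"
    return "Full Security" if int(m.group(1), 16) == 0 else "Relaxed Security"

def audit(server, net_output, reg_output, approved=APPROVED_GROUP):
    """Return findings where the server deviates from the baseline."""
    findings = []
    mode = parse_permission_mode(reg_output)
    if mode != "Full Security":
        findings.append(f"{server}: permission mode is {mode}")
    members = parse_members(net_output)
    extra = [m for m in members if m.lower() != approved.lower()]
    if len(extra) == len(members):
        findings.append(f"{server}: approved group {approved} is not a member")
    return findings + [f"{server}: unapproved member {m}" for m in extra]

if __name__ == "__main__":
    for finding in audit("TS01", SAMPLE_NET, SAMPLE_REG):
        print(finding)
```

An empty result means the server is in Full Security mode and the approved group is the only member of Remote Desktop Users; an "unknown" mode is reported as a finding rather than treated as compliant.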
List 10.1 shows prerequisites and assumptions for installing Terminal Server:
- The server will comply with all appropriate IT infrastructure policies, such as IT Server Room Security Policy, Windows Terminal Server Standards, Windows Server Security Policy, and so forth.
- All Terminal Servers are grouped together in an Organizational Unit.
- All Terminal Servers are Windows Server 2003 Service Pack 2.
The following example is a tier 3 Terminal Server Installation Baseline that is used by employees to install Terminal Server. This example is intended for informational purposes only.
Purpose
The purpose of this baseline is to define standards for the installation of Terminal Services. Before any servers are placed on the production network, standard processes will be executed to ensure that all servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.
Scope
This baseline is specifically for any Windows Terminal Server on the internal network and will be reviewed in conjunction with the other IT infrastructure policies.
Terminal Server Installation Baseline
1. Log on to the target Terminal Server as administrator.
2. Click Start > Programs > Administrative Tools > Configure your Server Wizard, and then click the “Add or remove a role” link. Click Next from the Preliminary Steps window.
3. From the Server Role window, select the “Terminal server” role and click Next. Note: All other options should be set to No.
4. Follow the remaining portion of the Wizard and restart the machine when prompted.
5. After the server is restarted, log on as Administrator and click Finish and close the Help menu.
Policy Review
This policy will be reviewed annually.
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Related Policies, Standards, and Guidelines
- Change Management Policy
- <Server Role Name> Baseline Security Configuration
This chapter began with a discussion of the Terminal Server Installation Baseline, followed by an overview of the Terminal Server installation process. The chapter concluded with an example Terminal Server Installation Baseline.
- A Terminal Server Installation Baseline provides employees with an approved procedure to install Terminal Server and is used together with other IT infrastructure policies to address interoperability and security of Terminal Server.
- Installing the Terminal Server role allows users to connect to a Terminal Server using an RDP client.
- The installation can be made using the Manage Your Server applet or from Add and Remove Programs.
- It is important to consider the permission settings (Full Security or Relaxed Security) and Remote Desktop Users group membership in a Terminal Server environment.
- The permission settings dictate the default permissions for users accessing system files and registry keys.
- With Full Security, non-administrators cannot modify the HKEY_LOCAL_MACHINE registry key or write files to the server’s hard drive other than to their profile directory.
- The Relaxed Security setting provides Terminal Server users with quasi Power User access to system folders and registry keys.
- Auditing membership of the Remote Desktop Users group provides explicit access control to a Terminal Server environment.