Chapter 11: Terminal Server Security Baseline

Chapter Overview:
This chapter will introduce a Terminal Server Security Baseline that is intended for educational purposes in order to provide guidance to develop a security baseline to meet your organization’s specific requirements. The chapter begins with a review of how a Terminal Server Security Baseline relates to other IT infrastructure policies and then gives a short overview of Server Role configurations, general Terminal Server security configurations, Terminal Server Desktop security, prerequisites, and assumptions. It concludes with an example Terminal Server Security Baseline.
 
The development of a production Terminal Server Security Baseline requires extensive testing to ensure that applications function properly and that the user environment is not so restrictive that it hampers user productivity. Each organization should evaluate its unique requirements in order to develop a security baseline that provides sufficient security and manageability without limiting user productivity.
 
Organizations develop baselines to introduce Quality Assurance (QA) and reduce risk associated with the installation and configuration of technologies. A Terminal Server Security Baseline is one of many layered policies within the Platform Architecture Domain that is used with other IT infrastructure policies to address interoperability and security of Terminal Server in the context of the entire Enterprise. The Terminal Server Security Baseline relies on other IT infrastructure policies to provide security controls at each step of provisioning a Terminal Server and at each layer of the IT infrastructure. Together these policies reduce risk by implementing layered security controls (defense in depth) throughout the Enterprise. A Terminal Server Security Baseline is a process that can be reliably duplicated, audited or modified to meet evolving business and regulatory requirements.
 
Terminal Server Security Baselines tend to be large documents that cover server role configurations, Terminal Server security configurations and Terminal Server Desktop security. The next three sections will highlight each portion of the example Terminal Server Security Baselines. First, we will review the Server Role configurations and Terminal Server security configurations. These will be followed by the Terminal Server Desktop security section.
 
Server Role Configurations with the Microsoft Security Configuration Wizard
 
This section of the example baselines runs through the procedure to create a Terminal Server security role using the Microsoft Security Configuration Wizard. There are many third party solutions to develop security policies, but we selected the Microsoft Security Configuration Wizard because of its availability, acceptance and cost. The Security Configuration Wizard is bundled with Windows Server 2003 with Service Pack 1 and is well documented and widely adopted.
 
Microsoft calls the Security Configuration Wizard “an attack-surface reduction tool for Windows Server 2003 with Service Pack 1 family of products.” The Security Configuration Wizard supports a GUI and command line interface for the development of server security policies. It leverages Windows 2003 roles-based infrastructure to determine which ports and services need to be enabled for a given server role.
 
While developing a security policy, the server role’s minimum requirements are defined by disabling functionality that is not required. The security policy disables unneeded services, blocks unused ports, reduces protocol exposure and defines a high signal-to-noise audit ratio. The Security Configuration Wizard generates security policies as an XML file and the command-line utility can be used to convert an XML file into a Group Policy Object. Once the Group Policy Object is created, it must be linked to the target Organizational Unit. Security policies can be applied locally in XML format or centrally via Group Policy Objects.
 
Developing a security policy is broken down into four sections. These sections are organized and referenced in the Security Configuration Wizard user interface, using a security configuration database structure. Once the security configuration database is processed, it can be viewed or printed using the Security Configuration Wizard Viewer. The Wizard walks through the Server Role, Network Security, Registry Settings, Audit Policy and Internet Information Services (if installed) sections related to the server’s roles and functions.
 
The Security Configuration Wizard walks through the following sections and sub-sections:
 
Server Roles
  • Client Features
  • Administration and Other Options
  • Additional Services
  • Handling Unspecified Services
Network Security
  • Open Ports and Approved Applications
Registry Settings
  • Require SMB Security Signatures
  • Outbound Authentication Methods
  • Inbound Authentication Methods
Audit Policy
  • Do Not Audit
  • Audit Successful Activities
  • Audit Successful and Unsuccessful Activities
Internet Information Services
  • Web Service Extensions for Dynamic Content
  • Virtual Directories to Retain
  • Prevent Anonymous Users from Accessing Content Files
 
Server Roles Configuration
This section allows the configuration of installed and available services based on the server’s role. The Wizard does not install components or set up a server like the Configure Your Server Wizard does. Instead, it will enable services and open ports based on a list of server roles and client features.
 
Network security
This section is designed to configure inbound ports using the Windows Firewall. The configuration is based on the roles and administration options selected in the Server Role section. It is possible to restrict access to ports and configure port traffic to be signed or encrypted using IPSec. This section will be skipped in the example because the Windows Firewall is not installed.
 
Registry settings
This section addresses the configuration of the protocols used to communicate with other computers on the network. This section allows a server to be configured in order to reduce protocol exposure when communicating with legacy Windows operating systems. Communication with legacy Windows operating systems uses protocols that are vulnerable to password cracking and man-in-the-middle attacks.
 
Audit policy
This section allows the configuration of system auditing based on organizational auditing requirements. The audit policy can be configured not to audit any events, to audit only successful events, or to audit both successful and unsuccessful events. The audit policy not only configures the Object Access events but also the entire audit policy list of events.
 
Internet Information Services (IIS)
This section is displayed only if IIS is installed. This section allows the configuration of the security aspects of Internet Information Services (IIS). This section will be skipped in the example because IIS is not installed.
 
Terminal Server Security Configurations
This section of the Terminal Server Security Baselines will review the procedure to implement the security controls from Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG and the recommended restrictive settings from the Microsoft white paper “Locking Down Windows Server 2003 Terminal Server Sessions.” All of the STIG configurations and the Microsoft recommendations will be implemented using Group Policy.
 
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for U.S. Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices and systems. Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG addresses the Department of Defense’s minimum security requirements for Terminal Server. Appendix B is broken into nine sections.
 
List 11.1 shows the sections in Appendix B.
  • B.1 Terminal Services
  • B.2 Windows Installer
  • B.3 Windows Messenger
  • B.4 Logon
  • B.5 Group Policy
  • B.6 Windows Time Service
  • B.7 Network Connections
  • B.8 Installation of Printers Using Kernel-mode Drivers
  • B.9 Media Player – Automatic Downloads
 
Note: B.6 will not be included in the example Baseline.
 
In addition to the STIG, an extensive list of recommended restrictive settings can be found in a Microsoft white paper named “Locking Down Windows Server 2003 Terminal Server Sessions.” Not all of the settings from the STIG and Microsoft’s white paper are necessary; therefore, organizations should evaluate and test all of the settings to determine if they are too restrictive for their environment. Enabling all of the settings will create a restrictive environment that may be challenging to manage and may hinder user productivity.
 
In addition to the setting in Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG and the recommended restrictive settings from Microsoft “Locking Down Windows Server 2003 Terminal Server Sessions” white paper, there are additional Group Policy configurations that should be considered. For example, virtual channel restrictions and encryption levels should be evaluated to determine which settings meet an organization’s specific requirements.
 
Table 11.1 lists security related virtual channel Group Policy settings. The settings can be configured with the Terminal Services Configuration utility (tscc.msc) or centrally via Active Directory from:
Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Client/Server data redirection
 
Table 11.1 Security-related Client/Server data redirection settings (setting: explanation)
  • Do not allow clipboard redirection: Determines if sharing of clipboard (cut and paste) contents between Terminal Server applications and local applications during a Terminal Server session should be disabled.
  • Allow audio redirection: By default, Terminal Server on Windows Server 2003 disables audio redirection.
  • Do not allow COM port redirection: Determines if the mapping of client COM ports during a Terminal Server session should be disabled.
  • Do not allow client printer redirection: Determines if mapping of client printers during a Terminal Server session should be disabled.
  • Do not allow LPT port redirection: Determines if the redirection of data to client LPT ports during a Terminal Server session should be disabled.
  • Do not allow drive redirection: Determines if the mapping of client hard drives during a Terminal Server session should be disabled.
 
All of the RDP client encryption levels can be configured locally on a Terminal Server using the Terminal Services Configuration utility (tscc.msc) or centrally via Active Directory. Using Active Directory, administrators can select between three settings: Client Compatible, High or Low. The Group Policies can be configured in Active Directory by editing the desired Group Policy Object in the following location:
Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Encryption and Security.
 
Table 11.2 shows the client encryption settings.
 
Table 11.2 Client encryption settings (setting: explanation)
  • FIPS: All data sent from client to server and from server to client is encrypted using the Federal Information Processing Standard (FIPS) encryption algorithms with Microsoft cryptographic modules. Note: FIPS encryption must be configured locally on each Terminal Server using the Terminal Services Configuration utility (tscc.msc).
  • Client compatible: All data that traverses between the client and the server is encrypted based on the maximum key strength supported by the client.
  • High: All data that traverses between the client and the server is encrypted based on the server’s maximum key strength. Clients that do not support this level of encryption cannot connect.
  • Low: All data that traverses between the client and the server is protected by encryption based on the maximum key strength supported by the client.
  • Disabled or Not Configured: If the setting is Disabled or Not Configured, the encryption level is not enforced via Group Policy. Note: Administrators can configure the encryption level on the server with the Terminal Services Configuration tool.

 
Terminal Server Desktop Security
This section of the Terminal Server Security Baselines will review the procedure to implement desktop security controls using Group Policy. The main objective of desktop security is to provide standardization, security and compliance. Desktop security controls for Terminal Server ensure that the Terminal Server desktop environment is secured in a way to protect the operating system and network from unauthorized user access. For example, access to the Control Panel, Start Menu, Taskbar and Desktop options should be individually evaluated and configured to protect the operating system and network from user access.
 
There are various user-level Group Policy Object settings that provide control over Control Panel, Start Menu, Taskbar and Desktop options. Figure 11.1 shows the location of the Group Policy Objects used to configure Control Panel, Start Menu, Taskbar and Desktop options.
 
Figure 11.1 Location of the Group Policy settings for Control Panel, Start Menu, Taskbar and Desktop options (image not reproduced)
 
Implementing desktop security controls requires substantial testing in a lab or pilot environment to ensure that the desktop is adequately secured without affecting user productivity.
 
 
Prerequisites and Assumptions
 
List 11.2 shows the prerequisites and assumptions to develop and apply the Terminal Server Security Baseline.
List 11.2
Part 1.  Server Role Configurations
  • For security reasons, the example server role disables Remote Windows Administration. To enable remote administration in the Security Configuration Wizard, select “Remote Windows Administration” from the Select Administration and Other Options window.
  • When testing a baseline, the target test or pilot Terminal Server will be provisioned identically to the production Terminal Servers.
  • Validate and inventory all required anti-virus services.
  • Validate and inventory all required anti-virus inbound ports.
  • All applications will be tested and validated against the security profile before a production GPO is validated, named and deployed to production.
Part 2.  Terminal Server Security Configurations
  • Client/Server data redirection and encryption level configurations will be reviewed to determine which settings will be implemented.
  • Server scalability metrics will be validated to determine the maximum sessions per server. The metric is necessary to implement Appendix B, Section B.1.3 of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG.
  • By default, Terminal Servers allow an unlimited number of connections that allow a potential for denial of service (DoS) attacks.
  • Windows Messenger usage will be reviewed to determine which security controls outlined in Appendix B, Section B.3.0 of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG will be implemented.
  • The Windows Time Service will be reviewed to determine how to implement Appendix B, Section B.6 of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG.
    • The Windows Time service maintains date and time synchronization for Windows 2000/XP/2003 machines. Time synchronization is used to ensure the security of Kerberos authentication within an Active Directory environment. Synchronizing to a reliable time source can reduce the risk of replay attacks.
  • Folder redirection will be implemented for Application Data, Desktop, My Documents and the Start Menu.
  • All GPO settings will be validated in a lab environment before deployed into production.
Part 3.  Desktop Security
  • When testing the desktop security controls, the target test or pilot Terminal Server will be provisioned identically to the production Terminal Servers.
 
Tip: While developing policies, it is possible to lock yourself and users out of the machine. A quick way to circumvent policies is to reboot the machine into safe mode. While in safe mode, policies are not applied and administrative capabilities will be restored. Edit the policy, execute “gpupdate”, and then restart the computer.
 
The following example is a tier 3 Terminal Server Security Baseline that will create a secure, restrictive environment. The example baseline starts with a Purpose and Scope statement, which is followed by the procedure to create an XML template for a Windows Server 2003 Terminal Server with the Security Configuration Wizard, export it as a GPO and then link it to the Terminal Server Organizational Unit. Next is the configuration of the security controls from Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG, followed by the recommended restrictive computer and user settings from Microsoft’s “Locking Down Windows Server 2003 Terminal Server Sessions” white paper. The final section reviews the configuration of desktop security controls. The baseline concludes with the Policy Review, Compliance and Related Policies, Standards, and Guidelines statements. This baseline is intended for informational purposes only.
 
 
 
Purpose
The purpose of this baseline is to define a security baseline for all Terminal Servers. Before any servers are placed on the production network, standard processes will be executed to ensure that all servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
 
Scope
This baseline is for all Windows Terminal Servers on the internal network and will be reviewed in conjunction with the other IT infrastructure policies. This baseline is divided into two sections: Server Role Configurations and Terminal Server Security Configurations.
 
Terminal Server Security Baseline
1.0 Server Role Configurations
The following procedure creates an XML template for a Windows Server 2003 Terminal Server using the Security Configuration Wizard, exports it as a GPO and then links it to the Terminal Server Organizational Unit.
 
The template will be created, tested and validated in a lab or pilot environment on a test server. The test server will be provisioned identically to the production Terminal Servers. All of the template settings will be validated against each production application with test users. While testing templates, the revision number will be appended to the end of the file name, such as WTS_DEV01, WTS_DEV02, and so forth. Once a template is validated, it will be named WTS_Prod_month/day/year and placed in production. Template modifications will be made using the Security Configuration Wizard option “Edit an existing security policy.”
 
1.      Log on to the target Terminal Server as administrator.
2.      Click Start > Run, type “scw.exe” in the text area, and then click OK to access the Security Configuration Wizard.
3.      From the Welcome window, click Next to proceed.
4.      From the Configuration Action window, select the “Create a new security policy” radio button. Click Next to proceed.
5.      From the Select Server window, enter the “FQDN” of the local host. Click Next to proceed.
6.      From the Processing Security Configuration Database window, wait until the database has processed. Click Next to proceed.
7.      From the Role-Based Service Configuration window, click Next to proceed.
8.      From the Select Server Roles window, select only “Terminal Server.” Click Next to proceed.
9.      From the Select Client Features window, select the following:
  • Automatic update client
  • DNS client
  • DNS registration client
  • Domain member
  • Microsoft networking client
  • WINS client
Click Next to proceed.
10. From the Select Administrator and Other Options window, select the following:
  • Application Experience Lookup Service
  • Application installation from Group Policy
  • Terminal Server Printer Redirection
Click Next to proceed.
11. From the Select Additional Services window, select the desired anti-virus services. Click Next to proceed.
12. From the Handle Unspecified Services window, set the policy to “Do not change startup mode of the service.” Click Next to proceed.
13. From the Confirm Services Changes window, click Next to proceed.
14. From the Network Security window, select the “Skip this section” check box. Click Next to proceed.
15. From the Registry Settings window, ensure that the “Skip this section” is unchecked. Click Next to proceed.
16. From the Required SMB Security Signatures window, unselect both options. Click Next to proceed.
17. From the Outbound Authentication Methods window, unselect all of the options. Click Next to proceed.
18. From the Inbound Authentication Methods window, unselect all of the options. Click Next to proceed.
19. From the Registry Settings Summary window, click Next to proceed.
20. From the Audit Policy window, ensure that the “Skip this section” is unchecked. Click Next to proceed.
21. From the System Audit Policy window, select “Audit successful and unsuccessful activities.” Click Next to proceed.
22. From the Audit Policy Summary window, select the “Also include the Security Configuration Wizard Audit.inf security template” check box. Click Next to proceed.
23. From the Save Security Policy window, click Next to proceed.
24. From the Security Policy File Name window, accept the default path and type the template file name (for example, C:\WINDOWS\Security\msscw\Policies\WTS_Prod_month/day/year). Click Next to proceed.
25. From the Apply Security Policy window, select the “Apply now” radio button. Click Next to proceed.
26. From the Completing the Security Configuration Wizard window, click Finish to conclude the procedure.
 
Terminal Server Security Baseline
1.1 Server Role Configurations, Convert security policy file into a GPO.
 
1.      Log on to a domain member server that has the Group Policy Management Console and the Security Configuration Wizard as an administrator.
2.      From a command prompt, type: “scwcmd transform /p:PathToPolicyFile /g:DesiredGPODisplayName”. PathToPolicyFile is the production policy file created with the Security Configuration Wizard, including its .xml file extension. DesiredGPODisplayName is the name of the Group Policy Object as it appears in Group Policy Object Editor or in Group Policy Management Console.
3.      Open the Group Policy Management Console. In the left pane, expand the forest and domain nodes and select the WTS Organizational Unit. Right-click the WTS Organizational Unit and link the GPO created in step 2 (the above step) to complete the procedure.
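The following PowerShell script is added here as an illustration; it is not part of the chapter, the STIG, or the Security Configuration Wizard documentation. It automates steps 2 and 3 above and adds a verification pass: it converts the policy file into a GPO with scwcmd transform, links the GPO to the Terminal Server OU, and then runs scwcmd analyze against the test server so that any drift between the running server and the policy is reported before the GPO reaches production. It assumes a management host with scwcmd.exe and, for New-GPLink, the GroupPolicy PowerShell module (RSAT on Windows Server 2008 R2 or later, which is newer than the platform this chapter targets); the policy path, GPO name, OU distinguished name and test server name are placeholders.

```powershell
# Added example: convert an SCW policy into a GPO, link it, and verify a test server.
# Not part of the chapter. Assumes scwcmd.exe is present and, for New-GPLink, the
# GroupPolicy module (RSAT, Windows Server 2008 R2 or later). All names below are
# placeholders to be replaced with the organization's own values.
param(
    [string]$PolicyFile = 'C:\WINDOWS\Security\msscw\Policies\WTS_Prod_MM-DD-YYYY.xml',  # placeholder
    [string]$GpoName    = 'WTS_Prod_MM-DD-YYYY',                                         # placeholder
    [string]$TargetOU   = 'OU=WTS,DC=example,DC=local',                                   # placeholder
    [string]$TestServer = 'WTS-TEST01',                                                   # placeholder
    [string]$ResultDir  = 'C:\SCW-Results'
)

function Invoke-ScwTransform {
    param([string]$PolicyFile, [string]$GpoName)
    if (-not (Test-Path $PolicyFile)) { throw "Policy file not found: $PolicyFile" }
    # Creates a GPO in the current domain from the SCW XML policy (Part 1.1, step 2)
    & scwcmd.exe transform "/p:$PolicyFile" "/g:$GpoName"
    if ($LASTEXITCODE -ne 0) { throw "scwcmd transform failed (exit code $LASTEXITCODE)" }
}

function Add-GpoLinkToOU {
    param([string]$GpoName, [string]$TargetOU)
    Import-Module GroupPolicy
    # Links the GPO to the Terminal Server OU (Part 1.1, step 3); enabled but not enforced
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

function Test-ServerAgainstPolicy {
    param([string]$PolicyFile, [string]$TestServer, [string]$ResultDir)
    if (-not (Test-Path $ResultDir)) { New-Item -ItemType Directory -Path $ResultDir | Out-Null }
    # scwcmd analyze compares the running server with the policy without changing it;
    # one XML result file per analysed machine is written to $ResultDir
    & scwcmd.exe analyze "/m:$TestServer" "/p:$PolicyFile" "/o:$ResultDir"
    if ($LASTEXITCODE -ne 0) { throw "scwcmd analyze failed (exit code $LASTEXITCODE)" }
    Get-ChildItem -Path $ResultDir -Filter '*.xml'
}

Invoke-ScwTransform -PolicyFile $PolicyFile -GpoName $GpoName
Add-GpoLinkToOU -GpoName $GpoName -TargetOU $TargetOU
$reports = Test-ServerAgainstPolicy -PolicyFile $PolicyFile -TestServer $TestServer -ResultDir $ResultDir
Write-Host "GPO '$GpoName' linked to $TargetOU; analysis reports:"
$reports | ForEach-Object { Write-Host "  $($_.FullName)  (render with: scwcmd view /x:$($_.FullName))" }
```

Run the script from an account that is a member of Domain Admins (or has been delegated GPO creation and the right to link GPOs to the OU); the analyzed server must itself have the Security Configuration Wizard installed, since scwcmd analyze uses the SCW engine on the target. The analysis pass is the useful part for the baseline process described in this chapter: repeating it against a production server after deployment turns the baseline into something that can be audited rather than only applied.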
 
Terminal Server Security Baseline
Part 2. Terminal Server Security Configurations (Source: Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG)
 
1.      Log on to a domain member server with the Group Policy Management Console as an administrator.
2.      Open the Group Policy Management Console. In the left pane, expand the forest and domain nodes. Then expand the WTS Organizational Unit, right-click the “WTS_Prod_month/day/year” GPO and click Edit. Add the following settings:
3.      Computer Configurations > Administrative Templates > System > Group Policy and enable the “Use Group Policy loopback processing mode” policy.
4.      B.1.1. Computer Configurations > Administrative Templates > Windows Components > Terminal Services and disable the “Keep-Alive Connections” policy.
5.      B.1.2. Computer Configurations > Administrative Templates > Windows Components > Terminal Services and enable the “Restrict Terminal Server users to a single remote session” policy.
6.      B.1.3. Computer Configurations > Administrative Templates > Windows Components > Terminal Services and enable the “Limit number of connections” policy, set to “<number of maximum connections allowed>.”
7.      B.1.4. Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Temporary folders and disable the “Do not use temp folders per session” policy.
8.      B.1.5. Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Temporary folders and disable the “Do not delete temp folder upon exit” policy.
9.      B.1.6. Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Sessions and enable the “Set a time limit for active but idle Terminal Services sessions” policy and set the idle session limit to “15 minutes.”
10.    B.1.7. Computer Configurations > Administrative Templates > Windows Components > Terminal Services > Sessions and enable the “Terminate session when time limits are reached” policy.
11.    B.2.1. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Always install with elevated privileges” policy.
12.    B.2.1. User Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Always install with elevated privileges” policy.
13.    B.2.2. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Disable IE security prompt for Windows Installer scripts” policy.
14.    B.2.3. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Enable user control over installs” policy.
15.    B.2.4. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Enable user to browse for source while elevated” policy.
16.    B.2.5. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Enable user to use media source while elevated” policy.
17.    B.2.6. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Enable user to patch elevated products” policy.
18.    B.2.7. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and disable the “Allow admin to install from Terminal Services session” policy.
19.    B.2.8. Computer Configurations > Administrative Templates > Windows Components > Windows Installer and enable the “Cache transforms in secure location on workstation” policy.
20.    B.3. Computer Configurations > Administrative Templates > Windows Components > Windows Messenger and enable the “Do not allow Windows Messenger to be run” policy.
21.    B.3.1. Computer Configurations > Administrative Templates > Windows Components > Windows Messenger and enable the “Do not automatically start Windows Messenger initially” policy.
22.    B.5. Computer Configurations > Administrative Templates > System > Group Policy and disable the “Turn off background refresh of Group Policy” policy.
23.    B.7.1. Computer Configurations > Administrative Templates > Network > Network Connections and enable the “Prohibit use of Internet Connection Sharing on your DNS domain network” policy.
24.    B.7.2. Computer Configurations > Administrative Templates > Network > Network Connections and enable the “Prohibit installation and configuration of Network Bridge on your DNS domain network” policy.
25.    B.9. Computer Configurations > Administrative Templates > Windows Components > Windows Media Player and enable the “Prevent Automatic Updates” policy.
26.    B.9. User Configurations > Administrative Templates > Windows Components > Windows Media Player > Playback and enable the “Prevent Codec Download” policy.
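Once the GPO above has applied, an administrator needs a repeatable way to confirm that a given Terminal Server actually carries the settings from Tables 11.1 and 11.2 and from Part 2, rather than trusting that the link took effect. The PowerShell script below is an added example serving both of those passages; it is not part of the chapter or the STIG. It reads the policy branch of the registry that Group Policy populates and reports each setting as Compliant, NonCompliant, or NotConfigured. The registry value names are the ones the Windows Server 2003 administrative templates write for these policies (for example fDisableCdm for drive redirection and MinEncryptionLevel for the encryption level); they are supplied from general knowledge of those templates, not from the chapter, so verify them against your organization's ADM files before relying on the script. The maximum connection count and the chosen encryption level are placeholders for values the organization decides. The script runs locally on the Terminal Server with PowerShell 2.0 or later after a “gpupdate /force”.

```powershell
# Added example (not from the chapter or the STIG): audit a Terminal Server's
# policy registry values against the baseline settings in Tables 11.1/11.2 and Part 2.
# Value names are those written by the Windows Server 2003 administrative templates;
# confirm them against your own ADM files. Run locally, PowerShell 2.0 or later.
$TS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$MSI = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$GP  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$NET = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$MSG = 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client'
$WMP = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer'

# Organization-specific choices (placeholders): maximum sessions for B.1.3 and the
# encryption level chosen from Table 11.2 (1=Low, 2=Client Compatible, 3=High, 4=FIPS).
$MaxConnections  = 40
$EncryptionLevel = 3

# One entry per setting: registry path, value name, acceptable value(s), and the policy it reflects
$Checks = @(
    @{ Path=$TS;  Name='fDisableCdm';             Expect=@(1);                Policy='Do not allow drive redirection (Table 11.1, Part 2.1 step 5)' },
    @{ Path=$TS;  Name='fDisableClip';            Expect=@(1);                Policy='Do not allow clipboard redirection (Table 11.1, if adopted)' },
    @{ Path=$TS;  Name='MinEncryptionLevel';      Expect=@($EncryptionLevel); Policy='Client connection encryption level (Table 11.2)' },
    @{ Path=$TS;  Name='KeepAliveEnable';         Expect=@(0);                Policy='B.1.1 Keep-Alive Connections disabled' },
    @{ Path=$TS;  Name='fSingleSessionPerUser';   Expect=@(1);                Policy='B.1.2 Restrict users to a single remote session' },
    @{ Path=$TS;  Name='MaxInstanceCount';        Expect=@($MaxConnections);  Policy='B.1.3 Limit number of connections' },
    @{ Path=$TS;  Name='PerSessionTempDir';       Expect=@(1);                Policy='B.1.4 Per-session temp folders in use' },
    @{ Path=$TS;  Name='DeleteTempDirsOnExit';    Expect=@(1);                Policy='B.1.5 Temp folders deleted on exit' },
    @{ Path=$TS;  Name='MaxIdleTime';             Expect=@(900000);           Policy='B.1.6 Idle session limit 15 minutes (value in milliseconds)' },
    @{ Path=$TS;  Name='fResetBroken';            Expect=@(1);                Policy='B.1.7 Terminate session when time limits are reached' },
    @{ Path=$MSI; Name='AlwaysInstallElevated';   Expect=@(0);                Policy='B.2.1 Always install with elevated privileges disabled' },
    @{ Path=$MSI; Name='EnableUserControl';       Expect=@(0);                Policy='B.2.3 Enable user control over installs disabled' },
    @{ Path=$MSI; Name='EnableAdminTSRemote';     Expect=@(0);                Policy='B.2.7 Admin install from Terminal Services session disabled' },
    @{ Path=$MSI; Name='TransformsSecure';        Expect=@(1);                Policy='B.2.8 Cache transforms in secure location' },
    @{ Path=$MSG; Name='PreventRun';              Expect=@(1);                Policy='B.3 Do not allow Windows Messenger to be run' },
    @{ Path=$MSG; Name='PreventAutoRun';          Expect=@(1);                Policy='B.3.1 Do not automatically start Windows Messenger' },
    @{ Path=$GP;  Name='UserPolicyMode';          Expect=@(1,2);              Policy='Loopback processing mode (1=merge, 2=replace)' },
    @{ Path=$GP;  Name='DisableBkGndGroupPolicy'; Expect=@(0);                Policy='B.5 Background refresh of Group Policy left on' },
    @{ Path=$NET; Name='NC_ShowSharedAccessUI';   Expect=@(0);                Policy='B.7.1 Prohibit Internet Connection Sharing' },
    @{ Path=$NET; Name='NC_AllowNetBridge_NLA';   Expect=@(0);                Policy='B.7.2 Prohibit Network Bridge' },
    @{ Path=$WMP; Name='DisableAutoUpdate';       Expect=@(1);                Policy='B.9 Prevent Automatic Updates (Windows Media Player)' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is Not Configured
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-TsBaseline {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $state = if ($actual -eq $null) { 'NotConfigured' }
                 elseif ($c.Expect -contains [int]$actual) { 'Compliant' }
                 else { 'NonCompliant' }
        New-Object PSObject -Property @{
            State    = $state
            Value    = $c.Name
            Expected = ($c.Expect -join ' or ')
            Actual   = $actual
            Policy   = $c.Policy
        }
    }
}

$results = Test-TsBaseline -Checks $Checks
$results | Sort-Object State | Format-Table State, Value, Expected, Actual, Policy -AutoSize
# A non-zero exit code lets a scheduled job flag drift from the baseline
$drift = @($results | Where-Object { $_.State -ne 'Compliant' }).Count
exit $drift
```

NotConfigured is reported separately from NonCompliant on purpose: when a policy is Not Configured the value is absent from the Policies branch and the local setting made with tscc.msc governs, which is exactly the situation the centrally managed baseline is meant to eliminate. A policy set to Disabled writes the “off” value listed in the Expect column, so steps such as B.1.4 and B.2.1, which the baseline disables, still produce a concrete value to check. Add User Configuration settings (B.2.1 and B.9 under HKCU) in a separate run under a test user account, since the HKLM branch audited here does not contain them.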
 
Terminal Server Security Baseline
Part 2.1 Terminal Server Security Configurations (Source: Microsoft’s white paper “Locking Down Windows Server 2003 Terminal Server Sessions”)
 
1.      Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and enable the "Devices: Restrict CD-ROM access to locally logged-on user only" policy.
2.      Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and enable the "Devices: Restrict floppy access to locally logged-on user only" policy.
3.      Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and enable the "Interactive logon: Do not display last user name" policy.
4.      Computer Configuration > Windows Settings > Security Settings > System Services and disable the "Help and Support" policy.
5.      Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Client/Server data redirection and enable the "Do not allow drive redirection" policy.
6.      User Configuration > Windows Settings > Folder Redirection and right click the “Application Data” node to access its properties. Recommended setting: “Basic redirection” and “Create a folder for each user under the root path.” Enter the desired Root Path. On the Settings tab, enable “Grant the user exclusive rights to Application Data.” Enable “Move contents of Application Data folder to new location.” Set the policy removal to “Redirect the folder back to the local user profile location when policy is removed.”
7.      User Configuration > Windows Settings > Folder Redirection and right click the “Desktop” node to access its properties. Recommended setting: “Basic redirection” and “Create a folder for each user under the root path.” Enter the desired Root Path. On the Settings tab, enable “Grant the user exclusive rights to Desktop.” Enable “Move contents of Desktop to the new location.” Set the policy removal to “Redirect the folder back to the local user profile location when policy is removed.”
8.      User Configuration > Windows Settings > Folder Redirection and right click the “My Documents” node to access its properties. Recommended setting: “Basic redirection” and “Create a folder for each user under the root path.” Enter the desired Root Path. On the Settings tab, enable “Grant the user exclusive rights to My Documents.” Enable “Move contents of My Documents to the new location.” Set the policy removal to “Redirect the folder back to the local user profile location when policy is removed.”
9.      User Configuration > Windows Settings > Folder Redirection and right click the “Start Menu” node to access its properties. Recommended setting: “Basic redirection” and “Redirect to the following location.” Enter the desired Root Path. On the Settings tab, set the policy removal to “Redirect the folder back to the local user profile location when the policy is removed.”
10. User Configuration > Administrative Templates > Windows Components > Internet Explorer and enable the "Search: Disable Find Files via F3 within the browser" policy.
11. User Configuration > Administrative Templates > Windows Components > Internet Explorer > Browser menus and enable the "Disable Context menu" policy.
12. User Configuration > Administrative Templates > Windows Components > Application Compatibility and enable the "Prevent access to 16-bit applications" policy.
13. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Removes the Folder Options menu item from the Tools menu" policy.
14. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove File menu from Windows Explorer" policy.
15. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Map Network Drive and Disconnect Network Drive" policy.
16. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Search button from Windows Explorer" policy.
17. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Security Tab" policy.
18. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Windows Explorer's default context menu" policy.
19. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Hides the Manage item on the Windows Explorer shortcut menu" policy.
20. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Hide these specified drives in My Computer" policy and then select “Enabled – Restrict all drives.”
21. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Prevent access to drives from My Computer" policy and then select “Enabled – Restrict all drives.”
22. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Hardware tab" policy.
23. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Order Prints from Picture Tasks" policy.
24. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Remove Publish to Web from File and Folders Tasks" policy.
25. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "No “Computers Near Me” in My Network Places" policy.
26. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "No “Entire Network” in My Network Places" policy.
27. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Turn off Windows+X hotkeys" policy.
28. User Configuration > Administrative Templates > Windows Components > Windows Explorer and enable the "Turn on Classic Shell" policy.
29. User Configuration > Administrative Templates > Windows Components > Windows Explorer > Common Open File Dialog and enable the "Hide the common dialog places bar" policy.
30. User Configuration > Administrative Templates > Windows Components > Task Scheduler and enable the "Hide Property Pages" policy.
31. User Configuration > Administrative Templates > Windows Components > Task Scheduler and enable the "Prohibit New Task Creation" policy.
32. User Configuration > Administrative Templates > Windows Components > Windows Update and enable the "Remove access to use all Windows Update features" policy.
33. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove links and access to Windows Update" policy.
34. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove common program groups from Start Menu" policy.
35. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove pinned programs list from Start Menu" policy.
36. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove programs on Settings menu" policy.
37. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove Network Connections from Start Menu" policy.
38. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove the Search menu from Start Menu" policy.
39. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove Drag-and-Drop shortcut menus on Start Menu" policy.
40. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove Favorites menu from Start Menu" policy.
41. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove Help menu from Start Menu" policy.
42. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove Run menu from Start Menu" policy.
43. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove My Network Place icon from Start Menu" policy.
44. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Add Logoff to Start Menu" policy.
45. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove and prevent access to Shut Down command" policy.
46. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Prevent changes to Taskbar and Start Menu settings" policy.
47. User Configuration > Administrative Templates > Start Menu & Taskbar and enable the "Remove access to the shortcut menus for the taskbar" policy.
48. User Configuration > Administrative Templates > Desktop and enable the "Remove Properties from My Documents shortcut menu" policy.
49. User Configuration > Administrative Templates > Desktop and enable the "Remove Properties from My Computer shortcut menu" policy.
50. User Configuration > Administrative Templates > Desktop and enable the "Remove Properties from Recycle Bin shortcut menu" policy.
51. User Configuration > Administrative Templates > Desktop and enable the "Hide My Network Places icon on desktop" policy.
52. User Configuration > Administrative Templates > Desktop and enable the "Prohibit user from changing My Documents path" policy.
53. User Configuration > Administrative Templates > Desktop and enable the "Remove My Computer icon on the desktop" policy.
54. User Configuration > Administrative Templates > Control Panel and enable the "Prohibit access to the Control Panel" policy.
55. User Configuration > Administrative Templates > Control Panel > Add or Remove Programs and enable the "Remove Add or Remove Programs" policy.
56. User Configuration > Administrative Templates > Control Panel > Printers and enable the "Prevent addition of printers" policy.
57. User Configuration > Administrative Templates > System and enable the "Prevent access to the command prompt" policy and set “Disable the command prompt script processing also” to No.
58. User Configuration > Administrative Templates > System and enable the "Prevent access to registry editing tools" policy.
59. User Configuration > Administrative Templates > System > CTRL+ALT+DEL Options and enable the "Remove Task Manager" policy.
60. User Configuration > Administrative Templates > System > Scripts and enable the "Run legacy logon scripts hidden" policy.
 
Terminal Server Security Baseline
Part 2.2 Desktop Security Controls
 
1.      User Configuration > Administrative Templates > Control Panel > Prohibit access to the control panel and enable the policy.
2.      User Configuration > Administrative Templates > Desktop > Active Desktop > Disable Active Desktop and enable the policy.
3.      User Configuration > Administrative Templates > Start Menu and Taskbar > Remove common start menu groups from Start Menu and enable the policy.
4.      User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Network Connections from Start Menu and enable the policy.
5.      User Configuration > Administrative Templates > Start Menu and Taskbar > Remove My Network Places icon from Start Menu and enable the policy.
6.      User Configuration > Administrative Templates > Start Menu and Taskbar > Remove and prevent access to the Shut Down command and enable the policy.
7.      User Configuration > Administrative Templates > Start Menu and Taskbar > Remove Set Program Access and Defaults from Start Menu and enable the policy.
8.      Close the Group Policy properties and exit the Group Policy Management Console.
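A lockdown like the one in Parts 2.1 and 2.2 is only as good as its enforcement, so a practitioner usually wants a repeatable check that a user session actually carries the settings. The following Python script is an added example, not code from the chapter or from Microsoft: it parses the text of a `reg export` dump of the user's policy keys and compares a selection of the registry-backed values that these User Configuration policies write against the expected baseline, reporting each policy that is missing or set differently. The policy-to-registry mapping, the value names and the expected data are the author's assumption about the registry equivalents of the listed Group Policy settings, and the export shown is constructed for illustration.

```python
"""Audit a Terminal Server user lockdown against a registry export (added example)."""
import re
from typing import Dict, List, Tuple

# Assumed mapping: Group Policy setting -> (registry key, value name, expected DWORD).
# These are the registry-backed values the listed User Configuration policies write
# when the GPO applies; the selection illustrates the baseline and is not exhaustive.
HKCU_POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
HKCU_WINDOWS = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows"
ALL_DRIVES = 0x03FFFFFF  # bit mask covering drives A: through Z: ("Restrict all drives")

BASELINE: Dict[str, Tuple[str, str, int]] = {
    "Prohibit access to the Control Panel": (HKCU_POLICIES + r"\Explorer", "NoControlPanel", 1),
    "Remove Run menu from Start Menu": (HKCU_POLICIES + r"\Explorer", "NoRun", 1),
    "Remove and prevent access to Shut Down command": (HKCU_POLICIES + r"\Explorer", "NoClose", 1),
    "Hide these specified drives in My Computer": (HKCU_POLICIES + r"\Explorer", "NoDrives", ALL_DRIVES),
    "Prevent access to drives from My Computer": (HKCU_POLICIES + r"\Explorer", "NoViewOnDrive", ALL_DRIVES),
    "Remove Security Tab": (HKCU_POLICIES + r"\Explorer", "NoSecurityTab", 1),
    "Remove Map Network Drive and Disconnect Network Drive": (HKCU_POLICIES + r"\Explorer", "NoNetConnectDisconnect", 1),
    "Remove Network Connections from Start Menu": (HKCU_POLICIES + r"\Explorer", "NoNetworkConnections", 1),
    "Turn off Windows+X hotkeys": (HKCU_POLICIES + r"\Explorer", "NoWinKeys", 1),
    "Disable Active Desktop": (HKCU_POLICIES + r"\Explorer", "NoActiveDesktop", 1),
    "Remove Add or Remove Programs": (HKCU_POLICIES + r"\Uninstall", "NoAddRemovePrograms", 1),
    "Prevent access to registry editing tools": (HKCU_POLICIES + r"\System", "DisableRegistryTools", 1),
    "Remove Task Manager": (HKCU_POLICIES + r"\System", "DisableTaskMgr", 1),
    # DisableCMD=1 blocks interactive cmd.exe but still lets logon scripts run, which is the
    # "Disable the command prompt script processing also = No" choice in step 57; 2 blocks both.
    "Prevent access to the command prompt": (HKCU_WINDOWS + r"\System", "DisableCMD", 1),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key, value_name): int} for every DWORD value in .reg export text.

    Only DWORDs are collected because every policy in BASELINE is a DWORD; keys and
    value names are lower-cased because the registry is case-insensitive.
    """
    values: Dict[Tuple[str, str], int] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        val_match = _DWORD_RE.match(line)
        if val_match and current_key is not None:
            values[(current_key, val_match.group(1).lower())] = int(val_match.group(2), 16)
    return values


def audit(values: Dict[Tuple[str, str], int], baseline=BASELINE) -> List[str]:
    """Return one finding per policy whose value is absent or differs from the baseline."""
    findings = []
    for policy, (key, name, expected) in baseline.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append(f"MISSING  {policy}: {key}\\{name} not present")
        elif actual != expected:
            findings.append(f"MISMATCH {policy}: {name}={actual:#x}, expected {expected:#x}")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a file written by `reg export`, which is UTF-16LE with a byte-order mark."""
    with open(path, encoding="utf-16") as handle:
        return audit(parse_reg_export(handle.read()))


# Constructed sample export: Task Manager policy absent, DisableCMD set to 2 instead of 1.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoDrives"=dword:03ffffff
"NoViewOnDrive"=dword:03ffffff
"NoSecurityTab"=dword:00000001
"NoNetConnectDisconnect"=dword:00000001
"NoNetworkConnections"=dword:00000001
"NoWinKeys"=dword:00000001
"NoActiveDesktop"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]
"NoAddRemovePrograms"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000002
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run the script as the locked-down test user (the HKCU values only exist in that user's session) after exporting `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies` and `HKCU\Software\Policies\Microsoft\Windows` with `reg export`, then pass the file to `audit_file`. On the constructed sample it reports the missing Task Manager policy and the stricter-than-intended DisableCMD value; extending BASELINE with further entries from the list above follows the same (key, value name, expected data) pattern.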
 
Policy Review
This policy will be reviewed bi-annually.
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
Related Policies, Standards, and Guidelines
Change Management Policy
 
 
This chapter discussed a Terminal Server Security Baseline policy, its contents, and how it relates to other IT infrastructure policies. It highlighted Server Role Configurations using Microsoft’s Security Configuration Wizard, followed by an overview of Terminal Server Security Configurations from Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG, the recommended restrictive computer and user settings from Microsoft’s “Locking Down Windows Server 2003 Terminal Server Sessions” white paper, and Terminal Server desktop security controls. The chapter concluded with a review of an example Terminal Server Security Baseline.
 
Terminal Server Security Baseline
  • The development of a Terminal Server Security Baseline requires extensive testing to ensure application operability and to validate that user restrictions do not hinder productivity.
  • Organizations evaluate their unique requirements to develop a security baseline that provides sufficient security and manageability, without limiting productivity.
  • Organizations develop baseline configurations to introduce Quality Assurance (QA) and reduce risk associated with the installation and configuration of technologies.
  • Terminal Server Security Baselines typically cover Server Role configurations, Terminal Server Security configurations and Terminal Server desktop security controls.
Security Configuration Wizard
  • Microsoft calls the Security Configuration Wizard “an attack-surface reduction tool for the Windows Server 2003 with Service Pack 1 family of products.”
  • The Security Configuration Wizard leverages Windows 2003's roles-based infrastructure to determine which ports and services need to be enabled for a given server role.
  • While developing a security policy, the server role’s minimum requirements are defined by disabling functionality that is not required.
  • Developing a security policy is broken down into five sections related to the server's roles and functions: Server Role, Network Security, Registry Settings, Audit Policy, and Internet Information Services (if installed).
 
Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG
  • The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for the U.S. Department of Defense (DoD) Information Assurance (IA) and Information Assurance-enabled devices and systems.
  • Appendix B of the Windows 2003/XP/2000 Addendum Version 5, Release 1 STIG addressed the Department of Defense’s minimum security requirements for Terminal Server.
  • Appendix B is broken into nine sections.
  • Not all of the settings from the STIGs are necessary; therefore organizations should evaluate and test all of the settings to determine if they are too restrictive for their environment.
 
Locking Down Windows Server 2003 Terminal Server Sessions
  • An extensive list of recommended restrictive settings can be found in a Microsoft white paper named “Locking Down Windows Server 2003 Terminal Server Sessions.”
  • Not all of the settings from Microsoft’s white paper are necessary; therefore organizations should evaluate and test all of the settings to determine if they are too restrictive for their environment.
 
Terminal Server Desktop Security
  • The main objectives of desktop security are to provide standardization, security and compliance.
  • Desktop security controls for Terminal Server ensure that the Terminal Server desktop environment is secured in a way to protect the operating system and network from unauthorized user access.
  • There are various user level Group Policy Object settings that provide control over Control Panel, Start Menu, Taskbar and Desktop options.
 
The next chapter will review two tier 3 Configuration Baselines, a Session Directory Configuration Baseline, and a Terminal Server Session Directory Group Policy Configuration Baseline.
 
References
Security Configuration Wizard Documentation:
http://www.microsoft.com/downloads/details.aspx?familyid=903fd496-9eb9-4a45-aa00-3f2f20fd6171&displaylang=en
Microsoft white paper named “Locking Down Windows Server 2003 Terminal Server Sessions”:
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx