Chapter 13: Session Directory Configuration Baseline

Chapter Overview:
This chapter reviews two tier 3 Session Directory Configuration Baselines. The first is a Session Directory Configuration Baseline that specifies an organization’s approved installation and configuration standard for Microsoft Session Directory. It is followed by a Terminal Server Session Directory Group Policy Configuration Baseline that defines an approved configuration standard for Terminal Servers that participate in a Terminal Server Session Directory.
 
Organizations develop baseline configurations to introduce Quality Assurance (QA) and reduce the risk associated with the installation and configuration of technologies. Baselines are security controls that work in conjunction with other security controls, such as policies and standards. Together these controls provide guidance to plan, build, run and monitor an organization’s technology portfolio as a single unit.
 
As discussed in Chapter 2, it is important to consider what happens when the Session Directory fails. Beyond the loss of Session Directory functionality (users can no longer be reconnected to their existing disconnected sessions), logon times increase because each Terminal Server attempts to contact the unavailable Session Directory server. With large server farms, a failed Session Directory can affect the availability of services. Microsoft clustering technology can be implemented to provide fault tolerance and high availability for the Session Directory and help meet business and regulatory requirements.
 
From a regulatory compliance perspective, Session Directory fault tolerance is often a requirement. A Risk Assessment should be conducted to validate whether regulatory or business requirements mandate Session Directory fault tolerance.
 
To use the Session Directory, the following three configurations are needed:
1.      Turn on the Session Directory service. (Session Directory Server)
2.      Add each Terminal Server account to the Session Directory Computers group. (Session Directory Server)
3.      Configure each Windows Server 2003 Enterprise Edition Terminal Server in the farm to participate in the Session Directory. (Terminal Servers)
 
The first two configurations are made locally on the server hosting the Session Directory service. The third configuration can be made in one of three ways: locally on each server with local Group Policy, locally on each server with the Terminal Services Configuration tool (tscc.msc), or centrally via Active Directory Group Policy. Each option has its pros and cons. Microsoft recommends Active Directory Group Policy because the setting is configured and managed centrally, and every farm member receives the same values. Business requirements and personal preference will dictate the configuration used for an environment.
 
As discussed in Chapter 2, the first time the Session Directory service is started, a new local group called Session Directory Computers is created. By default, the Session Directory Computers group is empty. Access to Session Directory functionality must be explicitly granted by adding each Terminal Server’s domain computer account to the Session Directory Computers group; the Session Directory service accepts connections only from servers in this local group. The accounts can be added individually, or a domain group containing the Terminal Servers can be created and then added to the local Session Directory Computers group.
 
List 13.1 shows the prerequisites and assumptions for the following Session Directory Configuration Baseline:
  • The domain member server hosting the Session Directory service is on a highly-available hardware platform.
  • Terminal Server domain computer accounts have been added to a domain group that will be added to the Session Directory Computers group.
 
The following example Session Directory Configuration Baseline reviews the configuration of a single member server in an Active Directory domain supporting a load-balanced Terminal Server farm. The example baseline begins with a Purpose and Scope statement and then continues with the procedure to turn on the Session Directory service. It concludes with adding a domain group that contains the Terminal Server farm members. This baseline is intended for informational purposes only.
 
Session Directory Configuration Baseline
 
Purpose
The purpose of this baseline is to define standards for the installation and baseline configuration of Microsoft Session Directory. Before any servers are placed on the production network, standard processes will be executed to ensure that all servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
 
Scope
This baseline is for all Windows Session Directory servers on the internal network and will be reviewed in conjunction with the other IT infrastructure policies.
 
Baseline
Part 1: Turn on the Session Directory Service
1.      Log on to the Session Directory server as administrator.
2.      From the Session Directory server desktop, click Start, click Run, type “services.msc /a,” and then press Enter to access the Services Console.
3.      As shown in Figure 1, in the right pane under the Name column, double-click the “Terminal Services Session Directory” service to access its properties.
 
Figure 1
 
4.      On the General tab of the Terminal Services Session Directory Properties dialog, change the Startup type from Disabled to Automatic, and then click Apply. Next click the Start button to start the Session Directory service. Validate that the service status is Started before proceeding.
5.      As shown in Figure 2, from the Services Console, validate that the Terminal Services Session Directory service is Started and the Startup Type is set to Automatic. Close the Services Console.
 
Figure 2
 
Configuration Baseline
Part 2: Add the domain group with the Terminal Server domain computer accounts to the Session Directory Computers group.
1.      From the Session Directory server desktop, click Start, click Run, type “lusrmgr.msc /a,” and then press Enter to access the Local Users and Groups Console.
2.      As shown in Figure 3, in the left pane of the tree view select “Groups,” and then in the right pane double-click the “Session Directory Computers” group to access its properties.
 
Figure 3
 
 
3.      From the Session Directory Computers properties, click Add to access the Select Users, Computers, or Groups window.
4.      Click the “Object Types” button. In the Object Types window, make sure Groups is selected, and click OK. (Select Computers as well only if individual Terminal Server computer accounts are being added instead of the domain group.)
5.      Enter the name of the Terminal Server domain group in the “Enter the object name to select” text box, and then click the “Check Names” button to validate it. After the group name is resolved, click OK, and then click OK on the Session Directory Computers properties dialog to complete the procedure.
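The two parts above can be scripted for repeatable builds and for the change record. The following PowerShell script is an added example, not part of the original baseline: it enables and starts the service (service name Tssdis), adds the domain group to the local Session Directory Computers group, and validates the result. The domain name CORP and the group name TS-Farm-Servers are assumptions chosen for illustration; substitute the organization’s own group from List 13.1.

```powershell
# Added example: scripted equivalent of Part 1 and Part 2, run on the Session Directory server
# as an administrator. Assumed names (not from the baseline): domain CORP, domain group
# TS-Farm-Servers containing the Terminal Server computer accounts.

$sdGroup   = 'Session Directory Computers'   # local group created when Tssdis first starts
$farmGroup = 'CORP\TS-Farm-Servers'          # assumed domain group of farm member accounts

# Part 1: set the Terminal Services Session Directory service to Automatic and start it.
Set-Service -Name Tssdis -StartupType Automatic
Start-Service -Name Tssdis
$svc = Get-Service -Name Tssdis
if ($svc.Status -ne 'Running') {
    throw "Tssdis did not start (status: $($svc.Status)); do not continue to Part 2."
}

# Part 2: grant the farm access by adding the domain group to the local group.
# The local group exists only after the first service start, which Part 1 guarantees.
# net.exe is used because it is present on every Windows Server build in scope.
$existing = net localgroup $sdGroup
if ($existing -notcontains $farmGroup) {
    net localgroup $sdGroup $farmGroup /add
    if ($LASTEXITCODE -ne 0) { throw "Failed to add $farmGroup to '$sdGroup'." }
}

# Validation for the change record: service state, start mode, and group membership.
# Get-Service does not expose the start mode on older PowerShell versions, so WMI is used.
$startMode = (Get-WmiObject Win32_Service -Filter "Name='Tssdis'").StartMode
"Tssdis status: $($svc.Status); start mode: $startMode"
"Domain members of '$sdGroup':"
net localgroup $sdGroup | Select-String '\\'
```

Run it once per Session Directory server (or on each node of a clustered Session Directory) and attach the output to the change ticket; the final listing is the evidence that only the intended farm group has been granted access.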
 
Policy Review
This policy will be reviewed annually.
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
Related Policies, Standards, and Guidelines
Change Management Policy
 
The next example is a Terminal Server Session Directory Group Policy Configuration Baseline.
 
List 13.2 shows prerequisites and assumptions for the following Terminal Server Session Directory Group Policy Configuration Baseline:
  • The Group Policy Management Console is available on the target domain member server.
  • All Terminal Server computer objects are in an Organizational Unit (OU) named WTS (Windows Terminal Server).
  • Terminal Server domain computer accounts have been added to a domain group that will be added to the Session Directory Computers group.
 
 
Purpose
The purpose of this policy is to define standards for the baseline configuration of <Company Name>’s Windows Terminal Servers that participate in the Terminal Server Session Directory. Before any servers are placed on the production network, standard processes will be executed to ensure that all servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use and disruptions in service.
 
Scope
This policy is specifically for all Windows Terminal Servers that participate in the Terminal Server Session Directory on the internal network.
 
Configuration Baseline
Group Policy Configuration
1.      Log on to a domain member server as administrator. From the desktop, click Start, click Run, type “gpmc.msc /a,” and then press Enter to access the Group Policy Management Console.
2.      In the left pane of the tree view, expand the WTS OU that contains the Terminal Server computer objects. Right-click the “WTS_Prod_month/day/year” Group Policy Object and click Edit.
3.      In the left pane of the tree view, navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Session Directory. Double-click the “Session Directory Server” policy to access its properties.
4.      On the Setting tab of the Session Directory Server Properties dialog, change the setting from “Not Configured” to “Enabled,” and then type the FQDN of the server hosting the Terminal Services Session Directory service in the “Session Directory Server” text box. Click OK to save the setting and close the window.
5.      Double-click the “Session Directory Cluster Name” setting to configure its properties.
6.      On the Setting tab of the Session Directory Cluster Name Properties dialog, change the setting from “Not Configured” to “Enabled,” and then type the FQDN of the Session Directory cluster name in the “Session Directory Cluster Name” text box. Click OK to save the setting and close the window.
7.      In the Group Policy Object Editor console, double-click the “Join Session Directory” setting to access its properties.
8.      On the Setting tab of the Join Session Directory Properties dialog, change the setting from “Not Configured” to “Enabled.” Click OK to save the setting and close the window.
9.      In the Group Policy Object Editor console, validate that the state of each of the Join Session Directory, Session Directory Server, and Session Directory Cluster Name settings is Enabled.
10. Close the Group Policy Object Editor console and the Group Policy Management Console to conclude the procedure.
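Enabling the settings in the GPO does not prove that a farm member received them, and a correctly applied policy is still useless if the Terminal Server cannot reach the Session Directory server. The following PowerShell script is an added example, not part of the original baseline, to be run on a Terminal Server in the WTS OU after the policy has refreshed (gpupdate /force). It reads the registry values that the three Session Directory policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (SessionDirectoryActive, SessionDirectoryLocation and SessionDirectoryClusterName), compares them with the baseline values, and tests that the RPC endpoint mapper (TCP 135) on the Session Directory server is reachable. The server name sd01.corp.example.com and the cluster name tsfarm.corp.example.com are assumed values for illustration.

```powershell
# Added example: Session Directory policy compliance check for a Terminal Server farm member.
# Run as an administrator after the WTS OU policy has applied (gpupdate /force).
# Assumed values (not from the baseline): Session Directory server sd01.corp.example.com,
# cluster name tsfarm.corp.example.com. Requires PowerShell 2.0 or later (try/catch/finally).

$expected = @{
    SessionDirectoryActive      = 1                         # "Join Session Directory" = Enabled
    SessionDirectoryLocation    = 'sd01.corp.example.com'   # "Session Directory Server"
    SessionDirectoryClusterName = 'tsfarm.corp.example.com' # "Session Directory Cluster Name"
}
# Registry location written by the Terminal Services\Session Directory policy settings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$compliant = $true
if (-not (Test-Path $policyKey)) {
    Write-Warning "Policy key $policyKey is missing; the WTS GPO has not applied to this server."
    $compliant = $false
} else {
    $actual = Get-ItemProperty -Path $policyKey
    foreach ($name in $expected.Keys) {
        $value = $actual.$name          # $null when the value has not been written
        if ($value -ne $expected[$name]) {
            Write-Warning "$name is '$value'; baseline expects '$($expected[$name])'."
            $compliant = $false
        }
    }
}

# The farm member talks to the Session Directory over RPC, which starts at the endpoint
# mapper on TCP 135, so confirm that port is reachable through any firewalls in the path.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($expected.SessionDirectoryLocation, 135)
    "RPC endpoint mapper on $($expected.SessionDirectoryLocation) is reachable."
} catch {
    Write-Warning "Cannot reach TCP 135 on $($expected.SessionDirectoryLocation): $_"
    $compliant = $false
} finally {
    $client.Close()
}

if ($compliant) { "Session Directory policy: COMPLIANT" } else { "Session Directory policy: NON-COMPLIANT" }
```

A non-compliant result on one farm member with a compliant result on the others usually means the computer object is outside the WTS OU, the GPO is filtered for that server, or the policy has not yet refreshed; Group Policy Results in the GPMC will show which.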
 
Policy Review
This policy will be reviewed annually.
 
Compliance
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
 
Related Policies, Standards, and Guidelines
Change Management Policy
 
 
This chapter began with a review of baseline policies, followed by an overview of the Session Directory feature, Session Directory design considerations, and the required Session Directory configurations. It concluded with two example baselines: a Session Directory Configuration Baseline and a Terminal Server Session Directory Group Policy Configuration Baseline.
 
  • Baseline configurations introduce Quality Assurance (QA) and reduce risk associated with the installation and configuration of technologies.
  • Baselines are security controls that work in conjunction with other security controls, such as Policies and Standards.
  • A Session Directory Configuration Baseline defines the approved installation and configuration standards for Microsoft’s Session Directory.
  • A Terminal Server Session Directory Group Policy Configuration Baseline is used to define an approved configuration standard for Terminal Servers that participate in a Terminal Server Session Directory environment.
  • From a regulatory compliance perspective, Session Directory fault tolerance is often a requirement. A Risk Assessment should be conducted to validate whether regulatory or business requirements mandate Session Directory fault tolerance.
  • To use the Session Directory, three configurations are needed: turn on the Session Directory service, add the Terminal Server computer accounts to the Session Directory Computers group, and configure each Terminal Server to participate in the Session Directory.
 
The next chapter will review Microsoft’s Network Load-Balancing technology and introduce a tier 3 Terminal Server Network Load-Balancing Configuration Baseline.