Install, configure, and secure Terminal Services in your enterprise

[Author's Note: Each month, this column discusses various aspects of the advanced administration of e-business sites. This month, I show you how to install, configure, and secure Windows 2000 Server Terminal Services so that you can streamline IIS server management.]

Terminal Services provides remote access to a server desktop through terminal-emulation software. This remote access makes managing multiple servers a breeze because you can do everything from one machine. This month, I introduce you to the different installation options available in Terminal Services and the different client options available during implementation. In addition, I discuss the security implications that Terminal Services implementation poses. The Web-exclusive "Related Reading" box provides articles and white papers that will help in your Terminal Services research and implementation.

Installing and Configuring Terminal Services
Installing Terminal Services is simple. You can install the service either during Win2K installation or later from the Control Panel Add/Remove Programs applet. To install Terminal Services from the applet, double-click Add/Remove Programs, then click the Add/Remove Windows Components icon to start the Windows Components Wizard. Select the Terminal Services and Terminal Services Licensing check boxes, then follow the wizard's prompts to complete the installation. (See the sidebar "Remote Administration vs. Application Server" for a comparison of these two Terminal Services installation modes.)

To verify successful installation, right-click My Computer, then select Manage to open the Computer Management console. Expand Services and Applications, then click Services. In the right pane, scroll down to the Terminal Services service. The Terminal Services service should be running and should be configured to start automatically. If you right-click the service, select Properties, then click the Dependencies tab, you'll see that it has no dependencies on other services.

Terminal Services Administrative Tools
Successful Terminal Services installation adds three tools to Administrative Tools. They are Terminal Services Client Creator, Terminal Services Configuration, and Terminal Services Manager.

Terminal Services Client Creator. The Terminal Services Client Creator tool, which Figure 1 shows, facilitates the creation of installation disks that install 16- and 32-bit Terminal Services clients. These installation disks are intended for Application Server mode, in which a client must be dedicated to running Terminal Services to run applications remotely. You probably won't be interested in creating installation disks for Application Server mode.

Terminal Services Configuration. The Terminal Services Configuration tool, which Figure 2 shows, lets you configure the connection that clients use to log on to a Terminal Services session. One TCP/IP connection is automatically configured when you install and enable Terminal Services on a Win2K Server machine. Typically, this connection is the only one you need for remote administration through Terminal Services. The Terminal Services Configuration tool also lets you customize several aspects of the Terminal Services client connection:

  • You can reconfigure the properties of the RDP-TCP connection. (RDP is the protocol that Terminal Services uses.) For example, you can limit the amount of time that client sessions remain active on the server and set protection levels for encryption.
  • You can set session time limits on a per-connection basis.
  • You can configure settings that apply globally to the Terminal Services server, including settings for temporary folders, default connection security, and enabling and disabling Internet Connector licensing.

Terminal Services Manager. The Terminal Services Manager tool, which Figure 3 shows, lets you view information about the Terminal Services servers within the trusted domains in which you're authenticated. When you select a computer in the left pane, clients connecting remotely through Terminal Services appear on Terminal Services Manager's Sessions tab. In addition, the names of users who log on appear on Terminal Services Manager's Users tab. You can monitor on the Processes tab any applications that users run during their sessions. Therefore, you can oversee all sessions, users, and processes on each Terminal Services server from one location.

Terminal Services Clients
Microsoft provides three advanced administrative clients that facilitate remote connections to Terminal Services. However, the client software isn't automatically installed when you install the Terminal Services service. In fact, Microsoft developed these three client software packages after Win2K shipped, so you must download them from the Microsoft download site (http://www.microsoft.com/windows2000/downloads/recommended/tsac/default.asp). Many IIS administrators don't implement Terminal Services because they can't figure out which client they should use to effectively put the technology into action. Each Terminal Services advanced client package comes as a self-extracting setup program that you can install independently of the others. Thus, you can install all three packages—the Terminal Services Full Client Windows Installer package, the Web package, and the Microsoft Management Console (MMC) Terminal Services Connections snap-in—then decide which one best suits you.

The Terminal Services Full Client Windows Installer package. This client tool provides the flexible deployment options of the full-blown Terminal Services Client. The tool includes auto-repair functionality through Microsoft Windows Installer and application publishing through either IntelliMirror management technologies or Microsoft Systems Management Server (SMS).

The Web package. This ActiveX control provides almost the same functionality as the full Terminal Services Client but delivers functionality through Microsoft Internet Explorer (IE) 4.0 or later. The Web package setup installs the downloadable ActiveX control, the ActiveX Client Control Deployment Guide, and sample Web pages on a server running IIS 4.0 or later. This tool provides the broad reach you need if you want to use Terminal Services to manage IIS servers remotely from outside your LAN environment (i.e., outside the firewall). See the section "Terminal Services Security Implications" before you implement this package.

The Terminal Services Connections snap-in. This snap-in lets you manage multiple Terminal Services connections in an easily navigable MMC console. Because of its power and ease of use, this tool will probably be the one you use to manage multiple IIS Web servers. Figure 4, page 12, shows the Terminal Services Connections snap-in with three Terminal Services connections (i.e., servers). From this console, I can quickly switch between the three servers as I perform the management tasks necessary to keep them running smoothly.

Terminal Services Security Implications
Obviously, allowing remote administration of your network servers brings security risks. Terminal Services offers three levels of encryption between clients and the server: High, Medium, and Low. All data sent between clients and the server is encrypted, and the strength of that encryption depends on the key strength installed on the server. To configure the encryption level with the Terminal Services Configuration tool, navigate to the Connections folder within the tool, right-click the RDP-Tcp connection, and select Properties. Click the General tab, which Figure 5 shows. By default, Terminal Services is configured for Medium encryption strength—56-bit encryption from the client to the server and vice versa. Low encryption strength is 56-bit encryption from the client to the server only. High encryption strength uses 128-bit encryption from the client to the server and vice versa. Only United States (Domestic) versions of Windows offer 128-bit encryption. Whenever passwords travel between the client and server, they're encrypted.

The Terminal Services Configuration tool lets you limit the number of user logon attempts, which frustrates intruders who use tools that quickly and systematically generate passwords in an attempt to access a system. You can also limit the connection time of individual user accounts or groups, and you can manage other user security settings on the same per-account or per-group basis. For example, you can restrict the ability of a user authenticated in a Terminal Services session on a server to redirect to local devices.

RDP packets are encapsulated within TCP/IP packets. So, you might think that providing access for remote administrators with an Internet connection is simply a matter of opening a TCP port—port 3389, in the case of Terminal Services—for inbound communication through your firewall. However, some simple and powerful hacker tools systematically "touch" ranges of publicly available IP addresses. When they find a vulnerable IP address, they usually test whether port 3389 is open. You can't customize this port; thus, you should never extend remote access to Terminal Services outside the firewall. Instead, extend Terminal Services remotely and securely through a VPN.
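The following script is an added example, not code from the column: it audits from the registry the RDP-Tcp settings that this section configures through the Terminal Services Configuration GUI (encryption level, session time limits, device redirection) and repeats the service check from the installation section. It assumes an elevated PowerShell session on the Terminal Services host and that the registry path, value names, and the 1/2/3 = Low/Medium/High mapping of MinEncryptionLevel are the standard ones; it goes slightly beyond the text by also checking printer, port, and clipboard redirection, not only drive redirection.

```powershell
# Added example (not from the original column): audit the RDP-Tcp listener
# settings that Terminal Services Configuration sets through its GUI.
# Assumptions: elevated PowerShell on the Terminal Services host; standard
# RDP-Tcp registry path and value names; MinEncryptionLevel 1/2/3 = Low/Medium/High
# as the column describes (4 = FIPS on later Windows versions).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $key
$levels = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'FIPS' }
$findings = New-Object System.Collections.Generic.List[string]

# 1. Encryption level. The column's default is Medium (56-bit); require High.
$lvl = [int]$rdp.MinEncryptionLevel
$lvlName = if ($levels.ContainsKey($lvl)) { $levels[$lvl] } else { 'unknown' }
if ($lvl -lt 3) {
    $findings.Add("MinEncryptionLevel=$lvl ($lvlName): raise it to High (3) on the General tab.")
}

# 2. Per-connection time limits, stored in milliseconds; 0 or absent = unlimited.
#    An idle or disconnected session is still an authenticated desktop on the server.
foreach ($v in 'MaxIdleTime', 'MaxDisconnectionTime', 'MaxConnectionTime') {
    if (-not [int64]$rdp.$v) { $findings.Add("${v} is unlimited: set a limit on the Sessions tab.") }
}

# 3. Client device redirection. A value of 1 disables the mapping: Cdm = drives,
#    Cpm = printers, Ccm = COM ports, LPT = LPT ports, Clip = clipboard.
foreach ($v in 'fDisableCdm', 'fDisableCpm', 'fDisableCcm', 'fDisableLPT', 'fDisableClip') {
    if ([int]$rdp.$v -ne 1) { $findings.Add("${v} is not set: clients can redirect this device class.") }
}

# 4. The service check from the Computer Management walk-through: Running and Auto.
$svc = Get-CimInstance Win32_Service -Filter "Name='TermService'"
if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
    $findings.Add("TermService is $($svc.State)/$($svc.StartMode): expected Running/Auto.")
}

# 5. Where the listener is reachable from. Terminal Services listens on TCP 3389;
#    a listener bound to all interfaces on a host with an Internet-facing address
#    contradicts the column's advice to reach it only through the LAN or a VPN.
Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("TCP 3389 listening on $($_.LocalAddress) (0.0.0.0 or :: = all interfaces).") }

if ($findings.Count -eq 0) { 'No findings: RDP-Tcp settings match the hardened baseline.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Values set per user or inherited from Group Policy can override the listener values read here, so treat a clean result as a baseline check, not proof of the effective policy.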

An Indispensable Tool
Using Terminal Services to facilitate the management of multiple IIS servers from one desktop is practically a prerequisite, even if you manage one IIS machine that's just in a different room. Terminal Services' power and ease of use make this service a must-have in your management tool belt. However, nothing this powerful comes without risk, so consider the security implications carefully before implementing Terminal Services in your enterprise. With the proper security in place, Terminal Services will help you manage your IIS servers more effectively. Next month, I'll show you how to set up, configure, and implement a Win2K VPN to provide secure remote access to the servers on your LAN.