Network administrators frequently turn to Terminal Services for remote desktop and server management. But any time a remote communication is configured, a potential security hole is created, so you should familiarize yourself with Terminal Services' built-in security controls. You'll need to know them to safeguard your systems, and if you're planning to take the Windows 2000 Network Security Design test (Exam 70-220), you'll be tested on them.
Using Terminal Services, you can:
- Administer distributed file system (Dfs) support.
- Create, delete, and manage Terminal Services sessions.
- Monitor system performance on remote systems.
- Send administrative messages to users.
- Perform remote administration.
- View and control others' sessions.
- Configure network load balancing.
Don't forget the fundamentals
Any user who is given both administrative permissions and rights to use Terminal Services' administrative features will be able to remotely configure desktops and servers that have Terminal Services installed. Two simple safeguards can protect against unauthorized changes. First, don't extend Terminal Services administrative rights to users who shouldn't be administering desktops and servers. In Windows 2000, you can specify Terminal Services rights at the user level. Second, Terminal Services shouldn't be installed on systems unnecessarily. Disable Terminal Services on clients and servers that don't require it.
Terminal Services also offers several features that significantly enhance security. For instance, you can encrypt Terminal Services sessions and limit the number of failed logons and even connection time.
Terminal Services also works on firewall-protected networks. Because Terminal Services relies upon the Remote Desktop Protocol (RDP) to perform many tasks, you just need to remember to open port 3389 so that RDP traffic flows properly.
Encryption is critical
Terminal Services supports three levels of encryption. The Low level encrypts communications the client sends the server. When using the Low encryption level, Windows 2000 systems enjoy 56-bit encryption, while earlier versions of Windows drop down to 40-bit encryption.
The Medium level encrypts communications that the client sends the server and the communications that the server sends the client. Again, Windows 2000 systems enjoy 56-bit encryption, but older versions of Windows receive 40-bit encryption. Microsoft recommends using Medium encryption when a server is being used to send sensitive data to client systems.
When using the High encryption level, communications traveling both ways between the client and server are encrypted using a 128-bit key. When taking the exam, remember that the 128-bit encryption option is available only in the United States and Canada.
Managing connection permissions is important too
You can adjust permissions to further lock down Terminal Services sessions. Permissions can be applied to users, groups, and computers in both local and trusted domains.
Several permissions are set by default with the standard TCP/IP connection automatically installed with Terminal Services:
The System and Administrators groups provide the same permissions by default. Both groups provide the user with Full Control, meaning a user can perform all Terminal Services functions, including create and end sessions, join sessions in progress, view session information, change connection settings, perform remote administrative tasks, and send users messages.
The Users permission provides the ability to log on to a session, view information about a session, send messages to other users, and connect to other sessions. The Guests permission allows only logging on to a session.
All of the permissions can be customized as necessary. Just remember that adjusting Terminal Services permissions requires that the user configuring the change possess administrative rights.
Network administrators frequently rely on Terminal Services, and its use is often extended to enterprise users. Regardless of who's using Terminal Services, you must know how to use the default security features to protect your network. Terminal Services security is also tested in the Windows 2000 Network Security Design exam. Be sure that you understand the need to open a port for RDP traffic, how different encryption levels work, and which permissions extend which rights.