When you install Terminal Services on a Windows Server 2003 server
in your data center, you have the option to either select the Relaxed Security
setting or choose the Full Security option for your clients. While the answer
may appear to be a simple one, it’s important to consider your organization’s
specific applications before clicking that Full Security option.

First of all, make sure you understand the Terminal Services
language. In this case, relaxed doesn’t
necessarily mean lax—it’s actually shorthand for Windows NT Server 4.0,
Terminal Server Edition Permissions Compatibility Mode (Relaxed Security). Your
other option, Full Security, actually stands for Windows 2000/Windows Server
2003 Permissions Mode.

If you select the Relaxed Security option, users connecting
to the terminal server can modify certain system files (such as those located
in the SYSTEM32 directory) as well as registry keys. Windows 2000 and Windows
Server 2003 restrict user access to these areas to boost security and

You might wonder why you would ever want to allow users to access
such important system areas. However, some earlier programs won’t operate
unless the user has access to certain registry keys and the SYSTEM32 folder,
and Terminal Services’ Relaxed Security setting allows the support of these

The good news is that these programs are all generally
pretty old. The even better news is that the Relaxed Security setting precludes
you from having to grant users Administrator privileges on the system. But even
though it’s better than giving users admin rights, it still creates a major
security hole.

So, whenever possible, choose the Full Security option to
lock down your terminal server. If you’re not sure if a particular application
will work, try running it under the Full Security setting first. If that doesn’t
work, you’ll likely need to use the Relaxed Security option. However, to better
protect your network, segregate such applications by putting them on their own
terminal server.

Miss a tip?

Check out the Windows Server 2003 Archive,
and catch up on the most recent tips from this newsletter.

Stay on top of the
latest WS2K3 tips and tricks with our free Windows Server 2003 newsletter,
delivered each Wednesday. Automatically
sign up today!