
Terminal Service Question


Davetoo

IS-IT--Management
Oct 30, 2002
4,498
US
I'm about to deploy a Terminal Server into my domain. A bit of background on this: we have about 60 outside people that will need to access this Terminal Server through a VPN connection. We have an additional 30 users on the inside that will be accessing it as well. So, I'm going to put the server into our domain as a DC, since everyone already has accounts in our domain (the outside people are for mail only up until now).

Right now, and for the foreseeable future, they will only be running one application on the TS. So, I've found the setting in the user's profile (Environment) to set a specific program to start on logon. I've tested this on my test server, and as best I can determine, when I do this, the user that is logged in cannot get to anything else on the Terminal Server. If the program is closed, the session ends. If the program is minimized, there's nothing else on the desktop, just the minimized program.

Am I correct in my assumption that this is a pretty safe bet that the users can not get to anything else on this Terminal Server (other than through known hacks, etc....after all, if a system running Windows is turned on, it's a vulnerability)?

I am going to use GPO's to further inhibit the users, as well as strict NTFS settings, but this method seems to provide a very narrow ability for the users to cause any problems for us. Now, if I have to run a second program on the TS, then I have a problem, but for now, I don't see that happening.

Thanks.

Dave
 
Lander215,

Why run it on a DC? Seems to me running it on a member server would be much safer.

Just a thought,

Patty [ponytails2]
 
Patty,

Well, to reduce redundancy. If it's on a member server, then I have to have all of the user accounts in two places...on my DC's and then on the member server as well.

I'm open for suggestions about this, but it seems if I lock down the accounts that are using the Terminal Services from the outside (since my inside users already have access, can't really do anything further to protect against them), then I should be safe from the users.

Dave
 
Your server doesn't have to be a DC. Actually, I don't recommend it either! Leave it as a member server.

If you have the money, get your server Citrix MetaFrame or Canaveral iQ, which permit you to publish applications. The user, when logging in, doesn't access a desktop environment but just the published applications.


 
Well, according to Microsoft, the Terminal Server either has to be a DC in a domain, or not be part of a domain. So, it can't be a member server in a domain, but could be in a workgroup by itself separate from the domain. If it's not in the domain, then I have to have two sets of credentials for every user that needs to run the Terminal Server application.

I understand not recommending something, but I'm asking why is it not recommended? I'm failing to find any concrete evidence as to why this is inherently bad, given the simultaneous deployment of strict GPOs for the users.

Thanks.

Dave
 
I just thought of something, and haven't uncovered the answer yet.

Can two different people connect up to a Terminal Server using the same username/password at the same time? If they can, then that would solve my problem. Put the server into its own workgroup and have the users use the same username/password to access it. That way I only have one or two users to set up on the terminal server.

Would that work though?

Thanks.

Dave
 
I'd be interested to see where MS says that a terminal server has to be a DC. Our terminal server is a member server in our domain with absolutely no problems.

Andy
 
I believe that Microsoft recommend that a DC is NOT a Terminal Server.

You'll need to lock down applications using Group Policies, since users can (obviously) access Explorer simply by choosing File -> Open or Save As. This is a large area, and requires investigation prior to letting users on the system.

For users to be able to log on, you require Terminal Server Client Access Licenses, and a TS License server, otherwise temporary licenses will be issued and users will stop being able to log on after 90 days.

If you are not planning on using Roaming Profiles, you can let users share logins, but for security reasons, I'd advise against it. There will come a time when you need to track what users are doing, IME. What if a single user runs a cmd prompt, and types dir *.* /s. I can't think of a good reason why either, this is just an example, since this is guaranteed to send the processor to 100%, and stop ALL TS users from working, and other users from getting their necessary services, such as logon.

There's no reason to make all Terminal Server users local users - they can use their existing Domain logins, and have roaming profile by entering the path in the local user manager field.

Terminal Services puts huge demands on a server, and can require more frequent reboots - since in effect 25 users logging on for 10 days would be like 1 user running a PC for 250 days. I'd bet that wouldn't last a month before it needed a reboot. I usually reboot Windows 2000 Terminal Servers once a week, but some require more frequent reboots - especially when resource hungry apps like Outlook or IE are used. Both can be launched from Microsoft Word in many different and subtle ways - eg, try typing a URL into Word, then press return. Now click on the freshly underlined URL.

Also remember that users require a good deal more than the recommended amount of RAM - allow at least 32 MB per user, PLUS 128 MB for the Operating System at a bare minimum. And it's not a good idea to go above 30 users on a single processor.

I hope this is useful.

CitrixEngineer@yahoo.co.uk
 
I may be in error on that. The book I'm using, W2K Server Administrator's Companion, indicates the License Server has to be on a DC, not the TS.

Dave
 
CitrixEngineer,

Very helpful, thank you. A few questions though:

1 - by using the environment option to only launch one application upon connection, I can find no way to get to the desktop. The program I've selected launches, and if I close it, the session ends. If I minimize it, there's nothing else on the desktop. It appears safe, but is there a known hack?

2 - All of my users are W2K and have CALs to access the server. From my investigation, no Terminal Service CAL is required because it utilizes the built-in W2K license to access it legally.

The server is a dual 2.0 GHz Xeon with 1GB RAM. The most we expect on the system at any one point in time is 15, so the system should handle it ok I hope. ;-)

Thank you again.

Dave
 
Re-Read Citrix Engineer's post....they are right on the money.

Chris
MCSA,CCA
 
Chris,

I've read it, but it doesn't address issue #1 that I asked for further info on. I've looked further into issue #2, and no Terminal Service CALs are required if the clients are running W2K and have CALs to access a server.

Thanks.

Dave
 
Lander,

For your first question... I believe it would be fine. I don't know any hack, but ideally you want that window terminated as soon as possible. It might not be possible to do anything through the session itself, but it remains an open connection to your TS box that sits there doing nothing, waiting for any hacker to share its loneliness... got it?


2 - In order to stay legal you need several licences.
For a W2K terminal server, you need:

1 - a CAL... so you can run the Windows 2K environment with or without the desktop.
2 - a TS CAL that gives you the right to CONNECT to your TS server.

If your workstation is Win2K or XP, you don't need to purchase a CAL because your workstation licence is transferred, but you need to get a TS CAL.
If you connect through Win95/98, 3.11... etc., you have to get a CAL + TS CAL.
Plus you will need a licence for each Office application you release through your TS box.

regards,

Nic
 
Nic,

Thank you. I'm also setting a limit on length of connection (1 hour), and idle time of 15 minutes with a disconnect set at 15 minutes also. I believe this will provide a narrow window of opportunity for anyone to snag the connection. They are also coming into the server via a VPN connection through my firewall, so I believe it'll be protected about as well as I can?

The licensing issue was a complete mess at first, but finally found where, if the clients were W2K, then they were supplied a CAL from the "free" pool within the license server. Microsoft is changing this for Server 2003...all connections will require a TS CAL. More money for them.

Thanks again.

Dave
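The thread settles on three session limits (1 hour active, 15 minutes idle, 15 minutes disconnected) plus the advice to terminate, not merely disconnect, a session that hits a limit. Below is an added, read-only PowerShell audit that checks a Terminal Server against those targets; it is not code from this thread or from Microsoft. It assumes the registry locations and value names given in its comments (the per-connection RDP-Tcp listener key, and the Group Policy key used on Windows Server 2003 and later, since Windows 2000 exposes the same settings only through Terminal Services Configuration), and it must be run from an elevated prompt on the terminal server itself.

```powershell
# Added example, not code from the thread: read-only audit of the session
# limits and initial-program lockdown discussed above.
# Assumed registry locations: the per-connection RDP-Tcp listener key and the
# Group Policy key (Server 2003 and later). Assumed value names:
# MaxConnectionTime, MaxIdleTime, MaxDisconnectionTime (DWORD, milliseconds),
# fResetBroken (1 = end session at limit) and InitialProgram (listener-wide).

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Targets stated in the thread: 1 hour active, 15 min idle, 15 min disconnected.
$TargetMinutes = @{ MaxConnectionTime = 60; MaxIdleTime = 15; MaxDisconnectionTime = 15 }

function Get-TsValue {
    param([Parameter(Mandatory)][string]$Name)
    # A value set by Group Policy overrides the per-connection setting, so check it first.
    foreach ($key in @($PolicyKey, $ListenerKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Source = $key; Value = $item.$Name }
        }
    }
    return $null
}

function Test-TsSessionLockdown {
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($name in $TargetMinutes.Keys) {
        $setting = Get-TsValue -Name $name
        if ($null -eq $setting -or [int64]$setting.Value -eq 0) {
            $findings.Add("$name is unset or 0 (no limit): sessions may stay open indefinitely.")
            continue
        }
        $minutes = [int64]$setting.Value / 60000
        if ($minutes -gt $TargetMinutes[$name]) {
            $findings.Add(("{0} is {1} min (from {2}); target is {3} min." -f `
                $name, $minutes, $setting.Source, $TargetMinutes[$name]))
        }
    }

    # fResetBroken = 1 ends the session when a limit is reached instead of leaving a
    # disconnected session parked on the server, which is what the thread wants.
    $reset = Get-TsValue -Name 'fResetBroken'
    if ($null -eq $reset -or [int]$reset.Value -ne 1) {
        $findings.Add('fResetBroken is not 1: a session that reaches a limit is disconnected but not ended.')
    }

    # A listener-wide InitialProgram keeps every connection inside one application.
    # The per-user Environment tab setting lives with the account, not in this key,
    # so this finding is informational when only per-user restriction is in use.
    $initial = Get-TsValue -Name 'InitialProgram'
    if ($null -eq $initial -or [string]::IsNullOrWhiteSpace([string]$initial.Value)) {
        $findings.Add('No listener-wide InitialProgram: only per-user Environment settings restrict the desktop.')
    }

    return $findings
}

$result = Test-TsSessionLockdown
if ($result.Count -eq 0) { 'Session lockdown matches the targets from the thread.' } else { $result }
```

The script only reads the registry, so it is safe to run repeatedly (for example from a scheduled task that mails the findings) to catch drift after someone edits the listener by hand; the per-user Environment setting that Dave tested is not visible here and still has to be checked on each account or enforced through the Group Policy equivalent.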
 