

























This page lists best practices for securing Windows Terminal Server or Windows XP (for use with VDI).
How can I protect my terminal servers from Spyware, Malware, Trojans, Worms, Viruses and unauthorized software?

- Start with a secure installation of the Operating System. Windows Server 2003 installs by default with users able to create files and folders in the root of the system drive, and Windows 2000 Server installs by default with the Everyone group having Full Control NTFS permissions to the entire system drive. To lock down the system drive on Windows 2000 Server, start with the following settings:
  - Root of System Drive - Authenticated Users = "Read and Execute"
  - Root of System Drive - Administrators = "Full Control"
  - Root of System Drive - System = "Full Control"
  - Program Files Directory - Authenticated Users = "Read and Execute"
  - Program Files Directory - Administrators = "Full Control"
  - Program Files Directory - System = "Full Control"
- NEVER allow anyone to log on as an administrator or power user unless they are a member of the IT staff / IT consulting firm responsible for the server, and they are logging on to perform administrative functions, e.g. installing software or performing a backup.
- Force "Empty Temporary Internet Files when browser closed" via Group Policy. This deletes most bad files from the Temporary Internet Files location of the user's profile, leaving only the cookie files.
- Implement Roaming Terminal Server Profiles, Mandatory Terminal Server Profiles or Flex Terminal Server Profiles.
- Enable DeleteRoamingCache in the registry, or via "Delete Cached Copies of Roaming Profiles" in Group Policy. Since the roaming profile does not propagate the user's Temp directory, enabling this policy will usually delete anything the user downloaded unintentionally. This policy deletes the user's local profile at logoff once it has been successfully unloaded and copied to the roaming location.
- Install the User Profile Hive Cleanup Service, which helps ensure user sessions are completely terminated when a user logs off. Without this service, user profiles are often not unloaded successfully, which causes the copy to the roaming profile location and the DeleteRoamingCache setting to fail.
- Install a Terminal Server compatible anti-virus scanner on each terminal server, a VSAPI anti-virus scanner on each SMTP server, and an anti-virus scanner at the Internet gateway.
- Set the Terminal Services Configuration Permission Compatibility to "Full Security" (Windows Server 2003) or to "Windows 2000 Users" (Windows 2000 Server). If you use "Permissions compatible with Terminal Server 4.0 Users" (Windows 2000 Server) or "Relaxed Security" (Windows Server 2003), each user logging on is added to the TSUser security group, which has the permissions and rights of the Power Users group.
- Enable Software Restriction Policies in Group Policy to define which files users can execute.
- If users need only one application, specify this program to start when they log on. This can be done for everyone via Group Policy or Terminal Services Configuration, or for specific users via Active Directory or the Local User Account.
- Consider locking down the user environment with a FREE program like BrsSuite, designed by Terminal Server security expert Fabrice Cornet of FC Consult, Belgium.
- Restrict access to applications normal users should never use, or that do not follow the policy restrictions in place, e.g. winfile and command.com.
How can I provide the most secure access to terminal servers from the Public Internet?

The RDP protocol is secure and uses RSA Security's RC4 cipher at either 56 or 128 bits; however, the following should be considered when providing access to terminal servers over the Public Internet:

- Set the RDP-Tcp Encryption Level to "High" (Windows 2000 Server or Windows Server 2003).
- Define and enforce a strong password policy.
- If you require password authentication to access a Remote Desktop Web Connection (RDWC, aka TSAC or TSWeb), do so over an SSL connection. Since you have to log on to the Terminal Server anyway, there is really no advantage to requiring authentication to access a RDWC.
- Do NOT use a traditional client-to-server VPN to provide secure access to Terminal Servers. This may sound strange, but traditional client-to-server VPNs require connectivity over non-standard ports and client software on the remote computer, which often prevents remote users from being able to connect. In addition to the connectivity problems, traditional client-to-server VPNs can open the corporate network to viruses, trojans or worms, because they extend the corporate network to the remote client.
- Do consider providing secure access to terminal servers via an SSL VPN or a Terminal Server Secure Gateway, as these provide access over standard ports like 443 or 80, which makes connectivity easy for remote users. These devices or software applications also provide access to a specific computer or set of computers, instead of opening a secure tunnel to the entire corporate network.
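As an added example (not part of the original FAQ), the read-only PowerShell audit below checks the settings from both lists above on the server it runs on: the NTFS permissions on the system drive root and Program Files, the DeleteRoamingCache value, the permission-compatibility mode and the RDP-Tcp encryption level. It assumes a modern PowerShell on the terminal server and the documented registry values that back the GUI settings the FAQ names.

```powershell
# Added read-only audit (example code, not part of the original FAQ). It assumes a
# modern PowerShell on the terminal server and the documented registry values behind
# the GUI settings the FAQ names: DeleteRoamingCache (1 = enabled), TSUserEnabled
# (0 = "Full Security" / "Windows 2000 Users"), MinEncryptionLevel (3 = "High").
using namespace System.Security.AccessControl

# Reports Allow ACEs that give broad groups Write (or Modify/Full Control, which
# contain Write) on the system drive root and Program Files. Empty result = clean.
function Test-BroadWriteAccess {
    param([string[]]$Paths = @(($env:SystemDrive + '\'), $env:ProgramFiles))
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $writeMask = [int][FileSystemRights]::Write   # 0x116, also catches 2003's "create files"
    $findings = @()
    foreach ($path in $Paths) {
        foreach ($ace in (Get-Acl -Path $path).Access) {
            if ($ace.AccessControlType -ne [AccessControlType]::Allow) { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
                $findings += "$path : $($ace.IdentityReference) has $($ace.FileSystemRights)"
            }
        }
    }
    return $findings
}

# Compares the three registry-backed settings with the values the FAQ recommends.
function Test-TerminalServerRegistry {
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
           Name = 'DeleteRoamingCache'; Expected = 1 }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Name = 'TSUserEnabled'; Expected = 0 }
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
           Name = 'MinEncryptionLevel'; Expected = 3 }
    )
    $findings = @()
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { '<not set>' }
        if ($actual -ne $c.Expected) {
            $findings += "$($c.Name) = $actual (expected $($c.Expected))"
        }
    }
    return $findings
}

$all = @(Test-BroadWriteAccess) + @(Test-TerminalServerRegistry)
if ($all.Count -eq 0) { 'All checked settings match the recommendations.' } else { $all }
```

Run it in an elevated session on the terminal server; each line of output is one setting that still differs from the recommendation, so an empty report means the checked items are in place.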