Brian Madden's Blog

How do you lock down a Terminal Server?

Written on Jul 11 2008


by Brian Madden

Two friends of mine, Christa Anderson and Kristin Griffin, are collaborating on a Windows 2008 Terminal Services book for Microsoft. Part of this project includes small "tips from the field" entries written by different people. They asked me to write a short bit on security, specifically, what's my one "hot tip" about locking down a terminal server?

For me this was easy, because I think there's one super simple thing that's better than any other advice I've ever received about locking down a Terminal Server. That tip? Remove the "execute" NTFS permission from everywhere except the folders where it's absolutely needed (which is probably only the Windows and Program Files folders). But folders like temp, temporary Internet files, the Outlook saved attachments folder, and the home drives--there is no reason that a user should ever have to execute anything from these folders. And honestly, if you just pull the execute permissions, you almost don't have to worry about anything else. How could users possibly install rogue software if they can't run anything from those locations? (Well, depending on your client drive mapping rules I guess.) How can users even infect a server if they can't execute anything from these locations?

Implementing this is pretty straightforward. The easiest way is to create a path rule with software restriction policies (part of Group Policy in Windows 2003 / 2008). You could also do this via good old-fashioned NTFS permissions, although you have to be careful that users don't have enough permissions in a folder to grant themselves execute permissions if you just remove it.
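If you go the NTFS route, both conditions above can be audited from the ACLs. The following PowerShell is an added example, not part of the original post: it reports, for each user-writable folder, whether a low-privilege principal still holds execute on files or holds rights that would let users grant it back to themselves. The folder list and the principal names (English-language builds) are assumptions to adjust for your environment.

```powershell
# Added example. Requires PowerShell 3.0+ for [pscustomobject].
# ASSUMPTIONS: the folder list and the low-privilege principals below.
$folders = @($env:TEMP, 'D:\Home')   # 'D:\Home' is a hypothetical home-drive root
$lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'Everyone', 'CREATOR OWNER')

$rights = [System.Security.AccessControl.FileSystemRights]
# Generic rights show up as raw bits on inherit-only ACEs (e.g. CREATOR OWNER).
$GENERIC_ALL     = 0x10000000
$GENERIC_EXECUTE = 0x20000000
$executeMask = [int]($rights::ExecuteFile) -bor $GENERIC_EXECUTE -bor $GENERIC_ALL
$regrantMask = [int]($rights::ChangePermissions) -bor
               [int]($rights::TakeOwnership) -bor $GENERIC_ALL

function Get-ExecuteExposure {
    param([string[]]$Path, [string[]]$Principal)
    foreach ($folder in $Path) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $folder).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
            $mask = [int]$ace.FileSystemRights
            # ObjectInherit means the ACE flows down to files; without it the
            # execute bit on a folder only grants traverse.
            $toFiles = ($ace.InheritanceFlags -band
                [System.Security.AccessControl.InheritanceFlags]::ObjectInherit) -ne 0
            [pscustomobject]@{
                Folder          = $folder
                Identity        = $ace.IdentityReference.Value
                CanExecuteFiles = $toFiles -and (($mask -band $executeMask) -ne 0)
                CanRegrant      = ($mask -band $regrantMask) -ne 0
                Inherited       = $ace.IsInherited
            }
        }
    }
}

# Show only the ACEs that undermine the lockdown.
Get-ExecuteExposure -Path $folders -Principal $lowPriv |
    Where-Object { $_.CanExecuteFiles -or $_.CanRegrant } |
    Format-Table -AutoSize
```

An empty result for a folder means none of the listed principals can execute files there or re-grant the right; rows with `Inherited` set to true have to be fixed on the parent folder.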

Besides this, what else do you do to lock down a Terminal Server? Microsoft actually has a great KB article detailing all of the Group Policy settings you can make to lock down Terminal Servers. They also published a fairly decent white paper on this topic a few years back. What other tips and tricks do you have?



Comments

Guest wrote Sounds like a good idea but has anyone done this in production?
on 07-11-2008 10:41 AM
Sounds like a good idea but has anyone done this in production?  comments?
Nick Fields wrote Some of the basics...
on 07-11-2008 12:32 PM
For us the basics are removing the run line from the start menu and hiding the local drives.  Those aren't the only things we do, but it's 2 of the simplest quick lockdown ideas we do...
Joseph Duncan wrote Re: Sounds like a good idea but has anyone done this in production?
on 07-11-2008 3:10 PM
I do this on my production WTS 2003 boxes (silly students like to try and do bad things)... and will be doing so here when I transition over to 2008 this summer
Guest wrote File Screening?
on 07-11-2008 5:45 PM
Removing the execute permission (actually traverse folder/execute file) with inheritance set to files only is quite bothersome in any larger environment (due to how NTFS works). Windows 2003 R2/2008 file screening seems to be the easier alternative.
Aaron Parker wrote Two things
on 07-11-2008 6:02 PM

Restricting the UI is only saving users from themselves, it's not what I would call effective lockdown. There are really only two things worth implementing:

  1. Ensure all users have standard user accounts only
  2. Enable a whitelist of applications (e.g. Software Restriction Policy, AppSense Application Manager, RES PowerFuse etc)
Mark Prigg wrote Re: Two things
on 07-12-2008 7:46 AM

Hi Aaron,

Where you say use a whitelist of applications, do you mean a list of executables that CAN run or a list of executables on the system that CANNOT be run?  Is it possible do you know if the functionality of AppSense Application Manager can be achieved using Windows' Software Restriction Policies (2003 and\or 2008)?

Thanks, Mark

 

Guest wrote Thanks for the plug, Brian!
on 07-13-2008 5:03 PM

Hey, Brian--thank you for the plug. It makes working on the book on a gorgeous July weekend in Seattle a bit easier.

For anyone who's interested, the TS Resource Kit (MS Press) will be out this fall.

--Christa 

 

Aaron Parker wrote Re: Two things
on 07-13-2008 6:25 PM
Hi Mark, Application Manager is more flexible than SRP. The default configuration for AM will block any executable content that is not owned by the administrator. Which essentially means that users cannot run an executable not installed on the machine by the administrator. I think RES does something similar.
Guest wrote Re: Two things
on 07-14-2008 2:25 AM
You could quite easily automate/script SRP so that it does the same. It all depends if you have the skills, money, or both.
shane wescott wrote Doco re security on Terminal Servers
on 07-16-2008 7:02 AM

Hi Christa

I wrote a doco on this for my Sans Gold certification.

http://www.sans.org/reading_room/whitepapers/honors/1721.php

Had some good feedback on it.

Catch ya

Shane


Mike Cardinal wrote ThinLaunch Software - Thin Desktop
on 08-15-2008 1:51 PM
Have you ever looked at ThinLaunch Software's product, Thin Desktop?
Guest wrote IronDoor?
on 09-03-2008 2:13 PM
Check out WorldExtend IronDoor, you can use it to secure connections to your server, and keep users seeing what only they need to see.
