A major part of any computing environment is security. We haven't dwelled much on security in the preceding chapters because securing a Terminal Server environment is something you must do from end to end. You can't just "do a little security here, and a little there." There would be no benefit to talking about the security of profiles in the user profile chapter, because even if you did everything profile-related to tighten security, you might have overlooked a major security hole somewhere else.
To prevent this, we'll analyze the security elements of a complete Terminal Server system in this chapter. We will systematically analyze every Terminal Server component, taking note of what the potential security risks are and what to do to minimize each of them.
Let's begin by reviewing the components that make up a Terminal Server system. We can represent the individual components as layers in the complete Terminal Server system, as shown in Figure 12.1. (These layers are like the OSI model applied to a Terminal Server.)
Figure 12.1: Terminal Server layers
This chapter focuses primarily on the security of the Terminal Server components. It is not meant to be an end-to-end security manual. Your Terminal Server environment is only as secure as its weakest component, and often human elements are involved for which no technical manual can prepare you.
Security Configuration Layers
Let's take another look at the different layers in which many of the security-related settings can be made. For example, client drive remapping can be enabled or disabled as part of a user's AD account properties, via a GPO, as a setting on the RDP client, or as a property of a server's connection listener port. Beyond that, applications launched via an RDP file can also have the printer mappings configured within the RDP file itself.
When a single parameter is configured in multiple locations with conflicting settings, the most restrictive configuration will always take precedence (unless a GPO is involved, in which case the rules change; see Chapter 6). Referring to Figure 12.2, if the client device and the GPO were configured to allow drive mapping, but the server connection was set to prohibit it, no session connecting via that connection would be able to access client drives. Although the client is configured differently, users must still traverse the connection, and that connection is configured to prohibit drive mapping. In this example, we can say that the "client layer" was set to allow drive mapping, and the "connection layer" was configured to deny it.
Figure 12.2: The drive mapping security parameter configured at multiple layers
Figure 12.3 shows all of the possible layers where a security parameter can be configured. Not every security parameter can be configured at every layer. It's important to look at the Terminal Server settings and determine the proper layer at which the security parameter should be applied. Do all users require drive mapping, or only users connecting to certain servers? Might only users connecting to a server via a specific IP address need drive mapping?
- GPO: All users logging into servers where the policy is applied.
- Server: All users connecting to one server.
- Connection: All users attaching via one defined server connection. Multiple connections can exist on one server.
- Client: All users connecting from one RDP client device, regardless of the user rights or the server or farm hosting the RDP session.
- User Account: User profile settings. These settings follow the user, regardless of the server or connection used.
- RDP File: Settings affect anyone using the RDP file, regardless of settings in other locations.
Figure 12.3: Various configuration scope layers
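The "most restrictive wins" rule can be modeled in a few lines. The following is an added example, not code from the book: it parses the `redirectdrives` setting out of an RDP file and combines it with the other non-GPO layers, reporting which layer blocks drive mapping. The layer names, function names, and sample file content are assumptions made for illustration, and the GPO layer is deliberately left unmodeled because its precedence follows different rules.

```python
# Added example: "most restrictive wins" across the non-GPO layers.
# Layer names and function names are assumptions made for this sketch.
LAYERS = ("server", "connection", "client", "user_account", "rdp_file")

# Constructed sample .rdp content (name:type:value lines).
SAMPLE_RDP = """full address:s:ts01.example.test
redirectdrives:i:1
redirectprinters:i:0
"""

def parse_rdp_file(text):
    """Parse 'name:type:value' lines; 'i' values become int, others stay str."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.lower()] = value
    return settings

def effective_setting(layers):
    """layers: name -> True (allow), False (deny) or None (not set at that layer).
    Returns (allowed, denying_layers)."""
    if "gpo" in layers:
        raise ValueError("GPO precedence follows different rules; not modeled here")
    unknown = set(layers) - set(LAYERS)
    if unknown:
        raise ValueError("unknown layer(s): %s" % ", ".join(sorted(unknown)))
    denying = [name for name in LAYERS if layers.get(name) is False]
    return (not denying, denying)

def drive_mapping(rdp_text, **other_layers):
    """Combine the RDP file's redirectdrives value with the other layers."""
    value = parse_rdp_file(rdp_text).get("redirectdrives")
    layers = dict(other_layers)
    layers["rdp_file"] = None if value is None else bool(value)
    return effective_setting(layers)

if __name__ == "__main__":
    # Client allows, connection denies: the connection layer blocks the mapping.
    print(drive_mapping(SAMPLE_RDP, client=True, connection=False))
```

The list of denying layers is the useful part when troubleshooting: it shows which layer to inspect when a setting that looks enabled on the client has no effect in the session.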
Throughout this chapter we'll look at dozens more security settings configurable at all layers. Beyond that, the appendix of this book contains a "Terminal Server 2003 Component Configuration" chart detailing every setting within the Terminal Server environment and listing the layer at which it can be configured.
The rest of this chapter is divided into sections that each focus on a different security configuration layer, including:
- Server security
- Application security
- Connection security
- Network security
- User account security