Before I get started, I want to mention that this article is by no means a comprehensive guide to Terminal Service security. I could probably write a good-sized book on the subject, so there is no way that I can adequately cover the topic in a few pages. Instead, I’m going to give you some basic pointers for securing your Terminal Service environment. Let’s start by talking about planning for Terminal Server deployment.

I know that many organizations are strapped for cash, but rule number one is that a Terminal Server should never be assigned double duty. To put it simply, you should never run the Terminal Services alongside some other server application such as Exchange Server. Doing so can place a major strain on server resources such as the CPU and memory, and creates a huge security risk.

Probably the best example of a “double duty” configuration that presents a security risk is running the Terminal Services on a domain controller. Naturally there is the issue that if one of your users manages to exploit a weakness and gain access to the underlying operating system, they have gotten access to a domain controller, but the security risks are actually much worse than that. At least some versions of the Windows Terminal Services require users to have Log on Locally permissions in order to log in through a Terminal Service session. If the Terminal Services are running on a domain controller and this permission is applied, then users are granted Log on Locally permissions to all of the domain controllers in the domain. This means that if a user can gain physical access to a domain controller, they could just log in.

Another common mistake that administrators make during a Terminal Service deployment is using an inappropriate security model. As I’m sure you’re aware, each new version of Windows Server that comes out offers new security features, but maintains backward compatibility with previous versions of Windows Server. Often though, the only way to maintain this backward compatibility is to sacrifice some security features that the older operating system doesn’t support. This is exactly what happens when you deploy the Terminal Services. When you install the Windows Server 2003 version of the Terminal Services, you are given the option of using “relaxed security” as a way of maintaining backward compatibility with older versions of Windows Server.