proper AD security on Terminal Server

  • Thread starter: mike i

mike i

Hello,

I have a small w2k domain with a server running terminal
services. I had to make regular users members of the
local admin group on the terminal server in order for them
to log on. I was wondering if there's a good reference
somewhere for proper AD security for w2k terminal server.
I'd like to prevent the users from installing apps or
otherwise destroying the box.

Thank you,
Mike
 
Making normal users Administrators should never be necessary. What
they probably needed was the right to log on locally (by default
only granted to Administrators). This TS is not running on a
Domain Controller, is it? Because that is a security risk in
itself and therefore not recommended.

These links should help:

243554 - Explanation of RDP-TCP Permissions in Windows 2000
http://support.microsoft.com/?kbid=243554

278295 - How to Lock Down a Windows 2000 Terminal Services Session
http://support.microsoft.com/?kbid=278295

320181 - HOW TO: Use the Application Security Tool to Restrict
Access to Programs in Windows 2000 Terminal Services
http://support.microsoft.com/?kbid=320181

257980 - Appsec Tool in the Windows 2000 Resource Kit Is Missing
Critical Files
http://support.microsoft.com/?kbid=257980

Securing Windows 2000 Terminal Services
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/win2kts/maintain/optimize/secw2kts.asp

Guide to Securing Microsoft Windows 2000 Terminal Services
http://nsa1.www.conxion.com/win2k/guides/w2k-19.pdf
 
Thank you. Looks like I have some reading to do. No, the
TS is not a DC, but I only had 2 days to build a server
that a bunch of people had to use. Now I have to clean
up. btw, I did try to only give them the right to log on
locally, but it still didn't let them log on. Since I
didn't have any time left for troubleshooting, I had to
give them admin rights and hope for the best.
 
Best to read before deploying, but you've figured out that it's not as simple as putting in a CD and selecting install. If this is Windows Server 2003 the users must be members of the Local "Remote Desktop Users" Group, or have implicit permission to the RDP-Tcp connection in the Terminal Services Configuration MSC.

In Windows 2000 you must give users the Logon Locally Right; however, in XP & 2003 this is no longer required unless it's a 2003 Domain Controller.

These groups are the best place to learn what you need to know as the most common problems are asked over and over and over... The Windows Server 2003 Help is quite detailed about what you need to make TS Hum.

Patrick Rouse
Microsoft MVP - Terminal Server
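
An added example, not part of any post in this thread: a Python check over a `secedit /export /areas USER_RIGHTS` policy file that reports whether a non-admin group holds the logon right discussed above (Log on Locally on Windows 2000). The sample export is constructed, the function names are hypothetical, and using `SeRemoteInteractiveLogonRight` for the 2003 case is an assumption beyond the thread; RDP-Tcp connection permissions are not checked.

```python
# Added example (not from the thread): audit exported user rights for the
# logon right a non-admin Terminal Server user needs.
import configparser

# Well-known built-in group SIDs, as they appear in secedit exports.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
# User right checked per OS generation (the 2003 mapping is an assumption).
RIGHT_FOR_OS = {
    "2000": "SeInteractiveLogonRight",        # "Log on locally"
    "2003": "SeRemoteInteractiveLogonRight",  # "Allow log on through Terminal Services"
}

# Constructed sample of a policy export; not taken from a real server.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right name: set of group names or raw SIDs/account names}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original case of right names
    cp.read_string(inf_text)
    rights = {}
    if cp.has_section("Privilege Rights"):
        for right, value in cp.items("Privilege Rights"):
            sids = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            rights[right] = {WELL_KNOWN.get(s, s) for s in sids}
    return rights

def can_log_on(rights, os_version, user_groups):
    """True if any of the user's groups holds the logon right for this OS."""
    holders = rights.get(RIGHT_FOR_OS[os_version], set())
    return bool(holders & set(user_groups))

def admin_only_rights(rights):
    """Rights granted to Administrators and nobody else."""
    return sorted(r for r, h in rights.items() if h == {"Administrators"})
```

A right that shows up in `admin_only_rights` is one that ordinary users can only obtain through Administrators membership, which is the situation the original post describes.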
 