Terminal server Security Issues

[Bobby]

we have been selling a software with hardlocks. Each
station running the software must have a hardlock.

I just found out that someone successfully ran a 5
station network with TS with just a single hardlock. I am
still learning about the TS concepts. Can anyone give me
hints/solutions/website on how to stop or detect this ?

Also, is there any way we can easily set up a TS-
Workstation like a trial version(minimum cost) so I can
test my software ?

Thanks

Bobby

 

[Cláudio Rodrigues]

Terminal Services is part of Windows 2000/2003 and therefore if you have
this OS installed you have TS for free in case you want to test anything.
Secondly, just change your application to check if the Terminal Services
Service is running AND if it is set to 'Application Mode'. If it is do not
allow your application to run.
This will be good from one side but very bad in other cases. Your
application may be terrible to run over a WAN link for example and companies
may be willing to run your application from anywhere, even over the web and
in this case TS is the way to go. Preventing it from running on TS for sure
will fix your licensing concerns; but at the same time it will kill a big
potential market for you that would be allowing people to run your
application anytime from anywhere on any device. You should change your
application licensing to check how many users are running it (like checking
how many instances of your app are running on the TS) and preventing it to
run more than the number licensed (example 5 users).

These are my 2 cents as a developer...

--
Cláudio Rodrigues

Microsoft MVP
Windows Technologies - Terminal Services
http://www.terminal-services.net

 

[Ivan Leichtling [MSFT]]

Bobby -

For a test bed you will need some version of windows server, win2k or
higher. This can be run in remote administration mode without any
additional licenses and allows 2 concurrent administrative
connections.

In terms of learning about TS, check out the Terminal Services
Community Site:
http://www.microsoft.com/windows2000/community/centers/terminal/default.mspx

Also, check out MSDN for programming terminal servers.
http://msdn.microsoft.com/library/d...erv/termserv/terminal_services_start_page.asp

I'm just guessing wildly, but it seems that if you want to allow a
single terminal services user to use your application, then you'll
need some sort of mechanism by which the first user to run the
application 'reserves' the hardlock. If you want to disallow ALL
terminal service users, then there are simple ways to verify if you
are in a TS session or not.

we have been selling a software with hardlocks. Each
station running the software must have a hardlock.

I just found out that someone successfully ran a 5
station network with TS with just a single hardlock. I am
still learning about the TS concepts. Can anyone give me
hints/solutions/website on how to stop or detect this ?

Also, is there any way we can easily set up a TS-
Workstation like a trial version(minimum cost) so I can
test my software ?

Thanks

Bobby

This posting is provided "AS IS" with no warranties, and confers no rights

 

[Brad Pears]

Claudio, do you happen to have any sample VB code that can determine if the
TS service is running and whether you are in app or remote admin mode ?

Brad

 

[Brad Pears]

Ivan, Do you happen to have access to any VB code that can tell you if you
are in a TS session or not?

Brad

 

[Ivan Leichtling [MSFT]]

I appologize, but I'm not a VB developer. In C/C++ the following are
a few that work:

- GetSystemMetrics with the SM_REMOTESESSION parameter.
- GetCurrentProcessId then ProcessIdToSessionId then compare this to
WTSGetActiveConsoleSessionId

Ivan, Do you happen to have access to any VB code that can tell you if you
are in a TS session or not?

Brad

This posting is provided "AS IS" with no warranties, and confers no rights

 

[Vera Noest [MVP]]

I'm neither Cláudio nor Ivan, but you can check the following
registry key:

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\TSAppCompat

0 is Remote Admin, 1 is App Mode

Note that this key will let you see what mode the server is in.
You can not switch between the modes just by toggling the key.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup ---