Terminal Service on Domain Controller?

John Smith

Should Terminal Service be installed on a DC?

Also, how do I prevent users from accessing other
applications on the Server?

Thanks
 
The Terminal Services FAQ
http://www.microsoft.com/windows2000/community/centers/terminal/terminal_faq.mspx
is a great place to get answers to both these questions:

Q. I want to deploy Terminal Server on my domain controller. How do I
give users access?

A. While Microsoft does not recommend this practice, as it compromises
security on the domain controller, you can find information in Domain
Controllers Require the "Log on Locally" Group Policy Object for
Terminal Services Client Connections (Q247989)
http://support.microsoft.com/default.aspx?scid=kb;en-us;q247989 in the
Microsoft Knowledge Base.


Q. How do I "lock down" my terminal server?

A. For Windows 2000 Server, see David Mackey's Securing Windows 2000
Terminal Services white paper.
http://www.microsoft.com/technet/tr...echnol/win2kts/maintain/optimize/secw2kts.asp

For Windows Server 2003 and Windows XP, you can restrict what software
users can run on the server. See Using Software Restriction Policies
to Protect Against Unauthorized Software
http://www.microsoft.com/windowsxp/pro/techinfo/administration/restrictionpolicies/
and Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/...ff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en


This posting is provided "AS IS" with no warranties, and confers no rights
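
The FAQ answer above points to Q247989, under which Terminal Services client connections to a domain controller need the "Log on Locally" right. As an added example (not part of the thread or of Microsoft's material), this Python script audits who holds that right in a template written by `secedit /export /cfg`; the sample INF text, the account name `tsusers` and the list of expected default holders are constructed assumptions.

```python
import re

# Holders of "Log on locally" expected on a DC (assumed typical defaults;
# adjust to your own baseline).
DEFAULT = {"S-1-5-32-544", "S-1-5-32-548", "S-1-5-32-549",
           "S-1-5-32-550", "S-1-5-32-551"}
# Broad groups: granting these lets ordinary users log on to the DC.
BROAD = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-555"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

def logon_locally_holders(inf_text):
    """Return principals listed for SeInteractiveLogonRight in [Privilege Rights]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == "seinteractivelogonright":
                # SIDs are written with a leading '*'; names appear bare.
                return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def audit(inf_text):
    """Map each holder to 'default', 'broad' or 'review'."""
    findings = {}
    for who in logon_locally_holders(inf_text):
        if who in DEFAULT:
            findings[who] = "default"
        elif who in BROAD or DOMAIN_USERS.match(who):
            findings[who] = "broad"
        else:
            findings[who] = "review"  # specific account or group: confirm it is intended
    return findings

# Constructed sample in the INF layout written by `secedit /export /cfg`.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513,tsusers
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for who, verdict in audit(SAMPLE).items():
        print(f"{verdict:8} {who}")
```

Real exports are normally UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.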
 
In general it is easier to secure servers if you segregate
their roles. You should see better reliability from
your servers, and easier troubleshooting as well.
Terminal servers require a fair amount of administration
in the form of application updates, reboots, etc.
Generally I try to keep my domain controllers up except
for application of service packs and hotfixes. However,
if your needs dictate it, it is possible to run a DC as a
terminal server.

As for access to other applications there are many
different ways to restrict access to applications.
Modification of permissions, using Citrix to publish
applications, or THOR from http://www.tricerat.com/ are
just a few.

Paul
 
reality, small companies cannot afford a 2nd server for remote access just
to appease best practices. It should be secured well. I designed and use
AppLauncher for locking down access to apps and it is used by hospitals,
banks, resorts, and Burger King. Much cheaper alternative to Citrix which
is what I used to sell.
 