Security Enhancements

In Windows 2000, to give a user access to connect to a terminal server, you must modify the permissions on the RDP Connection Configuration of each terminal. This usually means creating a group (or groups) and granting them the appropriate access on each and every terminal server. In Windows Server 2003, this is already done for you. By default, a local group called Remote Desktop Users has User Access and Guest Access permissions to the terminal server. By simply adding users or groups to this local group, you can grant users access to log on to the terminal server. Of course, you can still manually modify the individual server configuration settings to get more granular control. To get further centralized control, you can manage the membership of the Remote Desktop Users group using the Restricted Groups group policy at the domain level.

As with Windows 2000, when installing Terminal Services (Application Server mode), you are given the option to choose a compatibility level. This adjusts the permissions on Registry keys, system files, and so on. With Windows 2000, the choice is between Permissions Compatible with Windows 2000 Users and Permissions Compatible with Terminal Server 4.0 Users. With Windows .NET 2003, the choice is between Full Security and Relaxed Security. It is, of course, recommended that you use the Windows .NET compatibility mode to provide a more secure environment.

By default, Windows Server 2003 terminal servers attempt to encrypt client sessions with 128-bit (RC4) bidirectional encryption. Whether the terminal server will accept clients that don't support 128-bit encryption can be configured with the Set Client Connection Encryption Level group policy setting. Once it is enabled, the options are Client Compatible or High Level. High Level accepts connections only from clients that support 128-bit encryption; Client Compatible allows connections with whatever encryption strength the client supports. By requiring 128-bit encryption, you can ensure that the communications between client and terminal server are secure.

In addition to configuring the encryption level the terminal server will use, you can also use group policy to configure the RPC session security. The RPC Security Policy\Secure Server (Require Security) group policy setting allows RPC connections only with trusted clients and only over authenticated and encrypted sessions. This prevents unauthorized machines (outside your organization) from even establishing a connection.

Additionally, you can configure the server (via group policy or the Terminal Server Connection Configuration) to always prompt clients for a password on connection. This option is also available in Windows 2000 (though not as a group policy setting) and prevents users from connecting to the terminal server with passwords stored in the client settings. It therefore helps to secure the terminal services environment by forcing users to type in a password to authenticate.
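The following audit script is an added example, not part of the book, that checks the three settings discussed above on a terminal server: the effective minimum encryption level, the always-prompt-for-password setting, and the membership of the local Remote Desktop Users group. It assumes the standard Terminal Services registry locations (the group policy key under HKLM\SOFTWARE\Policies overrides the RDP-Tcp listener key) and that `net localgroup` is available; run it in an elevated PowerShell session on the server.

```powershell
# Added audit example (not from the book). Reports the effective RDP security
# settings described in the text. The policy key, when present, takes
# precedence over the per-listener key (assumption: default RDP-Tcp listener).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-EffectiveTsValue {
    param([string]$Name)
    foreach ($key in @($policyKey, $listenerKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            return New-Object PSObject -Property @{ Source = $key; Value = $item.$Name }
        }
    }
    return $null
}

# MinEncryptionLevel values used by the RDP-Tcp listener:
# 1 = Low, 2 = Client Compatible, 3 = High (128-bit required), 4 = FIPS Compliant.
$encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$enc = Get-EffectiveTsValue 'MinEncryptionLevel'
if ($enc -eq $null) {
    Write-Warning 'MinEncryptionLevel is not set; the listener default applies'
} elseif ([int]$enc.Value -lt 3) {
    Write-Warning ('Encryption level is {0}; High is recommended so only 128-bit clients connect' -f $encNames[[int]$enc.Value])
} else {
    Write-Output ('Encryption level: {0} (from {1})' -f $encNames[[int]$enc.Value], $enc.Source)
}

# fPromptForPassword = 1 means saved client passwords are ignored and the user must type one.
$prompt = Get-EffectiveTsValue 'fPromptForPassword'
if ($prompt -eq $null -or [int]$prompt.Value -ne 1) {
    Write-Warning 'Always prompt for password is not enabled; passwords stored in client settings will be accepted'
} else {
    Write-Output ('Always prompt for password: enabled (from {0})' -f $prompt.Source)
}

# Members of the local Remote Desktop Users group, which grants logon by default.
# Filter out the header and footer lines that "net localgroup" prints.
$members = (net localgroup 'Remote Desktop Users') |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' }
Write-Output 'Remote Desktop Users members:'
$members | ForEach-Object { Write-Output ('  {0}' -f $_.Trim()) }
```

Review the printed member list against the groups you intended to grant access to (or enforce it centrally with Restricted Groups as described earlier), since every account listed can log on to the terminal server.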

The RDP 5.1 protocol adds another enhancement to make authentication to the terminal server more secure: smart card redirection support. This feature enables the terminal server to use the local machine's smart card reader. By redirecting the local smart card reader to the terminal server, a remote user can log on to the terminal server by inserting a smart card (in the local card reader) and typing in the PIN. The smart card reader verifies that the PIN matches the PIN stored on the card and then transmits the digital certificate for the user ID to be authenticated against the domain. This is a more secure form of authentication because the user's ID and password are never transmitted on the network and the physical card must be inserted.

Another new security feature for terminal server is the ability to use Software Restriction Policies. Although not specifically a terminal server enhancement, the new Software Restriction Policies section of group policy can be used to protect the terminal server environment. Software Restriction Policies can be used to specify whether certain file types are allowed to run, as well as to specify certain levels of permissions for various Registry keys.

Software Restriction Policies replaces AppSec, the Application Security tool from NT 4.0 Terminal Server or the Windows 2000 Resource Kit.

  • For more information on Software Restriction Policies, see "New Group Policies," p. 93.