Locking Down Windows Terminal Services
There is no magic wand that can lock down your Windows Terminal Servers, but there are many built-in tools provided by Microsoft that do a pretty good job. When the built-in tools are not appropriate or sufficient there are many freeware and commercial 3rd party utilities to do the job.
Built-in tools, settings and lockdown tactics
The number one thing one can do to protect a terminal server from being intentionally or unintentionally tampered with is to limit the number of user accounts that are members of the local administrators security group. If a user is a member of this group, there is absolutely nothing that can be done to prevent this person from altering the system configuration. If there are administrative users that use the terminal servers outside of doing system maintenance, it's best practice that they do their normal work with a non-administrative account and logon as an administrator or use the runas cmd to perform tasks that require administrative rights or permissions.
Appropriate assignment of NTFS Permissions is a critical configuration step, luckily the default settings in Windows Server 2003 are fairly solid. If you're using Windows 2000 Server or want to audit the NTFS Permissions on a Windows Server 2003 Terminal Server, the following are the settings that I would start with on a "new system build":
%SystemDrive% - Authenticated Users = "Read and Execute"
%SystemDrive% - Administrators = "Full Control"
%SystemDrive% - System = "Full Control"
%SystemDrive% - Creator Owner = "Full Control"
%ProgramFiles% - Authenticated Users = "Read and Execute"
%ProgramFiles% - Administrators = "Full Control"
%ProgramFiles% - System = "Full Control"
%ProgramFiles% - Creator Owner = "Full Control"
I can NOT stress enough that making system wide changes to the NTFS Permissions on a production system is very likely to have unintended side effects like system instability and inoperable programs. Start with a clean install of a system, lock down the file system and relax the permissions on a per file or per directory basis when needed to allow a specific application to operate when executed by a limited user account.
Restricting access to applications with NTFS Permissions is very effective, but only if you know which applications you want to deny access. It just so happens restricting access to applications or files via NTFS ACLs is very easy, simply alter the ACL so the user's account or a group the account is a member of is not listed in the ACL. If the security group cannot be removed, once can create a new group, add specific users to the group and DENY Read Permission to the Group on the ACL of the file or Directory.
The system registry has Access Control Lists similar to the NTFS File System. One can restrict users or groups from being able to read or alter specific keys or entries in the Windows Registry. Do NOT go perusing the Windows Registry, blindly making changes that you think will lock down your system. Doing so will likely cause the system to function improperly. Make a backup of the registry before making any changes.
The Terminal Server Service has its own security settings that impact the stability of the system. These settings can be found in the Terminal Server Configuration Administrative Tool (tscc.msc) and some are also in Group Policy at Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services. The most important of all settings in tscc.msc is the Permission Compatibility which should always be set to "Full Security" (Windows Server 2003), or to "Windows 2000 Users" (Windows 2000 Server). If you use the "Permissions compatible with Terminal Server 4.0 Users" (Windows 2000 Server) or "Relaxed Security" (Windows Server 2003), each user logging on is added to the TSUser Security Group, which has permissions and rights of the Power Users Group.
Group Policy is a very effective method of restricting access to files, the Windows Registry and features of applications and the Operating System. One fundamental problem with relying on Group Policy as the only method of system lock down is that there is usually more than one way to perform any task in the OS or a Windows Application. Using a Loopback Policy to lock down a Windows Terminal Server is a standard configuration step any time you have access to create GPOs and manage Active Directory. You can refer to my previous article to set up a loopback policy, but the following settings are particularly useful when locking down a Terminal Server:
- Enable "Delete Cached Copies of Roaming Profiles". Since the Roaming Profile does not propagate the user's Temp Directory, enabling this policy will usually delete that anything the user downloaded unintentionally. This policy deletes the user's local profile at logoff once it's been successfully unloaded and copied to the roaming location.
- Enable "Empty Temporary Internet File Cache when browser is closed". This will reduce the storage required for local profiles and deletes many spyware installers that were unintentionally downloaded by the end user.
- Hide these specific drives in My Computer
- Prevent access to these drives from My Computer
Install the User Profile Hive Cleanup Service, which helps to ensure user sessions are completely terminated when a user logs off. Without this service, user profiles are often not unloaded successfully which causes the copy to the roaming profile location and DeleteRoamingCache setting to fail
Define and enforce a strong password policy. This is kind of a no brainer, but without a strong password policy, your system can easily by compromised.
Freeware Lockdown Utilities
Fabrice Cornet of FCConsult.be provides an excellent, database driven system lockdown utility called BrsSuite.
2X Software Ltd. offers a freeware product called SecureRDP which can filter connections by RDP Client Version, MAC Address…
Login Consultants, NL maintains a utility called the Flex Profile Kit, which applies settings from an OPS File (Office Profile Setting) to a Mandatory User Profile.
Commercial 3rd Party Programs
Appsense Application Manager is designed to restrict access to authorized applications, stop spyware, malware, trojans… Application Manager is part of the Appsense Management Suite.
Appsense Environment Manager is a desktop lockdown utility and is part of the Appsense Management Suite.
Provision Networks Manage-IT is a GUI Based Product that allows administrators that do not have access to use Group Policy to lock down the user’s profile settings. Manage-IT is also a module of Provision Virtual Access Suite.
RES Powerfuse is a workspace management solution that allows administrators to streamline, configure, secure and monitor the end user’s environment.
TriCerat Simplify Lockdown offers a replacement shell for explorer.exe and a GUI Driven utility to lockdown the user’s operating environment.
To provide the most secure remote access, keep Terminal Servers in the private network, behind a firewall and access these machines via a reverse proxy or SSL VPN Device placed in a DMZ. In these configurations, users do not interact directly with any of the terminal servers, which adds an additional layer of security. Commonly used products that fit in this category are:
- 2X LoadBalancer
- AEP Networks Netilla Security Platform
- Citrix Access Gateway and Advanced Access Control
- Citrix Presentation Server with Citrix Secure Gateway 3.0
- Provision Networks VAS with Secure-IT SSL Gateway
It is worth noting that the next release of Windows Server, Windows Server 2008, includes an SSL Terminal Server Gateway, that works in much the same way as the Exchange Server RPC over HTTPS feature.
Windows comes with many built-in tools and settings to secure Windows Terminal Servers, but which ones you can use depends on your organizational structure and expertise with each tool. If you can’t or don’t want to one or all of the Microsoft tools, there are plenty of companies making polished lockdown solutions, and even some offering very good freeware utilties.