Microsoft’s Windows Terminal Services protection

Microsoft’s Windows Terminal Services Remote Desktop, which is based on Terminal Services, provide an easy, convenient way for administrators to implement thin computing within an organization or for users to connect to their desktops from a remote computer and run applications or access files.

But what about security? What are the security issues involved in using terminal services/remote desktop? Is it safe to use this type of remote connection to work on confidential or sensitive data? In this article, we will take a look at Windows Terminal Services/Remote Desktop security and the steps you can take to make your terminal server and terminal sessions more secure.

Are Terminal Services Vulnerable?

Access and security are always at odds in the networking world. Any feature or technology that provides a new way for authorized users to access a system remotely will also present a potential way for unauthorized users to gain access. Because Terminal Services is used in administrative mode in Windows (and Remote Desktop is used in Windows Server ) to allow administrators to perform such tasks as creating user accounts and setting permissions, changing system configurations, and other highly sensitive tasks, it is logical to question the security of a terminal services session.

Your terminal server is vulnerable to the same exploits that can be used against any Windows server, so it is important first to ensure that all current security updates and patches have been applied. Security vulnerabilities specifically related to Windows Terminal Services have also been reported. For example, SecuriTeam describes a vulnerability that can cause Group Policy to not be applied to terminal users if the number of user licenses installed is less than the number of current connections.

Using terminal services across the Internet will require that you open port 3389, used by the Remote Desktop Protocol (RDP), on your firewall. Every additional port that is opened exposes the network to the possibility of exploit. An RDP-TCP connection is configured for the terminal server’s network adapter, to allow users to connect.

Securing Terminal Services Communications

How, then, can you take advantage of the convenience of Windows Terminal Services and still protect your systems? First, make sure that terminal services is not installed (or enabled) on systems if you don’t want those systems to be accessed remotely. This includes Remote Desktop on Windows Professional computers. On Windows Server and Server , TS is not installed by default. The Remote Desktop feature is installed on Windows Pro and Windows Server , but is disabled by default (Windows Home and Windows Pro do not include the Remote Desktop service). It’s still a good idea to check, especially if you were not the one who installed the operating system, to make sure these services are not enabled on machines that don’t need them.

NOTE: It’s important to distinguish between the Remote Desktop Service and the Remote Desktop Connection client software. The latter is included on Home and Windows Pro and can be installed on Windows computers and some third party operating systems, as well. The client software does not present a security risk.

To disable or enable the Remote Desktop service on a Windows or Windows Server computer, perform the following steps:

Click Start | Control Panel and select the System applet.
Click the Remote tab.
Under Remote Desktop, make sure the Allow users to connect remotely to this computer checkbox is unchecked.
What if you do want to make a system available for remote access through terminal services/Remote Desktop? What can you do to secure that system as much as possible? In the next sections, we will show you some ways.

Configuring the Terminal Server

A Windows terminal server can be installed in one of two modes: administrative or application server. In administrative mode, only users with administrative accounts can access the terminal server and only two such connections are allowed simultaneously. Such users will be able to make configuration changes to the terminal server, so it’s absolutely imperative that you start your security plan by ensuring that administrative rights are not given to users who should not have them.

If you want regular users to access the terminal server to run applications (a “thin client” solution), then you must install terminal services in application server mode. You can then assign terminal services permissions to users and groups to control how they are able to access the terminal server.

Securing the RDP-TCP Connection

You can configure the properties of the terminal server’s RDP-TCP connection to provide better protection. For example:

Restrict the number of client sessions that can remain active on the server (making it easier to keep track of who is connected)
Set session time limits (helping to ensure that sessions are not left unattended and active for long periods)
Restrict reconnections of a disconnected session to the client computer from which the user originally connected, if the Citrix ICA client software is used
Configure encryption levels
Set permissions for users and groups on the terminal server

Using Encryption

You can use encryption to protect the data that travels between the terminal server and the terminal services client. If you fear unauthorized interception of the data as it travels between the two, you should enable encryption. RSA RC4 encryption is used; encryption can be set to one of the following three levels:

High: encrypts both the data sent from client to server and the data sent from server to client using a 128 bit key.
Medium: encrypts both the data sent from client to server and the data sent from server to client using a 56 bit key if the client is a Windows or above client, or a 40 bit key if the client is an earlier version.
Low: encrypts only the data sent from client to server, using either a 56 or 40 bit key, depending on the client version. Useful to protect usernames and passwords sent from client to server.
To change the encryption level, you must be an administrator. In Programs | Administrative Tools, select Terminal Services Configuration and perform these steps:

In the left console pane, select Connections.
In the right details pane, right click RDP-TCP and select Properties.
Click the General tab.
Under Encryption level, select the desired level in the drop down box and click OK.
Rights and Permissions

Now let’s look at rights and permissions in regard to using Windows terminal services. Users, groups and computers can be added to the permissions list via the Permissions tab of the RDP-TCP connection’s properties. Click Add and select the user, group or computer name.

There are three basic permissions that can be granted:

Full Control (given to administrators and the system; allows logging on the terminal server, modifying the connection parameters, connecting to a session, getting session info, resetting or ending a session, logging off other users, remotely controlling other users’ sessions, sending messages to other users, and disconnecting sessions.
User Access (given to ordinary users; allows logging onto the terminal server, getting session info, connecting to a session or sending messages to other user sessions).
Guest Access (for restricted users; allows logging onto the terminal server).

Per-User Terminal Services Settings

You can configure a number of per-user terminal services settings for each user via Active Directory Users and Computers. You need to be a domain administrator; open the ADUC administrative tool and perform the following:

In the left pane, expand the domain name and click the Users folder.
In the right pane, right click the name of the user and select Properties.
Click the Terminal Services Profile tab.
Check or uncheck the Allow logon to terminal server checkbox at the bottom to control whether or not the user can access the terminal server.
You can create a profile and set a path to a terminal services home directory using this tab.

Using the Sessions tab, you can set terminal session timeout limits for a particular user, control what happens when the session limit is reached or the connection is broken, and determine whether the user can reconnect to a session via any client computer or only the original one.

The Remote Control tab is used to configure whether a user’s sessions can be viewed and controlled remotely by administrators and if so, whether the user’s permission will be required.

The Environment tab can be used to set a startup environment for the user. A particular program can be started when the user logs onto the terminal server, and you can specify whether client devices will be connected at logon.

Summary

Any remote connection opens up a system to some vulnerabilities, but Windows terminal services includes configuration options that give administrators the ability to better secure terminal sessions. In this article, we have discussed several methods by which you can make terminal services available to users without compromising your network’s or system’s security.