Terminal Services

How far is too far? If you can throw a wad of paper — from your desk — at all your end users, chances are your organization doesn’t need “remote” connectivity. However, to administer and maintain servers two states away, Terminal Services (TS) provides a great alternative to booking a flight.
Microsoft has included TS, a thin-client remote connectivity tool, with every server operating system since Windows NT. Client devices can connect to the terminal server across the network and interact with the desktop as if they were physically sitting in front of the server. TS can also host an application centrally. Rather than installing and maintaining an application on hundreds of desktops or having to upgrade to meet the necessary system requirements, an application can be installed on a server and end users can access the application through Terminal Services, thus simplifying the maintenance and updating process.
Take Vend Service, for example, which manages logistics and deliveries of vending-machine goods across the southeast United States. Over the past 43 years, the company has grown from its roots in Rome, Ga., to a second warehouse in Ocala, Fla. The Vend Service environment currently contains four servers running Windows Server 2003 and 32 desktops using Windows XP Professional. The two sites are connected by a point-to-point T1 pipeline. With two sites separated by more than 400 miles, Vend Service relies on TS for remote connectivity to administer and maintain their servers, says IT manager Chad Culbreth.
By connecting to their Georgia-based servers via TS, Culbreth can log into the company’s servers and make modifications, update policies, check logs and perform other administrative tasks on the systems in Florida. Culbreth can apply patches or update applications remotely rather than travel. “Not only can I control our whole network from my desk, but our remote office can now connect to our terminal server to work in our software program,” he says.

Legacy Desktops
Vend Service also uses TS to centrally host applications that remote end users access. There are a variety of benefits to this approach. First, it is much simpler to install and maintain a single copy of an application, particularly if that application is installed on a server that can be monitored and maintained remotely using TS. When vulnerabilities are discovered or updates are released, IT personnel need to implement changes on only one server, rather than deploy changes to every desktop within the environment.
Another benefit: Organizations can use new software without having to replace or upgrade every desktop in the environment. New applications may require a newer operating system or more processing power, RAM or hard drive space than what is available on the organization’s standard-issue desktop. Updating every desktop can be expensive. But with TS, a server that meets the software requirements and has the bandwidth and horsepower to handle multiple simultaneous connections can be used centrally to host resource-hungry applications, giving users access through their legacy desktops.
At Vend Service, there are several remote users who access Microsoft Dynamics NAV (Navision) enterprise resource planning software. “You can’t use Navision over the T1 connection because the program uses the local machine as well as the server to do the calculations,” Culbreth says.
Leveraging Terminal Services, remote users are able to log into the centrally hosted application across the T1 and use the software as if it were installed on their own computer. In addition to the benefits mentioned earlier, hosting the application in a single, central location also simplifies backing up critical data and makes disaster recovery more efficient.
Culbreth is currently considering migrating these remote end users from Windows XP to Mac OS X desktops, from which they can either run Windows in a virtual computing environment, such as Parallels, and use their existing Terminal Services connectivity, or use the Apple version of the Remote Desktop Connection utility supplied by Microsoft to access the Microsoft NAV software.

Tweaking Terminal Services for Security
Terminal Services and Remote Desktop Connection are great tools that can help administrators and users to be more productive, but allowing remote connections to server resources is a double-edged sword. Configuring Terminal Services settings to restrict access to authorized user accounts or computers and encrypting the terminal server remote sessions provide some protection. However, to be truly secure, there are some additional steps you should take.
• Never run Terminal Services from a domain controller. With the exception of the default sessions allowed for administrative purposes, Terminal Services should not be enabled on domain controllers. If you allow users to connect remotely to a domain controller to run an application, you have already lowered your defenses. A malicious user, or an attacker, may be able to elevate their privileges to access other areas of the domain controller. This is true on any server, but an attacker with control of a domain controller can wreak more havoc than an attacker with control of an application server.
• Require a virtual private network tunnel for terminal server connections over the Internet. TS can encrypt terminal server sessions, but there is no authentication to verify the identity of the user. Encryption may be subject to man-in-the-middle attacks that could enable an attacker to hijack the session and access network resources. The VPN tunnel requires that the user supply valid credentials and provides stronger security by ensuring that the data goes only to its intended destination. If you do encrypt, the General Preferences tab settings in TS offer four levels of encryption — Low, Client-Compatible, High and FIPS Compliant — to secure the session data traveling between the terminal server and the remote client.
• Use two-factor authentication. Whether or not you require a VPN connection, you should also consider requiring two-factor authentication for end users or devices that connect to the network remotely. Attackers can exploit weak passwords, use keystroke-logging utilities, or simply “shoulder-surf” to obtain user credentials to log on to the network. Requiring two-factor authentication will help ensure that unauthorized end users cannot gain access to your network.
• Set time limits for sessions. Along with limiting the number of concurrent users, it is also wise to establish some time limits for sessions, particularly sessions that are idle or disconnected. If you allow only a certain number of users to log in remotely at a time, you want to ensure that unused sessions aren’t taking up connections needlessly. There are three ways to limit sessions in TS: Establish a timeframe for shutting down disconnected sessions (End a Disconnected Session); establish a timeframe for sessions to expire so that users don’t stay connected indefinitely (Active Session Limit); and disconnect end users who have moved on to other tasks but have left the session open (Idle Session Limit).
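An added example (not part of the original article) that checks a terminal server's listener settings against the encryption and session-limit advice above. It assumes the settings are read with `reg query` from the RDP-Tcp listener key and stored in the `MinEncryptionLevel`, `MaxDisconnectionTime`, `MaxConnectionTime` and `MaxIdleTime` values; the sample output is constructed, and the High minimum is a policy choice made for the example.

```python
import re

# Constructed sample of `reg query` output for the RDP-Tcp listener key
# (not captured from a real server).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x2
    MaxConnectionTime    REG_DWORD    0x0
    MaxDisconnectionTime    REG_DWORD    0x36ee80
    MaxIdleTime    REG_DWORD    0x0
"""

# Encryption levels named in the article, keyed by the registry value's data.
ENCRYPTION = {1: "Low", 2: "Client-Compatible", 3: "High", 4: "FIPS Compliant"}
# Registry value -> the session limit it backs (times are in milliseconds).
LIMITS = {
    "MaxDisconnectionTime": "End a Disconnected Session",
    "MaxConnectionTime": "Active Session Limit",
    "MaxIdleTime": "Idle Session Limit",
}

def parse_reg_query(text):
    """Return {value name: int} for every REG_DWORD line in reg query output."""
    pattern = re.compile(
        r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)
    return {name: int(data, 16) for name, data in pattern.findall(text)}

def audit(settings, min_level=3):
    """List findings; a missing or zero time limit is treated as 'never'."""
    findings = []
    level = settings.get("MinEncryptionLevel")
    if level is None or level < min_level:
        findings.append("Encryption level is %s; expected %s or stronger"
                        % (ENCRYPTION.get(level, "not set"), ENCRYPTION[min_level]))
    for value, label in LIMITS.items():
        if settings.get(value, 0) == 0:
            findings.append("%s is not set (%s = never)" % (label, value))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_reg_query(SAMPLE)):
        print("FINDING:", finding)
```

Settings pushed through Group Policy are stored under a separate policy key, so run the check against whichever key reflects the server's effective configuration.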
Windows Server 2003 allows up to two remote connections with its initial license. This should be sufficient for a small organization with only one or two administrators and no need to host any applications through Terminal Services. But if you wish to have more than two remote connections, either for additional administrators or for hosting an application, you will need to buy the appropriate licensing.
The client utility, Remote Desktop Connection, is available for most versions of the Windows operating system, including Windows Mobile. Microsoft has also developed a Remote Desktop Connection utility for use with Apple's Mac operating system.
Microsoft provides two types of Client Access Licenses (CAL): Device and User.


