Home > Articles > Operating Systems, Server > Microsoft Servers

  • Print
  • + Share This
This chapter is from the book

Connection Authorization

While user authentication deals with verification of a user's identity, connection authorization deals with regulating what server resources a validated user is authorized to access. For example, you may have 500 users in your organization, all of which have access to resources in the Windows domain (printers, file servers, and so on) but only 100 of which require access to log on to and function within the Terminal Server environment. While it may appear easier from an administrative standpoint to simply allow all users access to the Terminal Server environment, this invariably results in users not supposed to be logged on to the environment in fact being logged on, either intentionally or by accident. In addition to the obvious security concerns this can raise is the issue of license and server resource consumption. If you have implemented a Terminal Server environment to support 100 concurrent users, you had better be certain that you have the mechanisms in place to ensure these resources are available for the intended users.

In the "Administrative Delegation" section earlier in this chapter, I discussed use of local security groups to delegate user permissions on a Terminal Server. We now leverage the local group configuration discussed in that section to manage the connection authorization for a Terminal Server. All properties for Terminal Server connections, including security, are managed through the Terminal Services Configuration application in the Administrative Tools folder on the Start menu. Figure 16.12 shows the Terminal Services Configuration application for a Windows 2000 Terminal Server supporting both RDP and ICA connections. The Windows 2003 Terminal Services Configuration tool has the exact same interface.

Figure 16.12Figure 16.12 The Windows 2000 Terminal Services Configuration application.

Connectivity permissions for a Terminal Server are managed through the Permissions tab, found on the Properties page for each of the listed connection types, as shown in Figure 16.13. As with other access control lists in Windows, this tab lets you specify what groups have connectivity access to the Terminal Server and what specific privileges they possess. Table 16.3 shows both the default and recommended connectivity permissions for the RDP and ICA protocols. As you can see in the table, the default connection permissions differ slightly between the Windows 2000 (RDP 5.0) and 2003 (RDP 5.2) protocols.

Figure 16.13Figure 16.13 The default Windows Server 2003 RDP permission properties.

Windows Terminal Server 2003 utilizes three group/user objects not found in Windows 2000:

  • LOCAL SERVICE—This is a special built-in user account that has the same privileges as a member of the local Users group. This account has very limited access to network resources, presenting only null session information with no user credentials when prompted by a remote system. This account exists to make it easier for an administrator to grant limited privileges to services that require only local access on a server. By default this account has permissions to send text messages to all RDP protocol users on a server.

  • NETWORK SERVICE—This built-in account also has privileges equivalent to a member of the local Users group. Where this account differs from the LOCAL SERVICE account is in the network privileges it has been granted. When prompted by a remote system for network credentials, this account sends the computer's account credentials.

  • Remote Desktop Users—By default, a user requires membership in this local group in order to log on to a Windows 2003 Terminal Server. The appropriate connection privileges and local user rights are all preconfigured for members of this group.

  • The main reason for creation of this group was to improve default security of a Terminal Server by negating the assumption that all members of the local Users group should be granted access to log on to a Terminal Server session. A common security problem in the Windows 2000 Terminal Server environment occurred immediately after the server was added into a domain, because a byproduct of domain membership is that the domain Users group is automatically added to the computer's local Users group. This resulted in granting all domain users connectivity privileges necessary to be able to log on to the Terminal Server remotely. An administrator needed to be aware of this situation and modify the connectivity permissions accordingly in order to negate this potential security issue.

Table 16.3 Default and Recommended Terminal Server Connection Permissions

Default RDP Settings (Windows 2000 and 2003)

Default ICA Settings (MetaFrame XP)

Account/Group

Access

Account/Group

Access

Administrators (local)

Full Control

Administrators (local)

Full Control

SYSTEM

Full Control

Everyone

Guest Access

Users (local) (W2K only)

User Access
Guest Access

Guests (local)

Guest Access

LOCAL SERVICE (W2K3 only)

Special—Message only

SYSTEM

Full Control

NETWORK SERVICE (W2K3 only)

Special—Message only

Users (local)

User Access
Guest Access

Remote Desktop Users (local) (W2K3 only)

User Access
Guest Access

 

 

Administrators (local)

Full Control

Administrators (local)

Full Control

SYSTEM

Full Control

SYSTEM

Full Control

Users (local)

User Access
Guest Access

Remote Desktop Users (local)

User Access
Guest Access

Terminal Server Operators (local)

User Access
Guest Access
Special
Allow Reset
Allow Remote Control
Allow Disconnect

Terminal Server Operators (local)

User Access
Guest Access
Special
Allow Remote Control
Allow Logoff
Allow Disconnect

Terminal Server User Support (local)

User Access
Guest Access
Special
Allow Reset
Allow Remote Control
Allow Disconnect

Terminal Server User Support (local)

User Access
Guest Access
Special
Allow Remote Control
Allow Logoff
Allow Disconnect

 

 

LOCAL SERVICE

Special—Message only

 

 

NETWORK SERVICE

Special—Message only


When configuring the RDP connection permissions, you do not need to modify the default entries, but if you plan to utilize the local Terminal Server User Support and Server Operators groups discussed earlier in this chapter, you should configure their appropriate connectivity privileges. In Table 16.3 I configured these two groups with the same permissions, but you can make the User Support permissions more restrictive if desired.

Both these groups have been assigned the same User and Guest Access privileges assigned to normal Terminal Server users, but special privileges have been added to elevate their access for specific functions. The individual permissions are assigned by clicking the Advanced button on the Permissions tab and then highlighting and editing the desired permission entry, as shown in Figure 16.14. When the additional permissions are assigned, they grant the following privileges:

  • Reset (Windows 2000 only)—This attribute grants the user the ability to reset any RDP connection to the server. A reset forces the connection to be terminated and the resources allocated to be immediately freed. Unlike the execution of the Logoff command (controlled using the Logoff privilege; see the third point in this list), this does not send the Windows logoff message to the session's running applications, allowing them to terminate. If a user has an application open and their connection is reset, any unsaved data is likely lost.

  • Remote Control—This attribute grants the user the ability to remotely control (or shadow) another user's session. The specific remote control permissions are discussed in Chapters 19 and 20, where I discuss connection-specific settings for both the RDP and ICA clients.

  • Logoff—This attribute lets a user log off another user's session just as if that target user had themselves selected Logoff from the Start menu. All running applications receive the Windows logoff message, allowing them an opportunity to cleanly shut themselves down before the user's session is terminated.

  • Disconnect—Instead of being logged off, a user can also be disconnected. This simply terminates the presentation connection between the client and the server but leaves the running desktop session active on the Terminal Server. Any running applications continue to run and be available if the user reconnects before the session is terminated by an administrator or automatically logged off by the system. Maintaining disconnected sessions on a server for long periods of time is usually discouraged because maintaining the state information consumes additional server resources.

Unlike the default RDP permissions, the default ICA permissions are not as secure, providing connectivity permission entries for both the Guests and Everyone groups in addition to the local Administrators, SYSTEM, and local Users. These privileges are not secure and at the very least should be modified to remove the Guests and Everyone groups.

Figure 16.14Figure 16.14 Permission entries for the Terminal Server User Support group on a Windows 2003 Terminal Server.

TIP

If a presentation protocol (RDP or ICA) is not going to be used in your environment, then one way to further secure the environment is to disable or completely remove the unused protocol entry. Removing a presentation protocol is not a permanent thing; in fact it can be re-added at any time if the requirements ever change. Another option is to further restrict the unused protocol by limiting access to only Administrators and SYSTEM. This makes the protocol available if an administrator ever requires it, while ensuring that users cannot use it to gain unauthorized (or uncontrolled) access to the environment.

For example, a common configuration when implementing Citrix MetaFrame is to make RDP connections available but limit their access to only two to four administrative accounts. This type of access can be valuable for an administrator, particularly if there are issues connecting using the ICA protocol.

In addition to the presentation protocols, when reviewing connection security other forms of potentially available connectivity should be examined. The number of running services should be minimized to limit the number of open ports on the server. The fewer network ports that are open, the fewer points of entry that are exposed. In Chapter 11, "Terminal Services Configuration and Tuning," I discussed stopping unnecessary services on a Terminal Server.

  • + Share This
  • 🔖 Save To Your Account