IntroductionBasic Security RecommendationsDuring installation, choose the Full Security OptionHow to configure the security mode for your terminal serverUse Group Policy to lock down your terminal servers and client computersUse the highest level of encryption your organization can supportUse the Remote Desktop Users group to grant access to end-usersUsing Software Restriction Policies to Protect Against Unauthorized SoftwareUse Secure Configuration Settings for your RDP ConnectionsEnable the Internet Connection FirewallUse strong passwords throughout your organizationKeep virus scanners up to dateKeep all software patches up to dateUse encryption to secure connections using Remote Desktop Web ConnectionDo not install Terminal Server on a Domain ControllerEnhanced Security OptionsConsider Using a FirewallUse Restricted groups policy to manage the Remote Desktops User Group at the domain or OU levelTo edit Restricted Groups policyConsider Using Smart Cards for Strong AuthenticationConsider Using a VPN tunnel to Secure Terminal Services connections over the InternetConsider Using IPSec Policy to Secure Terminal Server Communications over your networkHow to Create the IPSec Filter List for Terminal Services CommunicationsHow to create and enable IPSec policy to secure Terminal Server communicationsHow to make sure that clients respond to the Terminal Server's requests for securityUnderstanding the logon processThe Higher Security Logon ProcessRelated LinksRDP - Terminal Server Security ContentsIntroduction...........................................................................................2Basic Security Recommendations...................................................2During installation, choose the Full Security Option..............................3How to configure the security mode for your terminal server...........4Use Group Policy to lock down your terminal servers and client computers.............................................................................................................. 4Use the highest level of encryption your organization can support.......4Use the Remote Desktop Users group to grant access to end-users......7Using Software Restriction Policies to Protect Against Unauthorized Software................................................................................................8Use Secure Configuration Settings for your RDP Connections...............8Enable the Internet Connection Firewall..............................................12Use strong passwords throughout your organization...........................12Keep virus scanners up to date...........................................................12Keep all software patches up to date...................................................12ITSY 2400 – Operating System Security (Lecture Handout) Prof. Michael P. Harris Page 1 of33Remote Desktop Protocol (Terminal Server) SecurityPage 2 of 33Use encryption to secure connections using Remote Desktop Web Connection..........................................................................................13Do not install Terminal Server on a Domain Controller........................14ITSY 2400 – Operating System Security (Lecture Handout) Prof. Michael P. HarrisRemote Desktop Protocol (Terminal Server) SecurityPage 3 of 33Enhanced Security Options................................................................14Consider Using a Firewall.....................................................................14Use Restricted groups policy to manage the Remote Desktops User Group at the domain or OU level....................................................................15To edit Restricted Groups policy.....................................................15Consider Using Smart Cards for Strong Authentication........................16Consider Using a VPN tunnel to Secure Terminal Services connections over the Internet.................................................................................16Consider Using IPSec Policy to Secure Terminal Server Communications over your network...............................................................................17How to Create the IPSec Filter List for Terminal Services Communications.............................................................................18How to create and enable IPSec policy to secure Terminal Server communications.............................................................................18How to make sure that clients respond to the Terminal Server's requests for security.....................................................................................19Understanding the logon process................................................19The Higher Security Logon Process......................................................23Related Links.......................................................................................25Introduction The Terminal Server component of the Microsoft Windows Server 2003 family of operating systems builds on the solid foundation provided by the application server mode in Windows 2000 Terminal Services (Terminal Services Application Server Mode for Windows Server 2003 is named Windows Server 2003 Terminal Server.) Terminal Server is a technology that lets users execute Microsoft Windows-compatible applications on a remote Windows Server 2003-based server computer. In a Terminal Server-based computing environment, all application execution and data processing occur on the server computer. Terminal Server is often the optimal deployment method for a wide variety of scenarios including providing secure remote access, connecting branch offices to centralized resources, isolating credentials, centralizing administration, bridging networks, deploying applications via web browser and more. You should consider using Terminal Server when the application requires a large backend database, significant bandwidth, or frequent updates, changes, and additions. To learn more about specific features and benefits, be sure to visit the Terminal Services home page at: http://go.microsoft.com/fwlink/?LinkId=17284.ITSY 2400 – Operating System Security (Lecture Handout) Prof. Michael P. HarrisRemote Desktop Protocol (Terminal Server) SecurityPage 4 of 33Terminal Server is especially useful for deployments with users in remote locations or where users have relatively poor (high latency) network performance. Depending on the network links between the user and the