Attack Surface
The Terminal Services server role provides technologies for client computers to access desktop sessions or specific applications running on the terminal server. To determine the attack surface of this server role, you need to identify the following.
Installed files. The files that are installed as part of the Terminal Services server role.
Running services. The services that are installed as part of the Terminal Services server role.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. The firewall rules that the Terminal Services server role uses.
The details of the attack surface for the Terminal Services role are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this server role, on the Terminal Services tab of the workbook, view the sections that correspond to each of the items in the previous list.
Security Measures
This section describes the security measures that you can incorporate into your Terminal Services server role configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Terminal Services option on the Select Role Services page of the Add Roles Wizard.
From a security perspective, the Terminal Services role has the greatest attack surface and requires more configuration settings than the other role services that this security guide discusses. However, only the TS Gateway role service has specific configuration changes that relate to security. There are no additional steps to secure the TS Licensing, TS Session Broker, and TS Web Access role services.
Configuration Checklists
There are two main areas to focus on when securing your terminal servers:
Securing connections to the terminal servers.
Securing the TS Gateway.
The standard internal network terminal server scenario only requires you to install the Terminal Services server role. This installation adds TCP port 3389 to the server's listening port list, which enables client computers to establish RDP remote desktop sessions with the server. Succeeding sections in this chapter provide more information about each of the recommendations in the following lists.
Securing Connections to the Terminal Servers
The following table summarizes the recommended security configuration tasks for hardening servers performing the Terminal Services role. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 11.1 Terminal Server Configuration Checklist
|
Configuration tasks
|
|
Configure the network level authentication.
|
|
Enable Single Sign-On for Terminal Services.
|
|
Enable secure use of saved credentials with Windows Vista RDP clients.
|
|
Change the default RDP port.
|
|
Use smart cards with Terminal Services.
|
|
Use the NTFS file system.
|
|
Use TS Easy Print exclusively.
|
|
Partition user data on a dedicated disk.
|
|
Create specialized OUs for terminal servers.
|
|
Set Group Policy settings for the terminal servers.
|
|
Set Group Policy settings for the remote desktops.
|
|
Restrict users to specific programs.
|
|
Limit terminal server security auditing.
|
Configure the Network Level Authentication
Network Level Authentication is a new authentication method that completes user authentication before you establish a Remote Desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software. Network Level Authentication includes the following advantages:
It requires fewer server resources initially. The server uses a limited number of resources before authenticating the user, rather than starting a full Remote Desktop connection as in previous versions.
It can help provide better security by reducing the risk of DoS attacks.
To use Network Level Authentication, you must meet the following requirements:
The client computer must use Remote Desktop Connection (RDC) 6.0 or later.
The client computer must run an operating system, such as Windows Vista, that supports Credential Security Support Provider (CredSSP).
The terminal server must run Windows Server 2008.
You can configure a terminal server to only support connections from client computers running Network Level Authentication. You can set the Network Level Authentication setting for a terminal server in the following ways:
Use Server Manager to install the Terminal Server role service through the Add Roles Wizard on the Specify Authentication Method for Terminal Server page.
On the Remote tab in the System Properties dialog box on a terminal server.
If the Allow connections from computers running any version of Remote Desktop (less secure) setting is not selected and is dimmed, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and applied to the terminal server.
To configure the Network Level Authentication setting by using the Remote tab in the System Properties dialog box on a terminal server, see the "Terminal Services" section of the Windows Server 2008 page of the TechNet Library.
On the General tab of the Properties dialog box for a connection in the Terminal Services Configuration tool by selecting the check box for the Allow connections only from computers running Remote Desktop with Network Level Authentication setting.
If the check box for this setting is selected and the setting is dimmed, the Group Policy setting for Require user authentication for remote connections by using Network Level Authentication has been enabled and applied to the terminal server.
By applying the Group Policy setting for Require user authentication for remote connections by using Network Level Authentication.
This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security. You can configure this setting by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).
Note This Group Policy setting takes precedence over the setting configured in Terminal Services Configuration or on the Remote tab.
To determine whether a computer is running a version of RDC that supports Network Level Authentication, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase "Network Level Authentication supported" in the About Remote Desktop Connection dialog box.
For more information about security and Terminal Services, see the Terminal Services page of the Microsoft® TechNet Library.
For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference.
The majority of terminal server users are likely to require the user interface (UI) on the terminal server to be consistent with the UI on their desktop computers. For example, if your users run Windows Vista on their computers, you will need to install the same desktop user experience on the terminal server to provide them with the same UI while running remote desktop sessions.
Enable Single Sign-On for Terminal Services
Single sign-on (SSO) is an authentication method that allows users with a domain account to log on once using a password or smart card, and then gain access to remote servers without being asked for their credentials again.
To implement SSO in Terminal Services, you must meet the following requirements:
Use can use SSO for remote connections in either of the following scenarios:
Support users logging on from a computer running Windows Vista to a terminal server running Windows Server 2008.
Support users logging on from one server running Windows Server 2008 to another server running Windows Server 2008.
User accounts must have appropriate rights to log on to both the terminal server and the client computer running Windows Vista.
The client computer and terminal server must be joined to a domain.
Configuration Tasks
To configure the recommended settings for your terminal server, complete the following tasks:
Configure authentication on the terminal server.
Configure the computer running Windows Vista to allow default credentials to be used for logging on to the specified terminal server.
Membership in the local Administrators group, or equivalent, is the minimum requirement to complete this procedure.
To configure authentication on the terminal server
Click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.
Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and then click Properties.
On the General tab, verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0).
On the Log on Settings tab, ensure that the Always prompt for password check box is not selected, and then click OK.
To allow default credential usage for single sign-on
On the Windows Vista-based computer, click Start, and then in the Start Search box, type gpedit.msc and press ENTER.
Expand Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.
Double-click Allow Delegating Default Credentials.
In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.
In the Show Contents dialog box, click Add.
In the Add Item dialog box, in the Enter the item to be added box, type termsrv/ followed by the name of the terminal server (for example, termsrv/Server1), click OK, and then click OK again.
Membership in the local Administrators group, or equivalent, is the minimum requirement to complete this procedure. To review details about using the appropriate accounts and group memberships, see the Why you should not run your computer as an administrator page of the TechNet Library.
For more information about security and Terminal Services, see the Terminal Services page of the TechNet Library.
|
