Remote Desktop Services troubleshooting

Security

This page is about securing a Remote Desktop Services environment. For general security information (Security Bulletins, encryption, virus and spyware prevention, etc), choose the appropriate items in the menu on the left.

The basic steps to create a locked down Terminal Server:

• use NTFS and Registry permissions to keep users out of sensitive areas of the file system and the registry.
  A standard installation of Windows 2003 doesn't need any modification. On Windows 2000 Server, modify the NTFS permissions as follows:

     %SystemDrive%, %SystemRoot%, %ProgramFiles% 
        and %SystemRoot%\system32 :       
     System - Full Control
     Administrators - Full Control
     Authenticated Users - Read & Execute
  

  Also make sure that users have only Read permissions on these keys:

     
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  

• do not install the RD Session Host role (a.k.a. Terminal Server role) on a Domain Controller
• during the installation of Terminal Services, choose "Full Security" compatibility mode (on 2003) or "Permissions compatible with Windows 2000 Users" (on W2K)
• create a restrictive GPO (see KB 278295), using loopback processing (see KB 231287)
• grant users access to the Terminal Server by making them members of the Remote Desktop Users group (2003 only)
• choose the highest encryption level possible
• do not give users elevated user rights when an application doesn't work for normal users.
  Instead, download Process Monitor. Run it as Administrator on the console of the Terminal Server (when no user is connected), start a TS session as a normal user and try to run the application. Process Monitor will show you all "access denied" errors that occur, so that you can give your users the necessary permissions on a file-to file or Registry subkey basis.
• do not assume that configuring an "Initial application" (rdp) or publishing an application (ica) prevents users from accessing the full desktop of the server (see CTX991230)
  
  If you need more granular control on an application basis, consider a 3rd party utility to enhance security.

More info + guidelines

• Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks
• Configuring Remote Desktop certificates
• 816594 - HOW TO: Secure Communication Between a Client and Server with Terminal Services
• 278295 - How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session
• 243554 - Explanation of RDP-TCP Permissions in Windows 2000
• 231289 - Using Group Policy Objects to hide specified drives
• Using Software Restriction Policies to Protect Against Unauthorized Software
• 823659 - Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
• Understanding and Using NTFS Permissions on Citrix and Terminal Servers - by Jeff Pitsch
• Understanding Terminal Server's Permissions Compatibility Options - by Jeff Pitsch
• CTX991230 - Terminal Server Desktop, Explorer.exe, Launches from a Published Application - applies to RDP connections as well
• CTX108784 - Preventing Explorer.exe from Launching in Shell Mode
• 2348692 - File system navigation cannot be restricted by RemoteApp configuration

Windows 2008 specific

• WS2008: Network Level Authentication and Encryption
• 951608 - Description of the Credential Security Service Provider (CredSSP) in Windows XP Service Pack 3
• Changes to Terminal Service Security Related Group Policy Settings in Windows Vista and Longhorn Server - by Brien M. Posey
• 969972 - You encounter a slow application startup or a slow logon on a computer that is running Windows Server 2008 or Windows Vista after you apply software restriction policies
• Creating Kerberos Identity for RD Session Host Farms
• Windows Server 2008 R2: AppLocker

Windows 2003 specific

• Download the Windows Server 2003 Terminal Server Security White Paper
• 298372 - Permissions Mode Behavior Under Terminal Services
• 837954 - Difference in the user right "Deny log on locally" between Windows 2000 and Windows 2003
• 278433 - Accessing Terminal Services Using New User Rights Options
• Locking Down Windows Server 2003 Terminal Server Sessions
• 324036 - HOW TO: Use Software Restriction Policies in Windows Server 2003
• 895433 - How to configure a Windows Server 2003 terminal server to use TLS for server authentication - requires SP1
• 942841 - A Windows Server 2003-based computer cannot make an SSL connection or a TLS connection to the out-of-band interface on an Intel Active Management Technology (AMT)-enabled computer
• How to secure remote desktop connections using TLS/SSL based authentication - by Martin Kiaer
• 816521 - HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003
• 815141 - Internet Explorer Enhanced Security Configuration Changes the Browsing Experience
• How can I prevent my users from redirecting their local disk drives?

XP specific

• 944939 - The first logon to a Windows XP-based computer through terminal services is not denied even though the user is not a member of the Remote Desktop Users group

Citrix specific

• CTX105215 - MetaFrame Presentation Server Client for Win32 debugging functionality could be misused
• CTX108354 - Vulnerability in Program Neighborhood client could result in arbitrary code execution

• PolicyMaker™ Application Security - a Group Policy extension that allows to attach permission levels to applications