Security of Terminal Services (maintaining, configuring)

Given an existing system running apps with Terminal Services, what are the security concerns, and what is best way to address them?

This is more relevant to auditing and managing configuration of existing system than seeking alternatives.

Am more interested in real world experience and behavior than simple theory, but I could always use a few more links to good documents or websites currently dealing with same issues.
LVL 24
SunBowAsked:
Who is Participating?
 
edmonds_robertCommented:
The main security concern is the fact that with terminal services, the user is logging on locally to the server.  So they have the same permissions on files on that server as if they had come in to your computer room, sat down at the server and logged in.  You MUST ensure proper file level security.  What I have done in the past is created very strict policies on the server, letting them have access to only what is absolutely necessary.  For example, I have totally eliminated any desktop icons, given them a custom start menu, etc. so they have only what I want them to have.  I would look at Citrix if you have the money.  It lets you take terminal services much farther, letting you publish applications to desktops automatically, running apps in web browsers and many other advanced features depending on which version you purchase.  Hope I have have helped at least a little.
0
 
SunBowAuthor Commented:
Nice. Plan. But, say I have an admin who claims to have sort of done all that. Now I want you to review my company, and let me know how well we've all done. Or rather, more realistic, prepare for that review of another. Web access is important, as legacy applications are moving there, to leverage use of browser to remotely access centralized store, while TS provides the commonality of client.

[this is rather a man-in-middle question. say, one person configured, a security team is going to ask a third party (someone I know) about some details. Looking to prepare the man-in-middle, unwary 3rd party, for what to expect; assume this is more an audit type question than one of planning or design or implementation]

How best to ascertain, to assess some vulnerability, or what have you.  But perhaps you have something there, in not leaving too much, in assumptions, to those who manage applications

(as fyi, we did do citrix on NT, before. but that is another topic)
0
 
SunBowAuthor Commented:
Notice:
I intend to close this, as it is not progressing, and I no longer have pressing need. To date, the other parties are not getting too specific on terminal services per se, but are spinning wheels on old issues regarding site security. The site's been hardened again and again, continually. So I consider first comment as sufficient.

I likely have further questions as this develops, but will likely run them in another TA, such as networking. For anyone else having interest or potential contribution wanting a notif, just add a simple "listening" remark below, and I'll drop a link here if it develops.
0
 
SunBowAuthor Commented:
I'd like to think there's a better 'answer' to be had, for this database, (unsure that it warrants A on own) but it may be sufficient, I got none better, and if nothing else, I've benefitted from edmonds_robert elsewhere.

Closing.
0
 
NEA123Commented:
Hi,

You wanted a link - this is what we do

www.neanco.com

Pervasive security - will also fix your terminal services security issue.

Take a look.

/NEA
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.