terminal services configuration

I have terminal services runningon a 2000 server. In application mode. I notice that my test user login (not an admin) is able to shut down the server. How do I turn that off, I do not want users to be able to shut off the server!!

I wouod appreciate any comments on typical setups for terminal services. I am new to it, only used remote admin mode before.

Does running TS add a big hit to the server performance - if only 1-3 people use it a day? Is it usually put on a different server than one that is also used as a fileserver and primary domain controller?

Anyhow, I really want to set the permissions for using some of the windows functions - like 'shut down' - so I can limit who can do that on this server - while in a terminal services session.

Thanks for the help


Troy
troyhicksAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

kelo501Commented:
Troy,

I will come back to preventing the user from shutting it down later.

1st  Yes it is a best and common practice to have your TS on its own machine.

2nd  Yes every session can take alot of your resources.  best way to see this is one task manager and view proformace tab when you have you normal load and then again with remote users logged on.  Should be a big change.

3rd If your users are comming in from outside of your network, IE WAN or Internet connection, there are very real security concerns.  Any mistake in security on the server or firewall could be very dangerous to start.  Having the machine exposed be a Domain Controller is even a greater risk.  In my opinion...  It is  a complete mistake, that you would be hard pressed to explain if something did go wrong.

Here is a link to info on the correct set up of a server for TS.
http://support.microsoft.com/default.aspx?scid=kb;en-us;260370

Good luck and move your TS to another server as soon as you can.

Kelo

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
troyhicksAuthor Commented:
ok, thanks. I will (at first) only have one user (a former IT consultant) using the TS. I want to be sure that shutdown is turned off, looks like that may not be possible without turning it off locally on the server. I assume using GPEDIT.MSC
is the only way to keep shut down off. And that there is not a way to turn it off for only remote users - I tried a few ways and it did not work for me yet.

What is the security risks specifically? Besides having a point open for someone to attempt to connect? Is TS full of holes?

Man, I would love to mofe the TS to another server - these guys lost their password to the firewall, so it is going to be hard to move the forwarding point. I dont mind reconfiguring a firewall, but this one is doing vpn and so I have to get it right the first time - it is a sonic wall.

Have you found a way to keep the shutdown off?

And is the security risks you have in mind mostly just due to an avenue of approach being made available? Don't you have to live with that if you use TS?

Thanks for the comments
0
troyhicksAuthor Commented:
I used gpedit.msc and turned off the shutdown and added logoff to the start menu. Now when you term serv in as admin, you can shut down - but normal users cannot.

Thanks for the info. Graded as C because of only partial answers.

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.