Solved

W2K3 Terminal Server

Posted on 2009-05-17
Last Modified: 2013-11-21
Hello, I may be on the wrong track on this one but any help would be greatly appreciated. I basically want to deliver a standard desktop including a few MS apps, Office, IE, etc to 10 - 15 Client workstations. I'm looking to use thin client workstations and connect to a muscular terminal server. Am I able to do so or should I abandon the idea? I am also concerned about standard domain users using a Remote Desktop session to a server and any implications that may have. Funds are limited so it's this or nothing. Any advice and setup tips? Been through the Microsoft whitepapers and followed them as much as possible.

So, my question(s) is: Can it be done? Can I have 10 or 15 users using this as their primary method of access? Is it secure? Any step by step guides from server side setup through to client side considerations? Was terminal server designed for this type of use?

Many Thanks, Aelara.
Question by:Aelara
10 Comments
 
LVL 4

Expert Comment

by:jschweg
ID: 24408439
You are most certainly able to do so, what you are describing is exactly what Terminal Services is meant and designed to do.

Probably the most important factor in the success of your project is hardware. Obviously you need enough hardware (processing power and memory) to accommodate your user sessions. Do you have hardware specs on the box you will be using?

I also assume that this server will be dedicated to TS? A big mistake is to run TS on a server that already has other important functions in your domain.


 
LVL 4

Expert Comment

by:jschweg
ID: 24408461
Concerning your thoughts on security, TS is a very secure environment assuming it is managed well. Everything you would normally address on an end-user machine, you would address on a Terminal Server in a similar manner.

Ensure that MS security patches are kept up to date

That you have an AV solution in place (most AV solutions usually have either special versions, or special install instructions for TS)

That none of the users are logging in with any sort of administrative permissions and all have restricted user accounts

That you run the terminal server in full security mode (rather than relaxed security mode), assuming you don't have any legacy applications that need it

That the HOST machines they are using to connect to the terminal server are secure and locked down in the same manner. No sense going through all of this trouble if your network is infected by an insecure host machine
 
LVL 4

Expert Comment

by:jschweg
ID: 24408469
Not sure if you saw this one already, but this is an excellent white paper:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=402a0cd1-9e4d-4007-8eaf-c30623e71250&displayLang=en
 

Author Comment

by:Aelara
ID: 24409800
Thanks for the info jschweg, I'll look at the whitepaper later today. Once Terminal server has been added as a role and security implemented, do I just install the Apps I would like users to have access to? Do I need to create a profile?

Thanks Aelara
 

Author Comment

by:Aelara
ID: 24410911
Hello again, It's all up and running and test use so far looks good. I am working through the lock down whitepaper to ensure max security. If working at full potential, what are the limitations of TS compared to Citrix?

Thanks Aelara.

 
LVL 4

Expert Comment

by:jschweg
ID: 24414821
For what you are doing, terminal server should be perfect. I wouldn't see any need to incur extra costs for Citrix. Here is a blog entry that pretty much sums it up:

http://www.brianmadden.com/blogs/brianmadden/archive/2005/09/20/do-you-need-citrix-or-is-terminal-server-enough.aspx




 

Author Comment

by:Aelara
ID: 24420799
Thank you, One last question, Can I whitelist access to the terminal server by IP address? Although I can specify users, groups and computers within AD we are using HP thin client stations which do not register/appear as AD objects. Hence I need to specify that only a bank of IP addresses will be able to establish a remote session with the terminal server. All other connections will be refused. Can it be done?

Thanks, Aelara.
 
LVL 4

Expert Comment

by:jschweg
ID: 24421746
There isn't any way to do this in direct relation to Terminal Server, however you can filter the IP addresses on your firewall to only allow the hosts you want to allow (you would filter on port 3389).

If you don't have a firewall in place where you can make these changes, you can use the Windows Firewall in Control Panel to do your IP-level filtering there.
 
LVL 4

Accepted Solution

by:
jschweg earned 500 total points
ID: 24421785
Probably a better option than using the Windows Firewall is to just create an IP Security policy for the network connection:

http://support.microsoft.com/kb/816521


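The IP Security policy approach from the accepted solution, written out with `netsh ipsec static` on Windows Server 2003 as an added example that is not part of the original thread. The policy, filter-list and action names and the 192.168.10.0/24 thin-client range are assumptions; substitute the addresses the thin clients actually use.

```batch
@echo off
rem Added example, not from the thread. All names and the address range
rem below are placeholders (assumptions).
rem Run this from the server console, not over RDP: once the policy is
rem assigned, sessions from addresses outside the range are cut off.

set POLICY=TS-RDP-Allowlist
set CLIENT_NET=192.168.10.0
set CLIENT_MASK=255.255.255.0

rem 1. Create the policy, left unassigned until it has been reviewed.
netsh ipsec static add policy name="%POLICY%" description="Restrict TCP 3389 to thin clients" assign=no

rem 2. Filter list: RDP traffic from the thin-client range to this server.
netsh ipsec static add filterlist name="RDP-ThinClients"
netsh ipsec static add filter filterlist="RDP-ThinClients" srcaddr=%CLIENT_NET% srcmask=%CLIENT_MASK% dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. Filter list: RDP traffic from any address to this server.
netsh ipsec static add filterlist name="RDP-Any"
netsh ipsec static add filter filterlist="RDP-Any" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 4. Filter actions: one that permits, one that blocks.
netsh ipsec static add filteraction name="TS-Permit" action=permit
netsh ipsec static add filteraction name="TS-Block" action=block

rem 5. Rules. The most specific filter wins, so the thin-client range is
rem    permitted and every other source hitting port 3389 is blocked.
netsh ipsec static add rule name="Permit thin clients" policy="%POLICY%" filterlist="RDP-ThinClients" filteraction="TS-Permit"
netsh ipsec static add rule name="Block other RDP" policy="%POLICY%" filterlist="RDP-Any" filteraction="TS-Block"

rem 6. Review the result, then assign the policy to make it active.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

If an administrator workstation outside the thin-client range also needs RDP access, add its address as a second filter in the permit list before assigning the policy.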
 
LVL 2

Expert Comment

by:Serio27
ID: 24422023

In regards to installing apps...  I would recommend that you make sure no one else is logged in to the server when you install apps.

The command "change logon" will help keep everyone off the server while you are installing apps. It will also keep you from logging back on to the server if you are disconnected. So, use with caution.

Once done, you can use the add new programs option from add/remove programs or use the command "change user" from the command prompt.

Either way, I would get familiar with both of these commands to install apps on the server.
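The install sequence described in the last comment, as an added example that is not part of the original thread. The installer path is a placeholder (assumption), and the script is meant to be run from the server console, since disabling logons also stops a disconnected administrator from reconnecting.

```batch
@echo off
rem Added example, not from the thread. INSTALLER is a placeholder path.
set INSTALLER=D:\install\app-setup.msi

rem Refuse new sessions; sessions that already exist stay connected.
change logon /disable

rem List current sessions so remaining users can be asked to log off.
query session
pause

rem Switch this session to install mode so per-user settings written by
rem the installer are captured for all Terminal Server users.
change user /install
start /wait msiexec /i "%INSTALLER%" /qb
set RC=%ERRORLEVEL%

rem Always return to execute mode and re-enable logons, even when the
rem installer failed, so users are not left locked out.
change user /execute
change logon /enable
change logon /query

exit /b %RC%
```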
