W2K3 Terminal Server

Hello, I may be on the wrong track on this one but any help would be greatly appreciated. I basically want to deliver a standard desktop including a few MS apps, Office, IE, etc to 10 - 15 Client workstations. I'm looking to use thin client workstations and connect to a muscular terminal server. Am I able to do so or should I abandon the idea? I am also concerned about standard domain users using a Remote Desktop session to a server and any implications that may have. Funds are limited so it's this or nothing. Any advice and setup tips? Been through the Microsoft whitepapers and followed them as much as possible.

So, My question(s) is, Can it be done? Can I have 10 or 15 users using this as their primary method of access? Is it secure? Any step by step guides from server side setup through to client side considerations? Was terminal server designed for this type of use?

Many Thanks, Aelara.

jschweg Commented:
Probably a better option than using the windows firewall is to just create an IP Security policy for the network connection:


You are most certainly able to do so, what you are describing is exactly what Terminal Services is meant and designed to do.

Probably the most important factor in the success of your project is hardware. Obviously you need enough hardware (processing power and memory) to accommodate your user sessions. Do you have hardware specs on the box you will be using?

I also assume that this server will be dedicated to TS? A big mistake is to run TS on a server that already has other important functions in your domain.

Concerning your thoughts on security, TS is a very secure environment assuming it is managed well. Everything you would normally address on an end user machine, you would address on a Terminal Server in a similar manner.

Ensure that MS security patches are kept up to date

That you have an AV solution in place (most AV solutions usually have either special versions, or special install instructions for TS)

That none of the users are logging in with any sort of administrative permissions and all have restricted user accounts

That you run the terminal server in full security mode (rather than relaxed security mode), assuming you don't have any legacy applications that need it

That the HOST machines they are using to connect to the terminal server are secure and locked down in the same manner. No sense going through all of this trouble if your network is infected by an insecure host machine

Not sure if you saw this one already, but this is an excellent white paper:

Aelara (Author) Commented:
Thanks for the info ishweq, I'll look at the whitepaper later today. Once Terminal server has been added as a role and security implemented, do I just install the Apps I would like users to have access to? Do I need to create a profile?

Thanks Aelara
Aelara (Author) Commented:
Hello again, It's all up and running and test use so far looks good. I am working through the lock down whitepaper to ensure max security. If working at full potential, what are the limitations of TS compared to Citrix?

Thanks Aelara.
For what you are doing, terminal server should be perfect. I wouldn't see any need to incur extra costs for Citrix. Here is a blog entry that pretty much sums it up:


Aelara (Author) Commented:
Thank you, One last question, Can I white list access to the terminal server by IP address? Although I can specify users, groups and computers within AD we are using HP thin client stations which do not register/appear as AD objects. Hence I need to specify that only a bank of IP addresses will be able to establish a remote session with the terminal server. All other connections will be refused. Can it be done?

Thanks, Aelara.
There isn't any way to do this in direct relation to Terminal Server, however you can filter the IP addresses on your firewall to only allow the hosts you want to allow (You would filter on port 3389).

If you don't have a firewall in place that you can make these changes, you can use the Windows Firewall in Control Panel to do your IP level filtering there.

In regards to installing apps...  I would recommend that you make sure no one else is logged in to the server when you install apps.

The command "change logon" will help keep everyone off the server while you are installing apps. It will also keep you from logging back on to the server if you are disconnected. So, use with caution.

Once done, you can use the add new programs option from add/remove programs or use the command "change user" from the command prompt.

Either way, I would get familiar with both of these commands to install apps on the server.
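The IP allow-list asked about in this thread, built as the IP Security policy mentioned in the first comment rather than with Windows Firewall. This is an added example, not code posted by any participant; the addresses and the policy, filter list and rule names are constructed placeholders.

```bat
@echo off
rem Added example, not from the thread: IP Security policy that lets only
rem listed addresses reach Terminal Services (TCP 3389) on this server.
rem Run it in a console session on the Windows Server 2003 terminal server.
rem ASSUMPTION: all addresses and object names below are placeholders.
setlocal
set POLICY=RDP allow-list
set ALLOWED=192.168.10.21 192.168.10.22 192.168.10.23 192.168.10.24
rem Include the workstation you administer from, or the block rule
rem will refuse your own Remote Desktop sessions as well.
set ALLOWED=%ALLOWED% 192.168.10.5

rem Create the policy unassigned so nothing is enforced until it is complete.
netsh ipsec static add policy name="%POLICY%" description="Restrict RDP by source IP" assign=no

rem One filter per permitted source address: client -> this server, TCP 3389.
for %%A in (%ALLOWED%) do (
    netsh ipsec static add filter filterlist="RDP permitted" srcaddr=%%A dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes
)

rem Catch-all filter: any source -> this server, TCP 3389.
netsh ipsec static add filter filterlist="RDP any" srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=3389 mirrored=yes

netsh ipsec static add filteraction name="RDP permit" action=permit
netsh ipsec static add filteraction name="RDP block" action=block

rem The single-address filters are more specific than the catch-all, so
rem listed clients match the permit rule and every other source is blocked.
netsh ipsec static add rule name="Permit listed" policy="%POLICY%" filterlist="RDP permitted" filteraction="RDP permit"
netsh ipsec static add rule name="Block others" policy="%POLICY%" filterlist="RDP any" filteraction="RDP block"

rem Review the finished policy, then assign it to start enforcing.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
endlocal
```

Thin clients that get their addresses from DHCP need reservations, otherwise a renewed lease can move a client outside the permitted list.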
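The install procedure described in the last comment, written out as one maintenance script. This is an added example, not code from the thread; the installer path is a placeholder.

```bat
@echo off
rem Added example, not from the thread: install an application on a
rem Windows Server 2003 terminal server using the "change logon" and
rem "change user" commands discussed above.
rem Run it from the server console: "change logon /disable" refuses new
rem client sessions, so a dropped Remote Desktop session cannot reconnect.
rem ASSUMPTION: the installer path below is a placeholder.
setlocal
set INSTALLER=D:\install\setup.exe

rem 1. Refuse new client logons for the duration of the install.
change logon /disable

rem 2. List sessions that are still connected; ask those users to log off
rem    before continuing.
query session
pause

rem 3. Switch the session to install mode so the setup program's per-user
rem    settings are recorded for all users of the terminal server.
change user /install

rem 4. Run the installer and wait for it to finish.
start /wait "" "%INSTALLER%"
set RESULT=%ERRORLEVEL%

rem 5. Always return to execute mode and re-enable logons, even when the
rem    installer failed, so the server is not left closed to users.
change user /execute
change logon /enable

rem 6. Confirm the final state.
change user /query
change logon /query

if not "%RESULT%"=="0" echo Installer exited with code %RESULT%
endlocal
```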