Re: SBS 2003 and TS-App Mode

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 10/14/04


Date: Thu, 14 Oct 2004 12:52:36 -0700

Copy and paste of just one of the times I've posted on this issue...

It's not secure... and now you are asking for insecurity back.

http://groups.google.com/groups?q=security+resource+kit+group:microsoft.public.windows.server.sbs&hl=en&lr=&c2coff=1&selm=uFZD4I3wDHA.2440%40TK2MSFTNGP12.phx.gbl&rnum=1

Oh heck no.. we do NOT do the steps to secure a TS ... you CANNOT do
them on a Domain controller. I'm going to be mean... show me any
network SBS or non SBS and we so do not know how to secure it out here.

Remember this IS the company that up until 2 years ago chose
functionality over security and now you want functionality back.

I'm not surprised. John Q Public wants security but when they get it
whacked in their faces ...they want their Kazaa back...they want to play
games over the Internet and Chat... they want Wireless access that's
open and easy to use...they want TS on a domain controller back. We are
so not ready for the hard choices ahead. We ask Microsoft to be more
secure and then scream our heads off when pictures and html are turned
off in emails [Outlook 2k3]

You want security or you want functionality? Welcome to hard choices of
the future dear. We cannot have everything we had in the past and
remain secure.

Just last month Linux source code servers got hacked and they had to
check MD5 checksums to ensure integrity of the code. We don't live in
the era where we can do this stuff anymore. We cannot keep functionality
that we had 2 years ago. Heck I don't even use dial up on the Internet
without a firewall these days. I patch laptops before I let them go out
of the office. I update virus checkers on those suckers before they go
out in the field. I never worried about those laptops before. Now I'm
buying copies of PC-cillin for all the people in my office and requiring
them to load it up.

Go read the Security Res kit page ..like 349 or something like that...
we cannot ... I repeat... we cannot lock down TS on a domain controller.

ISA's vulnerabilities depend on what ports are open from the outside
dear. I cannot help it if the Dev team in Win2k3 didn't do the right
thing in their department and keep ANY domain controller from being a TS
box. The point is this IS the limitations we have and we have to live
with them. The SBS team DID do the right thing.

Security and functionality cannot cohabitate sometimes. This is one of
those times.

------------------------------
Here is the listing of recommended steps to lock down a TS box
1. Apply the Notssid.inf security template to TS running permissions
compatible with TS users.
2. Use the AppSec tool to limit which applications can be executed.
3. Do not enable remote control.
4. Do not enable application server mode on a domain controller.
To connect to a terminal server from the network, users must have the
Log On Locally user right assigned. If you implement application server
mode on a domain controller, nonadministrators must be assigned the Log
On Locally user right at the domain controller. Because this user right
is typically assigned in Group Policy, it enables users to log on at the
console of any domain controller in the domain, greatly reducing security.
5. Implement the strongest available form of encryption between the TS
client and server
6. Choose the correct mode for your TS deployment [if you only need
remote administration, then only deploy that]
7. Install the latest service pack and security updates.

Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in
violation of #4.

Page 393-394 Security Resource Kit.

Read this doc and see how much is done to lock down a TS server..... we
can't do this stuff in SBS land.
http://www.nsa.gov/snac/win2k/guides/w2k-19.pdf

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

> Yes indeed it was a flame because I'm tired of people thinking this is a
> marketing decision. It was a security decision, Tim. It's not secure.
>
> Having TS in app mode on your DC is like using your server as a
> workstation. I think most folks would say that's not too wise and yet
> we did TS in app mode on our SBS 2000 boxes. The security situation has
> changed Tim, we cannot do the things we used to do.
>
> Security Res kit page 394 if I remember right lists how to protect a TS
> server... we cannot do those steps.
>
> www.techsoup.org
>
> You can get software for WAY less than a normal business.
>
> I volunteer at a "not for profit" where the CEO makes ten times what I
> make. SOME not for profits make do with have...some have CEOs that
> suck the income out of them.
>
> You cannot make TS in app mode safe enough on a domain controller in
> today's insecure world.
>
> Tim wrote:
>
>> Well Susan, I'd call your message a flame and I don't know why I'm
>> replying but you need a little education. Non Profits make do with
>> what is at hand, that includes Windows 98 and Group Policies. There
>> is only so much money in our IT budget that we have to be very frugal
>> on all aspects. There is risk just getting out of bed in the
>> morning. There is never enough money to spend on IT and sometimes you
>> have to make decisions. My user base is secure. My implementation of
>> Group Policies is very restrictive. My employer knows the decisions,
>> risks and benefits of these practices and I'm not fired, I'm commended
>> for finding a balance and working within our boundaries. The choice
>> for a dedicated TS is not possible, there is no money. I resent MS
>> disabling this feature because they don't think we should do it.
>> That's intrusive and most likely made by marketing for obvious reasons.
>>
>> "Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
>>
>>
>>> We asked Microsoft to make their OS more secure and now you want
>>> insecurity back.
>>>
>>> Boy if you were my IT pro I'd fire you on the spot for a security
>>> analysis like this.
>>>
>>> WE CANNOT PROTECT OUR DOMAIN CONTROLLER WHEN IT'S BEING USED AS A
>>> WORKSTATION and that's EXACTLY what TS in app mode does.
>>>
>>> You heard of Remote Desktop dude? How about putting on a Virtual Server
>>> and sticking another copy of Win2k3 for TS on that.
>>>
>>> You could have another Win2k3 as the TS server and support your remote
>>> users but instead you are going to make your Domain controller insecure.
>>>
>>> Yeah and that's Microsoft's fault.
>>>
>>> We asked them to be more secure. THEY stepped up to the plate.
>>>
>>> Now you are asking for insecurity back.
>>>
>>> Way to go dude. Just remind me to not have my business use your
>>> insecure business since you obviously don't care about security.
>>>
>>> Probably run Windows 98's as well don't you?
>>>
>>> Tim wrote:
>>>
>>>> I just found out MS disabled this. There are many things that are
>>>> questionable practices that we administrators do and not do. It is
>>>> our right to have that flexibility. The decision to disable
>>>> Application Mode in TS 2003 is heavy handed and completely
>>>> unhelpful. They cannot tell me the two users I need to have access
>>>> my TS are so dangerous that MS needs to protect me from myself.
>>>> This is unfortunate and completely wrong.
>>>>
>>>> I've returned this OS to the OEM. We had to make the big decision to
>>>> forgo the bundled SBS features and instead, support our remote
>>>> users. The remote users are more important. Once again, decisions
>>>> we make to make our business stronger and competitive. Does
>>>> Microsoft want to control my internal operations too? NO THANK YOU!
>>>
>>>
>>> --
>>> http://www.sbslinks.com/really.htm
>>> http://www.msmvps.com/bradley
>>> http://www.threatcode.com
>>> [let's get vendors to step up to the plate too]
>>> https://www.ecora.com/ecora/jump/pm99.asp
>>>
>>>
>

-- 
http://www.sbslinks.com/really.htm
http://www.msmvps.com/bradley
http://www.threatcode.com
[let's get vendors to step up to the plate too]
https://www.ecora.com/ecora/jump/pm99.asp
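Added example, not part of the original post or thread: a read-only PowerShell audit of one Windows Server 2003-era box against steps 3, 4 and 5 of the lock-down list above, plus a dump of who holds the Log On Locally right that step 4 is about. It assumes the Windows Server 2003 registry value names (TSAppCompat, Shadow, MinEncryptionLevel) and Win32_ComputerSystem DomainRole codes; PowerShell is used here rather than the tooling of 2004.

```powershell
# Audit one box against TS lock-down steps 3-5 (added example, assumptions noted above).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue($Path, $Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { $Default } else { $item.$Name }
}

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC (assumed codes)
$isDC    = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
# TSAppCompat: 1 = application server mode, 0 = remote administration only (assumed)
$appMode = (Get-RegValue $tsKey 'TSAppCompat' 0) -eq 1
# Shadow: 0 = remote control disabled, 1-4 = some form of shadowing allowed (assumed)
$shadow  = Get-RegValue $rdpKey 'Shadow' 0
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS (assumed)
$encLvl  = Get-RegValue $rdpKey 'MinEncryptionLevel' 2

# Who holds SeInteractiveLogonRight (Log On Locally) in the local security database.
# Step 4's point: on a DC in app mode this list has to include non-admin TS users.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$match   = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight\s*=' | Select-Object -First 1
$holders = if ($match) { ($match.Line -split '=', 2)[1].Trim() -split ',' } else { @() }
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings = @()
if ($isDC -and $appMode) {
    $findings += 'Step 4: application server mode is enabled on a domain controller'
}
if ($shadow -ne 0) {
    $findings += "Step 3: remote control is enabled (Shadow=$shadow)"
}
if ($encLvl -lt 3) {
    $findings += "Step 5: RDP MinEncryptionLevel is $encLvl; expected 3 (High) or 4 (FIPS)"
}

"Domain controller : $isDC"
"TS app server mode: $appMode"
"Log On Locally    : $($holders -join ', ')"
if ($findings.Count -eq 0) { 'No findings for steps 3-5.' }
else { $findings | ForEach-Object { "FINDING  $_" } }
```

Steps 1, 2, 6 and 7 are not checked here: whether Notssid.inf was applied, what AppSec allows and which patches are missing need the template, the AppSec list and a patch baseline as inputs.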

