Re: Terminal Services and SBS 2003



Susan,

I just finished reading your site at
http://msmvps.com/bradley/archive/2004/05/31/7401.aspx. Most of your
arguments, two of which you repeat below, seem to indicate that you are
unsure of how to secure a Terminal Server properly. Otherwise, you would not
continuously repeat the "It's the true equivalent of someone using your
domain controller as a workstation" and "you want your stupid users that
infect your workstations with malware on your domain controller?"
statements.

On your site, several people claim that a DC cannot be locked down for use
as a TS. That is patently false. I have done it both on standard non-SBS
2000 and 2003 domain controllers (small companies with only one server).
Normal TS users get a blank desktop with only one or two applications that
are permitted to run. Domain Admins who log in via TS get the same desktop
they would get if they logged in locally, without any restrictions.

SBS 2003 aside (because it cannot run in TS application mode), a properly
secured TS, even if it is on a domain controller, is absolutely NOT "the
true equivalent of someone using your domain controller as a workstation" as
you claim. Letting them use the DC as a workstation would mean giving them
access to the full Start Menu, Programs, etc. Any user of a TS that I have
configured CANNOT infect my TS with malware, because they are not allowed to
run any applications that use the Internet. When my normal users log into a
TS, even if it is a DC, they get a blank desktop with only one or two
applications that are permitted to run. Their Start Menu consists of letting
them log off, plus the chosen applications I have allowed. There are no
other links for them to try to start other applications. That is in no way
the "true equivalent" of letting them use the DC as a workstation, where
users have access to their full menus and can run whatever applications they
desire.

That said, I prefer TS on a separate server for performance reasons, but
even then, it is locked down for normal users, and NO ONE gets to run
Internet Explorer from a TS session unless they can figure out how I killed
it, and they would have to be a knowledgeable domain admin to do that.

Unless there is something I have missed in my lock-down settings, having TS
in application mode on a domain controller is no less secure than having it
on a member server, provided that users do not have physical access to the
domain controllers (locked room).

Gregg Hill




"Susan Bradley" <sbradcpa@xxxxxxxxxxx> wrote in message
news:ucOs$98YFHA.2400@xxxxxxxxxxxxxxxxxxxxxxx
> It's the true equivalent of someone using your domain controller as a
> workstation.. you want your stupid users that infect your workstations
> with malware on your domain controller?
>
> You want sucky apps like Quickbooks on your server?
>
> I rest my case.
>
> Gregg Hill wrote:
>
>> Sorry. I meant TS on a DC in general. I know it cannot be used on SBS
>> 2003.
>>
>> Gregg Hill
>>
>>
>> "KKI Technologies" <KKITechnologies@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> message news:16831567-3EF7-4BBC-8A26-3670030D15F2@xxxxxxxxxxxxxxxx
>>
>>>Probably the big thing is that this feature has been removed from SBS
>>>2003.
>>>
>>>"Gregg Hill" wrote:
>>>
>>>
>>>>Hello!
>>>>
>>>>I have seen over and over again people recommend that a DC never have TS
>>>>running in application mode, but usually without the reasons to avoid it.
>>>>Why not a DC in app mode? I am not discounting the advice or arguing with
>>>>it. I am just curious as to the reasons why not so I can better explain the
>>>>need for a separate TS box.
>>>>
>>>>Thanks!
>>>>
>>>>Gregg Hill
>>>>
>>>>
>>>>"SuperGumby [SBS MVP]" <not@xxxxxxxxxxx> wrote in message
>>>>news:ODQi0ToUFHA.928@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>>>The SBS itself, cannot, and should not, have Application Mode TS enabled.
>>>>>Microsoft did us a humongous favour and made it difficult to do so, _NO_
>>>>>DC should be an App Mode TS.
>>>>>
>>>>>SBS can act as TS Licensing server for your AD, it does so in exactly the
>>>>>same manner as any other 2003 TS License Server (almost).
>>>>>
>>>>>"Corona" <Corona@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>news:C7CCE574-D6A4-4205-9AD5-F9A6641F5847@xxxxxxxxxxxxxxxx
>>>>>
>>>>>>Can you use Terminal Services in SBS 2003, and if so, are there any
>>>>>>limitations on licensing?
>>>>>>
>>>>>>Thank you.
>>>>>
>>>>>
>>>>
>>>>
>>
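
Editor's added example, not code from any poster in this thread: the per-user Explorer policy values that give a Terminal Server user the "blank desktop, log off plus one or two allowed applications, no Internet Explorer" session Gregg describes above, together with a function that reads them back to confirm the lock-down took effect. The executable names in the allow list are hypothetical placeholders. It assumes the values are delivered by a GPO linked with loopback processing to the TS computer, and that Domain Admins are filtered out of that GPO so they keep an unrestricted desktop, as in the post.

```powershell
# Added illustration (not from the thread): per-user Explorer policy values for
# a locked-down Terminal Server session, plus a read-back check.
# Run only under a test user account; these are HKCU values and will restrict
# whichever account runs the script.

$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-TsUserLockdown {
    param(
        # Executables the user may launch from the shell (hypothetical example apps).
        [string[]]$AllowedApps = @('quickbooks.exe', 'winword.exe'),
        # Executables explicitly blocked from the shell.
        [string[]]$BlockedApps = @('iexplore.exe')
    )

    New-Item -Path $PolicyKey -Force | Out-Null

    # Strip the desktop and Start Menu down to "log off plus the chosen apps".
    $flags = @{
        NoDesktop      = 1   # hide all desktop icons
        NoCommonGroups = 1   # remove All Users program groups from Start Menu
        NoRun          = 1   # remove the Run command
        NoFind         = 1   # remove Search
        NoSMHelp       = 1   # remove Help
        NoControlPanel = 1   # block Control Panel
        RestrictRun    = 1   # "Run only specified Windows applications"
        DisallowRun    = 1   # "Don't run specified Windows applications"
    }
    foreach ($name in $flags.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $flags[$name] -Type DWord
    }

    # The allow list and deny list live in subkeys as numbered string values.
    foreach ($pair in @(@('RestrictRun', $AllowedApps), @('DisallowRun', $BlockedApps))) {
        $subKey = Join-Path $PolicyKey $pair[0]
        if (Test-Path $subKey) { Remove-Item $subKey -Recurse }
        New-Item -Path $subKey -Force | Out-Null
        $i = 1
        foreach ($exe in $pair[1]) {
            Set-ItemProperty -Path $subKey -Name ([string]$i) -Value $exe -Type String
            $i++
        }
    }
}

function Test-TsUserLockdown {
    # Returns a hashtable of findings; empty means the session matches the
    # intended lock-down.
    $findings = @{}
    if (-not (Test-Path $PolicyKey)) { return @{ PolicyKey = 'missing' } }
    $p = Get-ItemProperty -Path $PolicyKey
    foreach ($name in 'NoDesktop', 'NoCommonGroups', 'NoRun', 'RestrictRun', 'DisallowRun') {
        if ($p.$name -ne 1) { $findings[$name] = 'not set' }
    }
    $deny = Join-Path $PolicyKey 'DisallowRun'
    $blocked = @()
    if (Test-Path $deny) {
        $blocked = (Get-ItemProperty -Path $deny).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    if ($blocked -notcontains 'iexplore.exe') { $findings['iexplore.exe'] = 'not blocked' }
    return $findings
}

Set-TsUserLockdown
$result = Test-TsUserLockdown
if ($result.Count -eq 0) { 'lockdown applied' } else { $result }
```

Two caveats a practitioner should keep in mind. RestrictRun and DisallowRun are enforced by the Explorer shell, so they govern what the user can start from the desktop and Start Menu; a program reached by another route (for example the File > Open dialog of an allowed application) is not covered, which is why Software Restriction Policies on Windows Server 2003 are the stronger control for a "no Internet Explorer, ever" rule. And because these are HKCU values, they must be scoped to the Terminal Server through loopback processing and kept away from the administrators who manage the box, otherwise an administrator logging on locally to the DC inherits the same stripped-down shell.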
