Re: Terminal services

In news:63E606C3-2942-41C7-9C70-6C0ADFF744D1@xxxxxxxxxxxxx,
MCL <MCL@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
> I have a few follow up questions to your response.
>
> If you don't have a desktop in the office where are you logging into?

Into the Terminal Server.

> Right now we login directly to our desktops and I don't want anyone
> to have the ability to login to the server directly.

They don't log into "the" server - not your domain controller, Exchange
server, SQL box, etc. TS requires a dedicated server. It shouldn't have any
other role on your network.

> Do they have a
> virtual desktop?

They'll get their usual profile just as though they were logging into their
own desktop. Just with really long arms. ;-)

>
> VPN, I know what it stands for but don't really know exactly what it
> is. Is it different than terminal services?

Yes. It's apples:oranges. VPN is one way you can secure *access* to the TS
box - if you don't want to expose the box directly to the Internet for
security reasons.
>
> Regarding the weak passwords, that is part of what I didn't
> understand when talking with our IT guy. My argument was the same as
> yours, that regardless of where you are connecting, the password is
> either strong or it isn't. He was saying something about the
> accounts in the SBS box being able to access more?? and that accounts
> in the TS box could be locked down more?? I really didn't follow
> what he was saying.

I'm not sure what he was saying. Joe logs in as Joe, regardless....and just
because you grant Joe access to RWW/Remote Desktop from the Internet it's
not any different from Joe logging into a Terminal Server from the Internet.
Strong passwords are a must anyway.

> Is there a legitimate security issue that would
> warrant the additional box and the added expense?

It isn't really a matter of security, as far as I'm concerned. It's ease of
administration, it's centralization (you install all your apps *once* on the
TS box, so if you need to apply Office 2003 SP1, you do it once), and you
don't need Joe to have a workstation in the office sitting idle & waiting
for him to log in.

Remote Desktop to WinXP Pro is essentially "poor man's terminal server" -
it's great, it just isn't always enough.
>
>

> "Lanwench [MVP - Exchange]" wrote:
>
>>
>>
>> In news:883CC70A-5690-45E2-8B59-B698ACB72FFB@xxxxxxxxxxxxx,
>> MCL <MCL@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
>>> I am prefacing my question by stating that I am not an IT person
>>> and have limited knowledge about this stuff and would appreciate
>>> that any responses are geared toward the layperson.
>>>
>>> We are running SBS2003 and are using terminal services to login to
>>> our individual workstations from remote locations. This was setup
>>> by our IT consultant. However, he told us that this is not a very
>>> secure way to do this (multiple open ports in the firewall??, weak
>>> accounts??) and suggested that we get another server box to act as
>>> the terminal server which is networked into our SBS box.
>>>
>>> Another option was a Citrix solution for logging in from any PC using
>>> a web browser.
>>>
>>> What are the relevant security issues, if any? Comments about the
>>> Citrix solution?
>>>
>>> Thanks.
>>
>> In addition to the other replies -
>> Terminal Services is great, and if you have a lot of people who want
>> remote access, it's definitely the way to go. They don't need a
>> desktop in the office. You don't need Citrix, either - you can use
>> it, but you don't have to. You can control access to it via VPN or
>> not, as you choose.
>>
>> Re weak accounts - you need to address that, regardless. Force
>> complex passwords, 8-char minimum, regular changes (every 90 days
>> would be my minimum).

