Re: Securing Microsoft Windows 2000 Terminal Services with Terminal Services Advanced Client (TSAC) enabled
From: jklemenc@fnal.gov Date: 04/12/02
To: "Chatfield, Randy" <Randy.Chatfield@wipp.ws> From: jklemenc@fnal.gov Date: Thu, 11 Apr 2002 17:02:22 -0500
<snipped from another TS discussion a few months ago>:
Without having a domain structure, you can implement a local machine policy
via the Local Computer Policy snap-in to the MMC application (if you have a
W2K domain, simply use a GPO). This local policy has one caveat though: it
is applied to the entire local machine, including the Administrator. There
is a work-around, however:
1) Create another administrator class user
2) Remove the main admin account from the Users group
3) Set the local machine policies via the Local Computer Policy snap-in to
MMC
4) Open the properties for the hidden folder: WINNT\System32\GroupPolicy
4a) Select the Security tab
4b) Add the admin equivalent account you created to the access list.
Grant full control over the directory
4c) Add the main administrator account to the access list. Grant only
List and Write privileges (de-select Read)
4d) Remove the Administrators group and Authenticated Users group
from the listing
4e) Add the Users (or Domain Users) or whatever group contains your
users that will use the Terminal Server (you do have a restrictive group
that only allows certain people to logon locally to the Terminal Server,
right?)
4f) Uncheck the checkbox: Allow inheritable permissions....
4g) Click the Advanced button and check the checkbox: Reset
permissions on all child objects.....
What this actually does is apply your local computer/user policy to the
entire machine (including the local admin). By creating a second Admin
class account, and changing the access-rights to the GroupPolicy directory,
you are prohibiting the regular Administrator account from reading the
local User Policy directory, hence not being able to apply the policy
template. Now, if you want to run the MMC snap-in again to change the local
policy, you will need to logon as the regular Admin account, then perform a
RunAs on the MMC.EXE and give the other admin account login/password that
still has access to the GroupPolicy directory (if you logon as this admin
instead, you will be inflicted with the user policy you defined, which may
prohibit you from running this application).
Some other security tricks for the Terminal Server:
- Go through the directories and revoke the appropriate User Rights in the
Permissions settings
- Rename the original Administrator account to something else and remove
the description for it. Create a dummy Administrator account with the
original description, disable such account/set difficult random
password/don't allow password change, and place such account in the Guests
group, and remove from all other groups.
- Create a LegalNoticeText registry key that states the typical Authorized
Use Only blurbage that is displayed before a user logs on
- Change the registry keys to not display the last logged on user, and set
the number of cached logons to 0
These keys (and other pertaining keys) can be found in the following
Registry locations:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
- (system policy)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- For the WinLogon procedure
It may also be helpful to disable the unneeded services and disable the Null
Enumeration and Admin Shares. A decent set of services that should be
enabled is:
(These depend on the purpose of your Terminal Server, but this is a good
starting point)
Service Startup Method
--------------------------------------------------------------------------------------------------------------
COM+ Event System Manual
DNS Client Automatic
Event Log Automatic
IPSEC Policy Agent Automatic
Logical Disk Manager Automatic
Network Connections Manual
Plug and Play Automatic
Print Spooler Service Automatic*
Protected Storage Automatic
Remote Procedure Call (RPC) Automatic
Remote Registry Service Automatic**
RunAs Service Automatic
Security Accounts Manager Automatic
Server Automatic
System Event Notification Automatic
TCP/IP NetBIOS Helper Service Automatic
Windows Installer Manual
Windows Management Instrumentation Driver Extensions Manual
Workstation Automatic
* Print Spooler is used to talk to printers. If you never print from the
Terminal Server, you can leave it as Manual, but you will NOT be able to
even look at the properties of a printer.
** Remote Registry service is required to perform MMC and Control Panel
configurations. It is recommended to leave it in Manual mode, and start it
before you perform Admin tasks, then stop it afterwards.
Also, set some of the 'harmful' services to Disabled:
DHCP
Intersite Messaging
Routing & RAS
Task Scheduler
As for locking down browsing and such, simply look through the Group Policy
Editor. You will find most of what you are looking for. If you are looking
for an application to automatically launch on the Terminal Server when a
user logs in, there are a few ways to do that. If the user is to retain a
TS session when the app closes, simply put it in StartUp. If you want the
TS session to close when the user exits the app running on the Terminal
Server, there are parameters you can feed into the ActiveX control. Look
through the help file that came with the TSAC control/examples.
Joe
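To check a host against the settings Joe lists above (logon banner and Winlogon values, service startup modes, and the GroupPolicy folder ACL), here is an added PowerShell audit script that is not part of the original post. It assumes a modern Windows host with PowerShell, uses today's service display names, and names the registry values (LegalNoticeText, DontDisplayLastUserName, CachedLogonsCount) that the post only describes; the "DHCP" entry is assumed to mean the DHCP Client service.

```powershell
# Added audit script (not from the original post): reports drift from the
# Terminal Server hardening described above. Read-only; it changes nothing.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Registry values behind the "LegalNoticeText", "last logged-on user" and
#    "cached logons" items. Key paths are from the post; value names are the
#    standard Windows ones, which the post does not spell out.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$p = Get-ItemProperty $pol
$w = Get-ItemProperty $wl
if (-not $p.LegalNoticeText)           { $findings += "No LegalNoticeText logon banner under $pol" }
if ($p.DontDisplayLastUserName -ne 1)  { $findings += "DontDisplayLastUserName is not 1 under $pol" }
if ("$($w.CachedLogonsCount)" -ne '0') { $findings += "CachedLogonsCount is '$($w.CachedLogonsCount)', expected 0" }

# 2. Service startup modes taken from the post's table and "harmful" list.
#    Display names are the modern ones; adjust for your build and server role.
$expected = @{
  'Remote Registry'           = 'Manual'    # post: Manual, start only for admin tasks
  'Print Spooler'             = 'Manual'    # post: Manual if the TS never prints
  'Windows Installer'         = 'Manual'
  'IPsec Policy Agent'        = 'Auto'
  'Task Scheduler'            = 'Disabled'
  'Routing and Remote Access' = 'Disabled'
  'DHCP Client'               = 'Disabled'  # assumption: the post's "DHCP" entry
}
foreach ($svc in Get-CimInstance Win32_Service) {
  $want = $expected[$svc.DisplayName]
  if ($want -and $svc.StartMode -ne $want) {
    $findings += "Service '$($svc.DisplayName)' StartMode=$($svc.StartMode), expected $want"
  }
}

# 3. GroupPolicy folder ACL: inheritance blocked, and Administrators /
#    Authenticated Users no longer present, as the post's folder steps require.
$gp  = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$acl = Get-Acl $gp
if (-not $acl.AreAccessRulesProtected) { $findings += "$gp still inherits permissions" }
foreach ($ace in $acl.Access) {
  if ($ace.IdentityReference -match 'Administrators$|Authenticated Users$') {
    $findings += "$gp grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
  }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[DRIFT] $_" } }
else           { Write-Output 'Host matches the described Terminal Server baseline' }
```

Run it from an elevated prompt; the ACL and Winlogon reads need administrator rights on most hosts.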
"Chatfield, Randy" <Randy.Chatfield@wipp.ws> wrote on 04/11/2002 04:10 PM:
To: focus-ms@securityfocus.com
cc:
Subject: Securing Microsoft Windows 2000 Terminal Services with Terminal Services Advanced Client (TSAC) enabled
I would appreciate any recommendations for securing Microsoft Windows 2000
Terminal Services with the Terminal Services Advanced Client enabled.
What I would like to do is restrict access to Internet Explorer, lock down
user profiles, remove certain menu items globally for all users, and
restrict the users ability to scan the local system drives.
Ideally, I would like connections to the terminal server to allow an
application to be executed from the web interface upon the default web page
load, and only allow desktop sessions to be initiated from natively
installed terminal services client software.
Thanks in advance,
Randy L. Chatfield
Senior Analyst - ETSG
Randy.Chatfield@WIPP.WS
Carlsbad, New Mexico 88220