To anyone who truly believes that running Terminal Server in Application mode on our SBS 2003 domain controller can be made secure and could ever be secure, I am reminded of a joke that Dr. Jesper J said and has been repeated in SBSland.... “what are you smokin' and why aren't you sharing?”
Today, in addition to screwing up the user versus CAL in Terminal Server I loaded up more applications on it. I loaded up Office applications on my Terminal Server [keeping in mind that normally we tell folks to NEVER install any applications like Office on a server.] I flipped the “Themes” service to automatic and started it so that the desktops could “look” like Windows XP. I uninstalled [but only for the users] the Enhanced IE ActiveX blocking. I basically lowered and totally introduced threat vectors all over the place. All the hard work done by Michael Howard and his team to protect that server from the stupid user, I totally ripped out everything that his team did. I still haven't even grabbed the security resource kit to apply the recommended guidance.
How can anyone honestly and truly think that they can in turn ACL and permission themselves back to the lowered attack surface that the Microsoft server team built?
I enabled services, I installed software [which reminds me I need to Shavlik that box again because that's “unpatched Office 2003 as it's fresh off the CDrom”], I'm letting a user “drive” that box instead of normally how my domain controller runs, left alone to do its job, with most of the time having me remote in from my desktop and not even walk over to the console.
Sorry all you folks who think that they have the skill to lock down a domain controller enough so that it can be run in TS in application mode, I just so totally disagree with you folks.
You want to introduce too much risk, way too much risk. Remember, where I'm at, in California I must make reasonable security precautions to protect my data. If you think that running Terminal Server in application mode on our domain controller was ever reasonable.... “how about sharin' what you are smokin'”?
I will post once again what I've ranted about in the newsgroups before:
1. Apply the Notssid.inf security template to TS running permissions compatible with TS users.
2. Use the AppSec tool to limit which applications can be executed.
3. Do not enable remote control.
4. Do not enable application server mode on domain controllers. To connect to a terminal server from the network, users must have the Log On Locally user right assigned. If you implement application server mode on a domain controller, nonadministrators must be assigned the Log On Locally user right at the domain controller. Because this user right is typically assigned in Group Policy, it enables users to log on at the console of any domain controller in the domain, greatly reducing security.
5. Implement the strongest available form of encryption between the TS client and server
6. Choose the correct mode for your TS deployment [if you only need remote administration, then only deploy that]
7. Install the latest service pack and security updates.
Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in violation of #4.
Page 393-394 Security Resource Kit.
Read this doc and see how much is done to lock down a TS server..... we can't do this stuff in SBS land.
At least not on our domain controllers anyway.
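
An added example (not from the original post or the Security Resource Kit) for item 4 above: it parses a security policy dump produced by `secedit /export /cfg` and lists every holder of the Log On Locally right (SeInteractiveLogonRight) that is not a built-in administrative group. The sample dump, the CONTOSO\TSUsers group and the set of expected SIDs are assumptions constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` dump (real files are UTF-16 on disk).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545,CONTOSO\\TSUsers
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

# Assumption: built-in groups expected to hold the right on a domain controller.
EXPECTED_ON_DC = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

def holders(inf_text, right="SeInteractiveLogonRight"):
    """Return the SIDs or account names assigned `right` in the dump."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep the privilege names case-sensitive
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", right, fallback="") or ""
    # SIDs are written with a leading '*'; unresolved names appear as-is.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def unexpected_holders(inf_text, right="SeInteractiveLogonRight"):
    """Holders of `right` that are not in the expected administrative set."""
    return [h for h in holders(inf_text, right) if h not in EXPECTED_ON_DC]

if __name__ == "__main__":
    for h in unexpected_holders(SAMPLE_INF):
        print("non-admin holder of Log On Locally on DC:", h)
```

Because the right is normally set through the Default Domain Controllers policy, a hit on one domain controller usually means the same principals can log on at the console of every domain controller in the domain.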