How to Harden Windows Server 2008 Terminal Services
Chapter 11 of the Windows Server 2008 Security Guide: Hardening Terminal Services is now live on TechNet.
The details of the attack surface for the Terminal Services role(s) are included in the Windows Server 2008 Attack Surface Reference workbook included in the Guide. The Terminal Services role has the greatest attack surface and requires more configuration settings than the other role services discussed in the Guide. However, only the TS Gateway role service has specific security configuration changes. There are no additional steps to secure the TS Licensing, TS Session Broker, and TS Web Access role services.
Table 11.1 summarizes the recommended security configuration tasks for hardening servers performing the Terminal Services role, including:
- Configure the network level authentication.
- Enable Single Sign-On for Terminal Services.
- Enable secure use of saved credentials with Windows Vista RDP clients.
- Change the default RDP port.
- Use smart cards with Terminal Services.
- Use the NTFS file system.
- Use TS Easy Print exclusively.
- Partition user data on a dedicated disk.
- Create specialized OUs for terminal servers.
- Set Group Policy settings for the terminal servers.
- Set Group Policy settings for the remote desktops.
- Restrict users to specific programs.
- Limit terminal server security auditing.
The Windows Server 2008 Security Guide is designed to further enhance the security of the servers in your organization by taking full advantage of the new
and improved security technologies and features in Windows Server 2008. Use the guidance to create, test, and deploy your security baseline quickly and reliably, harden your server workloads, and evaluate security setting recommendations to meet the requirements of your environment.
Along with the online version above, the Windows Server 2008 Security Guide is also available as a download and includes the following components:
- Executive Overview. A summary for business and technical managers that briefly explains how you can use the guidance and the tool for this Solution Accelerator.
- Security Guide. Recommended guidelines and best practices in a series of chapters that offer detailed guidance on how to harden servers running Windows Server 2008 that handle different workloads, including those for Active Directory Domain Services (AD DS), DHCP, DNS, Web, File, Print, Active Directory Certificate Services (AD CS), Network Policy and Access Services, and Terminal Services.
- Security Settings Recommendation Appendix. A comprehensive technical reference that explains every prescribed security setting in the security guide.
- Security Settings Workbook. A resource that lists all prescribed settings for each of the preconfigured security baselines provided by the guide.
- Attack Surface Reference Workbook. A resource that lists the changes that installed server roles introduce in Windows Server 2008.
- GPOAccelerator. A tool that you can use to automatically create Group Policy objects (GPOs) recommended by the guide, which is available as a separate download. To learn more about the GPOAccelerator and download the tool, click here.