
Securing Application and Terminal Servers

Application and Terminal Servers Security Issues

Organizations use application servers to make data available on the network. For instance, the application server role makes Web applications and distributed applications available to users. A Web server usually contains a copy of a World Wide Web site and can also host Web-based applications. Application servers can also run database and e-mail servers.

Defining a standard security strategy for application servers is usually not possible because each application can have its own specific security requirements. One common security configuration, though, is to use the NTFS file system to protect data on the system volume. All hard disks storing applications should be NTFS-formatted.

Terminal Server provides the following main features:

  • Terminal Services can operate as an application server that remote clients can connect to and run sessions from. In this case, the Terminal Services server runs the applications. The Terminal Services service on Windows Server 2003 creates a virtual Windows Server 2003 computer for the user, and all the actual processing is handled by the server.
  • The Remote Assistance feature enables a user at one computer to request assistance from a user at a different computer.
  • The Remote Desktop for Administration (RDA) feature of Windows Server 2003 enables remote Windows Server 2003 server administration over a TCP/IP connection.

When Terminal Services is running in Terminal Server mode, your terminal services clients can access applications on the Terminal Services server. This means that you have to install applications on your Terminal Services server. You should install all applications on an NTFS partition. Permissions can be set for applications when they are installed on NTFS partitions.

The security modes supported by Terminal servers are:

  • Full Security: This is the default mode for Windows 2000 and Windows Server 2003, and it enables applications to run in the context of the user. Whenever feasible, it is recommended that you use this mode.
  • Relaxed Security: Used when legacy applications exist. This mode enables users to modify files and Registry settings, which is not usually allowed in Full Security mode.

You can use the Terminal Services Configuration tool to change the configured security mode and to configure settings for all connections to the Terminal server. The Terminal Services Configuration tool is automatically installed when you first install Terminal Services.

To view or change the security mode on your Terminal server:

  1. Click Start, Administrative Tools, and click Terminal Services Configuration.
  2. The Terminal Services Configuration tool opens.
  3. Click the Server Settings node in the left pane.
  4. The Results pane lists the server configuration settings which you can configure.
  5. Right-click the server setting which you want to modify, and select Properties from the shortcut menu.
  6. Proceed to change the security mode setting.

To secure communication between the Terminal server and client, you can configure an encryption level. By configuring a level of encryption, you are further securing Terminal servers because all data passed between the client and the Terminal server is encrypted.

The different levels of encryption which you can configure for Terminal server connections are listed below:

  • FIPS Compliant: This encryption level uses the Federal Information Processing Standard (FIPS) encryption algorithms to encrypt data in both directions. 3DES is used for encryption and SHA1 is used for hashing.
  • High: Data is encrypted in both directions using the maximum key strength, which is 128-bit encryption. This is the default level of encryption configured, and it might not be supported by all clients. Clients that do not support 128-bit encryption will not be able to connect to the Terminal server.
  • Client Compatible: This level of encryption uses the strongest encryption which the client can support.
  • Low: The Low encryption level uses a standard encryption key to encrypt data sent from the client to the Terminal server. However, data sent by the Terminal server to the client is not encrypted. Clients that do not support 56-bit encryption will not be able to establish a connection with the Terminal server.

To configure a level of encryption to secure Terminal server and client communication:

  1. Click Start, Administrative Tools, and click Terminal Services Configuration.
  2. Click the Connections node in the left pane.
  3. To change the properties of any of the listed connections, right-click the connection, and then click Properties on the shortcut menu.
  4. The Properties dialog box of the connection opens.
  5. Specify the desired level of encryption on the General tab.
  6. If you want to ensure that Windows authentication is used for Terminal Services connections, enable the Use Standard Windows Authentication checkbox.
  7. Click OK.
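
The setting chosen on the General tab can also be audited from a script. The following is an added example, not part of the original article: it reads the `MinEncryptionLevel` registry value for each Terminal Services connection and flags any connection configured below High. It assumes PowerShell 2.0 or later is installed on the server, treats High as the required baseline (an assumption, adjust `-Minimum` to your policy), and falls back to constructed sample connection names when no live settings are found.

```powershell
# Added example. MinEncryptionLevel is the REG_DWORD behind the General-tab setting.
$LevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-EncryptionFinding {
    param([string]$Connection, [int]$Level, [int]$Minimum = 3)  # 3 = High (assumed baseline)
    $name = "Unknown ($Level)"
    if ($LevelNames.ContainsKey($Level)) { $name = $LevelNames[$Level] }
    $status = 'OK'
    if ($Level -lt $Minimum -or $Level -gt 4) { $status = 'REVIEW' }
    $note = switch ($Level) {
        1       { 'Server-to-client data is not encrypted' }
        2       { 'Strength depends on what each client supports' }
        default { '' }
    }
    New-Object PSObject -Property @{
        Connection = $Connection; Level = $name; Status = $status; Note = $note
    } | Select-Object Connection, Level, Status, Note
}

function Get-LiveEncryptionLevels {
    # Reads every connection under WinStations; keys without the value are skipped.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $levels = @{}
    if (Test-Path $root) {
        foreach ($key in Get-ChildItem $root) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props.MinEncryptionLevel) {
                $levels[$key.PSChildName] = [int]$props.MinEncryptionLevel
            }
        }
    }
    return $levels
}

# Constructed sample (connection name -> level), used when no live settings are found.
$sample = @{ 'RDP-Tcp' = 3; 'RDP-Tcp-Legacy' = 1; 'RDP-Tcp-Kiosk' = 2 }

$levels = Get-LiveEncryptionLevels
if ($levels.Count -eq 0) { $levels = $sample }

$levels.GetEnumerator() |
    ForEach-Object { Get-EncryptionFinding -Connection $_.Key -Level $_.Value } |
    Sort-Object Connection |
    Format-Table -AutoSize
```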