Choose the appropriate permission levels for Windows Server 2003 Terminal Services
Takeaway: When installing Terminal Services on Windows Server 2003, you have two security options: Relaxed Security or Full Security. While the right choice may appear to be obvious, this isn't always the case. In this Windows Server 2003 tip, Scott Lowe discusses the differences between these two options, and he explains why you might need to choose the Relaxed Security option.
When you install Terminal Services on a Windows Server 2003 server in your data center, you have the option to either select the Relaxed Security setting or choose the Full Security option for your clients. While the answer may appear to be a simple one, it's important to consider your organization's specific applications before clicking that Full Security option.
First of all, make sure you understand the Terminal Services language. In this case, relaxed doesn't necessarily mean lax—it's actually shorthand for Windows NT Server 4.0, Terminal Server Edition Permissions Compatibility Mode (Relaxed Security). Your other option, Full Security, actually stands for Windows 2000/Windows Server 2003 Permissions Mode.
If you select the Relaxed Security option, users connecting to the terminal server can modify certain system files (such as those located in the SYSTEM32 directory) as well as registry keys. Windows 2000 and Windows Server 2003 restrict user access to these areas to boost security and stability.
You might wonder why you would ever want to allow users to access such important system areas. However, some earlier programs won't operate unless the user has access to certain registry keys and the SYSTEM32 folder, and Terminal Services' Relaxed Security setting allows the support of these applications.
The good news is that these programs are all generally pretty old. The even better news is that the Relaxed Security setting precludes you from having to grant users Administrator privileges on the system. But even though it's better than giving users admin rights, it still creates a major security hole.
So, whenever possible, choose the Full Security option to lock down your terminal server. If you're not sure if a particular application will work, try running it under the Full Security setting first. If that doesn't work, you'll likely need to use the Relaxed Security option. However, to better protect your network, segregate such applications by putting them on their own terminal server.
Miss a tip?
Check out the Windows Server 2003 Archive, and catch up on the most recent tips from this newsletter.
Stay on top of the latest WS2K3 tips and tricks with our free Windows Server 2003 newsletter, delivered each Wednesday. Automatically sign up today!
Print/View all Posts Comments on this article
 How does this compare to NT4 and 2000/XP workstation OS's?ShellyA227 | 08/03/05 |
  I'm a bit rusty on this, but......YetAnotherAdmin | 08/04/05 |
| i am using windows 2003 server and my networking is disabledraghusatram@... | 06/05/07 |
SponsoredWhite Papers, Webcasts, and Downloads
- Defrag Myth Busters - What You Should Know Diskeeper
- Enhancing Desktop and Laptop Security Performance with Disk Defragmentation Diskeeper
- New Release - Diskeeper 2008 with InvisiTasking: It's Smart. It's Transparent. It Will Take Your PC from Zero to Sixty--Automatically! Diskeeper
- The Shortcut Guide to Managing Disk Fragmentation - Chapter 1 Diskeeper
- Live Webcast: Simplified IT with Software-as-a-Service (SaaS) ZDNet
Article Categories
- Security
- Security Solutions, IT Locksmith
- Networking and Communications
- E-mail Administration NetNote, Cisco Routers and Switches
- CIO and IT Management
- Project Management, CIO Issues, Strategies that Scale
- Desktops, Laptops & OS
- Windows 2000 Professional, Microsoft Word, Microsoft Excel, Microsoft Access, Windows XP,
- Data Management
- Oracle, SQL Server
- Servers
- Windows NT, Linux NetNote, Windows Server 2003
- Career Development
- Geek Trivia
- Software/Web Development
- Web Development Zone, Visual Basic, .NET
