Prepare GPOs for Terminal Services
There are 80 Group Policy Object settings for Terminal Services. They fall into several categories that control how users, PCs, and servers behave when connecting to remote applications.
As you can see, almost every TS setting can be managed through GPOs. Like the user folder information outlined under file sharing services, user Terminal Services settings are no longer entered in the user account properties in AD DS, because doing it there means doing it on a per-user basis. User parameters are set through the User Configuration section of a GPO; server and PC settings are set through the Computer Configuration section. Table 9-4 outlines the settings you should apply in each section.
TIP: If you use GPO settings to control the behavior of your TS sessions, you will not need to configure them in either the user account properties or in Terminal Services Configuration. You will also ensure that all systems are configured in exactly the same manner.
TABLE 9-4 Terminal Services GPO Settings
| Location | Setting | Applied to... | Comments |
|---|---|---|---|
| Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Remote Desktop Connection Client | Allow .rdp files from unknown publishers | PC | Disable to provide a more secure TS environment. |
| | Allow .rdp files from valid publishers and users' default .rdp settings | PC | Enable to provide a more secure TS environment. |
| | Configure server authentication for client | PC | Enable and select "Do not connect if authentication fails". Ensures clients connect only to a TS server whose identity they can verify. |
| | Do not allow passwords to be saved | PC | Leave at the default only if you want to make connections easier by letting users store passwords in .rdp files; enable it in a secure environment so credentials cannot be cached on the PC. |
| | Prompt for credentials on the client computer | | Keep default setting. |
| | Specify Secure Hash Algorithm Version 1.0 (SHA1) thumbprints of certificates representing trusted .rdp publishers | PC | Enable and include the certificate thumbprints if you enabled valid publishers previously. |
| Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections | Allow reconnection from original client only | Server | Disable if you want to use Session Broker for fault tolerance. |
| | Allow remote start of unlisted programs | Server | Disable if you want to control the programs users can run when connected through Remote Desktop. |
| | Allow users to connect remotely using Terminal Services | PC | Enable to allow Remote Desktop. |
| | Automatic reconnection | PC | Enable. |
| | Configure keep-alive connection interval | Server | Enable to keep the client and server connection state synchronized. |
| | Deny logoff of an administrator logged in to the console session | | Keep default setting. |
| | Limit number of connections | Server | Can be used to cap the load on a server. |
| | Restrict Terminal Services users to a single remote session | PC | Enable to control resource use on servers. |
| | Set rules for remote control of Terminal Services user sessions | Server | Enable full remote control with the user's permission. |
| Terminal Server > Device and Resource Redirection | Allow audio redirection | Server | Disable to limit bandwidth use, since redirected audio consumes bandwidth; enable only where users need sound. |
| | Allow time zone redirection | Server | Enable if users connect from multiple time zones. |
| | Do not allow Clipboard redirection | | Keep default setting. |
| | Do not allow COM port redirection | | Keep default setting. |
| | Do not allow drive redirection | | Keep default setting. |
| | Do not allow Local Printer Terminal (LPT) port redirection | | Keep default setting. |
| | Do not allow smart card device redirection | | Keep default setting. |
| | Do not allow supported Plug and Play device redirection | | Keep default setting. |
| Terminal Server > Licensing | Hide notifications about TS licensing problems that affect the terminal server | | Keep default setting. |
| | Set the Terminal Services licensing mode | | Keep default setting. |
| | Use the specified Terminal Services license servers | | Keep default setting. |
| Terminal Server > Printer Redirection | Do not allow client printer redirection | | Keep default setting. |
| | Do not set default client printer to be default printer in a session | | Keep default setting. |
| | Redirect only the default client printer | PC | Enable to avoid printer error messages on the server when print drivers are not available. |
| | Specify terminal server fallback printer driver behavior | | Keep default setting. |
| | Use Terminal Services Easy Print driver first | | Keep default setting. |
| Terminal Server > Profiles | Set path for TS roaming profiles | Server | Enable. Create a share for user profiles and home folders, and point this setting to it. |
| | Set TS user home directory | Server | Enable. Use the same share created for profiles and home folders. |
| | Use mandatory profiles on the terminal server | Server | Use only if you have a strictly locked-down environment. |
| Terminal Server > Remote Session Environment | Always show desktop on connection | | Keep default setting. Not required if you use RemoteApps. |
| | Enforce removal of Remote Desktop wallpaper | | Keep default setting. Not required if you use RemoteApps. |
| | Limit maximum color depth | | Keep default setting. Not required if you use RemoteApps. |
| | Remove Disconnect option from Shut Down dialog box | | Keep default setting. |
| | Remove Windows Security item from Start menu | | Keep default setting. Not required if you use RemoteApps. |
| | Start a program on connection | | Keep default setting. Not required if you use RemoteApps. |
| Terminal Server > Security | Always prompt for password upon connection | Server | Use only in a highly secure environment or for protected applications. |
| | Do not allow local administrators to customize permissions | | Keep default setting. |
| | Require secure Remote Procedure Call (RPC) | Server | Enable to secure communications. |
| | Require use of specific security layer for Remote Desktop Protocol (RDP) connections | Server | Enable and select SSL (TLS 1.0), which provides the most secure connection; the server then presents a certificate that clients must trust. |
| | Require user authentication using RDP 6.0 for remote connections | Server | Enable only if all your clients run Windows Vista or later, because this requires Network Level Authentication; older clients will be refused. |
| | Server authentication certificate template | Server | Enable along with the SSL security layer in the previous setting. |
| | Set client connection encryption level | Server | Keep default setting (Client Compatible, which negotiates the strongest level the client supports), or enable and select High Level to require 128-bit encryption for every connection. |
| Terminal Server > Session Time Limits | Set a time limit for active but idle Terminal Services sessions | Server | Enable and set to 60 minutes. Long idle times consume server resources when no one is actually working. |
| | Set a time limit for active Terminal Services sessions | | Keep default setting. |
| | Set a time limit for disconnected sessions | Server | Enable and set to 30 minutes. Long disconnected times consume server resources when no one is actually connected. |
| | Terminate session when time limits are reached | | Keep default setting. |
| Terminal Server > Temporary Folders | Do not delete temp folder upon exit | | Keep default setting. |
| | Do not use temporary folders per session | | Keep default setting. |
| Terminal Server > TS Session Broker | Join TS Session Broker | Server | Enable to support high availability. |
| | TS Session Broker farm name | Server | Enable and enter the farm name. |
| | TS Session Broker load balancing | Server | Enable to make the best use of the TS farm's resources. |
| | TS Session Broker server | Server | Enable and enter the server name. |
| | Use IP address redirection | | Keep default setting. |
| Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > TS Licensing | License server security group | Server | Enable. Create a security group containing all TS server computer accounts, and list it here. This ensures that licenses are issued only to authorized TS servers. |
| | Prevent license upgrade | | Keep default setting. Only required when you have a mix of server operating systems running TS. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Remote Desktop Connection Client | Allow .rdp files from unknown publishers | | Set at the PC level. |
| | Allow .rdp files from valid publishers and users' default .rdp settings | | Set at the PC level. |
| | Do not allow passwords to be saved | | Set at the PC level. |
| | Specify SHA1 thumbprints of certificates representing trusted .rdp publishers | | Set at the PC level. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections | Allow reconnection from original client only | | Keep default setting if you have users roaming from PC to PC. |
| | Set rules for remote control of Terminal Services user sessions | | Set at the PC level. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Device and Resource Redirection | Allow time zone redirection | | Set at the PC level. |
| | Do not allow Clipboard redirection | | Keep default setting, unless you are sharing a secure application with confidential data. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Printer Redirection | Redirect only the default client printer | | Set at the PC level. |
| | Use Terminal Services Easy Print driver first | | Keep default setting. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Remote Session Environment | Always show desktop on connection | | Set at the PC level. |
| | Enforce removal of Remote Desktop wallpaper | | Set at the PC level. |
| | Start a program on connection | | Set at the PC level. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Session Time Limits | Set a time limit for active but idle Terminal Services sessions | | Set at the PC level. |
| | Set a time limit for active Terminal Services sessions | | Set at the PC level. |
| | Set a time limit for disconnected sessions | | Set at the PC level. |
| | Terminate session when time limits are reached | | Set at the PC level. |
| User Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > TS Gateway | Enable connection through TS Gateway | User | Enable only for specific user groups that connect from external locations. |
| | Set TS Gateway authentication method | User | Enable and use locally logged-on credentials for single sign-on. |
| | Set TS Gateway server address | User | Enable and enter the TS Gateway server address. |
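Once the Server GPO has refreshed on a terminal server, the settings worth confirming are the ones that decide what an attacker on the network can do: security layer, Network Level Authentication, encryption level, secure RPC, and the session time limits. The following script is an added example written for this page, not code from the original tutorial. It reads the policy registry values that the Terminal Services administrative templates write (the value names under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services` are assumed from the ADMX templates; verify them against the Group Policy Settings Reference for your build) and then queries the `Win32_TSGeneralSetting` WMI class for the effective RDP-Tcp listener configuration, which is what a client actually negotiates. Run it in an elevated PowerShell session on the TS server itself.

```powershell
# Added example, not part of the original tutorial: audit the security-relevant
# "Server" rows of Table 9-4 on a terminal server after gpupdate /force.
# Assumption: registry value names are those written by the TS ADMX templates.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Expected policy values, derived from the Server rows of Table 9-4.
# Time limits are stored in milliseconds.
$expected = @(
    @{ Name = 'SecurityLayer';                Value = 2;       Setting = 'Require specific security layer: SSL (TLS 1.0)' },
    @{ Name = 'UserAuthentication';           Value = 1;       Setting = 'Require user authentication using RDP 6.0 (NLA)' },
    @{ Name = 'fEncryptRPCTraffic';           Value = 1;       Setting = 'Require secure RPC' },
    @{ Name = 'fAllowUnlistedRemotePrograms'; Value = 0;       Setting = 'Allow remote start of unlisted programs (disabled)' },
    @{ Name = 'MaxIdleTime';                  Value = 3600000; Setting = 'Idle session limit: 60 minutes' },
    @{ Name = 'MaxDisconnectionTime';         Value = 1800000; Setting = 'Disconnected session limit: 30 minutes' }
)

function Test-TSPolicyValue {
    param([string]$Name, [int]$Value, [string]$Setting)
    # A missing value means the GPO has not been applied (or the setting is Not Configured).
    $item   = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { $null }
    $status = if ($null -eq $actual) { 'NOT SET (GPO not applied?)' }
              elseif ($actual -eq $Value) { 'OK' }
              else { 'MISMATCH' }
    New-Object PSObject -Property @{
        Setting = $Setting; ValueName = $Name; Expected = $Value; Actual = $actual; Status = $status
    } | Select-Object Setting, ValueName, Expected, Actual, Status
}

# 1. Policy values as delivered by the Server GPO.
$expected | ForEach-Object { Test-TSPolicyValue -Name $_.Name -Value $_.Value -Setting $_.Setting } |
    Format-Table -AutoSize

# 2. Effective listener configuration: the merge of policy and local TS Configuration.
$rdp = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                     -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
if ($rdp) {
    $layers = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    New-Object PSObject -Property @{
        SecurityLayer      = $layers[[int]$rdp.SecurityLayer]
        NLARequired        = [bool]$rdp.UserAuthenticationRequired
        MinEncryptionLevel = $levels[[int]$rdp.MinEncryptionLevel]
        CertificateSHA1    = $rdp.SSLCertificateSHA1Hash   # self-signed unless a template was set
    } | Select-Object SecurityLayer, NLARequired, MinEncryptionLevel, CertificateSHA1 | Format-List
} else {
    Write-Warning 'Win32_TSGeneralSetting not available: is the Terminal Server role installed?'
}
```

A row reported as NOT SET usually means the server's computer account is not in the OU the Server GPO is linked to, or the GPO has not refreshed yet. A MISMATCH on SecurityLayer or MinEncryptionLevel in the second section while the first section reports OK points at a conflicting GPO with higher precedence; run `gpresult /scope computer /v` to find it.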
NOTE: While many of the load-balancing settings for Terminal Services required at least the Enterprise edition of Windows Server 2003 to function, they only require the Standard edition in WS08.
GPO settings for WS08 are set at three levels:
- Server
- PC
- User
The Server settings should be placed in a GPO linked to the Virtual Service Offerings | Terminal Services Servers OU, which contains the computer accounts of all your TS servers. The PC settings belong in a global PC GPO that affects all PCs. The User settings belong in a separate GPO linked at a level that covers all users, but filtered through a security group that contains the users who access TS servers remotely, so that only those users receive it.
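The three-GPO layout above can be built and verified from PowerShell. The script below is an added example for this page, not code from the original tutorial. It assumes the GroupPolicy module (shipped with Windows Server 2008 R2 and the Remote Server Administration Tools, not with WS08 RTM), and the domain name, OU path, group name and gateway host name are placeholders. The registry value names are the ones the Terminal Services administrative templates write, so the values appear in GPMC as the corresponding Table 9-4 settings; confirm them against the Group Policy Settings Reference for your build. The security filtering step deliberately leaves Authenticated Users with Read, because computer accounts must still be able to read a user GPO for it to be processed.

```powershell
# Added example, not part of the original tutorial: create, link and filter the
# Server, PC and User GPOs for Terminal Services with the GroupPolicy module.
# Assumptions: GroupPolicy module available; names below are placeholders;
# registry value names are those written by the TS ADMX templates.
Import-Module GroupPolicy

$domainDN   = 'DC=corp,DC=example,DC=com'                                          # placeholder
$tsServerOU = "OU=Terminal Services Servers,OU=Virtual Service Offerings,$domainDN" # placeholder
$tsUsers    = 'TS Remote Users'                                                     # placeholder security group
$tsGateway  = 'tsg.corp.example.com'                                                # placeholder gateway FQDN
$tsKey      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$tsUserKey  = 'HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Server GPO: linked only to the TS servers OU; carries the Server rows of Table 9-4.
$serverGpo = New-GPO -Name 'TS Servers' -Comment 'Terminal Server security and session settings'
New-GPLink -Name $serverGpo.DisplayName -Target $tsServerOU -LinkEnabled Yes | Out-Null
$serverValues = @{
    SecurityLayer                = 2        # Require specific security layer: SSL (TLS 1.0)
    UserAuthentication           = 1        # Require NLA (RDP 6.0): only if every client supports it
    fEncryptRPCTraffic           = 1        # Require secure RPC
    fAllowUnlistedRemotePrograms = 0        # Allow remote start of unlisted programs: Disabled
    MaxIdleTime                  = 3600000  # Idle limit 60 min (milliseconds)
    MaxDisconnectionTime         = 1800000  # Disconnected limit 30 min (milliseconds)
}
foreach ($name in $serverValues.Keys) {
    Set-GPRegistryValue -Name $serverGpo.DisplayName -Key $tsKey -ValueName $name `
                        -Type DWord -Value $serverValues[$name] | Out-Null
}

# 2. PC GPO: linked at the domain so every PC gets the Remote Desktop Connection client hardening.
$pcGpo = New-GPO -Name 'TS Clients' -Comment 'Remote Desktop Connection client settings'
New-GPLink -Name $pcGpo.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null
# Configure server authentication for client: 2 = do not connect if authentication fails
Set-GPRegistryValue -Name $pcGpo.DisplayName -Key $tsKey -ValueName 'AuthenticationLevel' `
                    -Type DWord -Value 2 | Out-Null
# Do not allow passwords to be saved
Set-GPRegistryValue -Name $pcGpo.DisplayName -Key $tsKey -ValueName 'DisablePasswordSaving' `
                    -Type DWord -Value 1 | Out-Null

# 3. User GPO: linked at the domain but applied only to members of the TS users group.
$userGpo = New-GPO -Name 'TS Users' -Comment 'TS Gateway settings for remote users'
New-GPLink -Name $userGpo.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null
# Set TS Gateway server address (value name assumed from the ADMX template)
Set-GPRegistryValue -Name $userGpo.DisplayName -Key $tsUserKey -ValueName 'GatewayHostname' `
                    -Type String -Value $tsGateway | Out-Null
# Security filtering: the group gets Read+Apply; Authenticated Users is reduced to Read only
# (-Replace is required to lower an existing permission level).
Set-GPPermission -Name $userGpo.DisplayName -TargetName $tsUsers -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $userGpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# Verify the filtering: only the TS users group should show GpoApply.
Get-GPPermission -Name $userGpo.DisplayName -All |
    Format-Table @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission -AutoSize
```

Because `Set-GPRegistryValue` writes the same registry.pol entries that the administrative templates do, opening the GPO in GPMC afterwards shows the settings under their Table 9-4 names rather than as raw registry values, which keeps the GPOs reviewable by administrators who do not use PowerShell.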
CAUTION: Remember that Group Policy only affects users and PCs that are members of your domain. Keep this in mind, especially for the settings for the TS Gateway. If users connect to remote applications from public systems, these GPO settings will not affect them.