Macro 32 Ramblings

Windows 2008 RDC/TS QuickNotes

RDC also sports a host of new improvements in the types of devices it can bring from the remote server to the local client. Some of those improvements include:

  • Maximum screen resolution increase to 4096×2048
  • Maximum color depth increase to 32-bit color
  • Support for ClearType fonts (called “font smoothing”)
  • Support for connected USB and other peripheral devices
  • Support for Single Sign-On
  • Support for spanning multiple horizontally-connected monitors using the “/span” switch
  • Enhanced security using Network Location Awareness (we’ll discuss this further in the next post)
  • Ability to use client-side themes in remoted sessions
  • SSL-based security using TS Gateway (we’ll also talk about this in a later post)

Reversing Bad Security

From a security perspective, the original RDC’s design was actually backwards from what is considered good security.

Think about how you connect to a pre-W2008 Terminal Server. You enter the name of the server and a connection is initiated to its logon screen. Then, once you hit that logon screen you begin the process to authenticate. From a security perspective, this isn’t a good idea. By doing it in this manner, you’re actually accessing a server prior to authenticating to it. This is the reverse of how nearly all other network services provide authentication security.

NLA, or Network Level Authentication with RDC 6.0, reverses the order in which a client attempts to connect. If you’ve used the new client, you’ve probably noticed how it asks for your username and password before it takes you to the logon screen. If you’re attempting to connect to a pre-W2008 server, a failure in that initial logon will fail back to the old login process. But where this new feature shines is when connecting to Windows Vista and W2008 servers with NLA configured. Here, that failback authentication can be prevented from ever occurring. This prevents the bad guys from gaining console access to your server without a successful authentication.

You can set up Network Level Authentication in Vista and W2008 by right clicking on Computer and choosing Properties, then selecting Remote Settings. Under Remote Desktop, ensure Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).
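To audit and enforce the same NLA setting from the command line instead of the Remote Settings dialog, here is an added PowerShell example (not from the original article or Microsoft's own tooling). It assumes the standard RDP-Tcp listener registry key and the Terminal Services WMI provider (`Win32_TSGeneralSetting`); the function names are my own.

```powershell
# Added example: check whether the RDP-Tcp listener requires Network Level
# Authentication and, if not, turn it on so the pre-authentication fallback
# described above cannot happen. Run in an elevated prompt on the host.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpAuthSetting {
    # Reads the listener's settings from the registry.
    # UserAuthentication: 1 = NLA required (the "more secure" radio button),
    #                     0 = legacy: logon screen is reachable before auth.
    # SecurityLayer:      0 = RDP security, 1 = negotiate, 2 = TLS/SSL.
    $p = Get-ItemProperty -Path $RdpTcpKey
    $layers = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }
    $layerName = $layers[[int]$p.SecurityLayer]
    if (-not $layerName) { $layerName = 'Unknown' }
    New-Object PSObject -Property @{
        NlaRequired   = ([int]$p.UserAuthentication -eq 1)
        SecurityLayer = $layerName
    }
}

function Set-RdpNlaRequired {
    # Enforces NLA through the Terminal Services WMI provider so the running
    # listener picks up the change without a reboot.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    $null = $ts.SetUserAuthenticationRequired(1)
}

$before = Get-RdpAuthSetting
if (-not $before.NlaRequired) {
    Write-Warning 'RDP-Tcp accepts connections before authentication (NLA off); enabling it.'
    Set-RdpNlaRequired
}
Get-RdpAuthSetting | Format-List
```

Group Policy can override the local value (the policy lives under a separate Policies key), so if the output still shows NLA off after the change, check the "Require user authentication for remote connections" policy applied to the server.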

Accessing the Console

Every previous version of Terminal Server — and indeed every previous version of Windows — reserved “Session ID 0” as the connection used when the user is directly on the console of the machine. Reserving this session in this way was easy for software installations that pushed error messages to the console session. But it also added the potential for misuse as a vector for exploit. In W2008, “Session ID 0” is no longer a session that can be used by normal users. Instead, it is the session where system services reside. By limiting session connections in this way, the security profile of the Terminal Server is enhanced.

What is different, though, about making this change is that what administrators used to think of as the “console session” can now be tied to any session ID number. The command

mstsc.exe {servername} /console

can be used to connect the user to session ID 0 for those older O/S versions. Using the same switch with Vista and W2008, RDC 6.0 will now automatically connect to the correct console session.

Where this comes in particularly handy is when servers run out of licenses. Using RDC to connect to the console session doesn’t consume a TS CAL. So, in addition to being able to install software through terminal services directly on the console, you can also use this feature to remotely troubleshoot a Terminal Server that has stopped accepting new connections.

Because of how this change in connections to Session ID 0 has been done, there is one major difference between how W2003 and W2008 handle the acceptance of incoming connections: You get one fewer concurrent connection.

W2008 supports a total of two rather than three concurrent connections in Remote Administration mode. With W2003, a server would support two TermServ connections in addition to the console connection. With W2008, a server will only accept two concurrent connections, no matter if they’re at the console or via TermServices.

This seems like bad news at first blush, but there’s a bit of good news to go with it. With W2008 the third user who attempts to connect now gets an opportunity to kick off another user. Once the third user connects, they’ll be asked if they want to disconnect one of the other users instead of our old error message, “The terminal server has exceeded the maximum number of allowed connections.”

From: http://redmondmag.com/Articles/2007/12/14/Above-the-Rest-Windows-2008s-Terminal-Services-Client.aspx