So you want to do Terminal Services on your SBS 2003 box do you?
First realize that we can ONLY do TS in admin mode for remote administration.
TS in application mode is no longer allowed
Let's examine why, shall we?
Here is the listing of recommended steps to lock down a TS box
1. Apply the Notssid.inf security template to TS running permissions
compatible with TS users.
2. Use the AppSec tool to limit which applications can be executed.
3. Do not enable remote control.
4. Do not enable application server mode on a domain controllers.
To connect to a terminal server from the network, users must have the
Log On Locally user right assigned. If you implement application server
mode on a domain controller, nonadministrators must be assigned the Log
On Locally user right at the domain controller. Because this user right
is typically assigned in Group Policy, it enables users to log on at the
console of any domain controller in the domain, greatly reducing security.
5. Implement the strongest available form of encryption between the TS
client and server
6. Choose the correct mode for your TS deployment [if you only need
remote administration, the only deploy that]
7. Install the latest service pack and security updates.
Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in
violation of #4.
Page 393-394 Security Resource Kit.
Read this doc and see how much is done to lock down a TS server..... we
can't do this stuff in SBS land.
Do you really want SBS 2k3 to be the platform of "INsecurity"?
Microsoft chose Security. Be glad they have your client's best interests at heart.