Locking down terminal services
This is the list of Group Policy and registry changes I like to make for a terminal services environment:
GROUP POLICY CHANGES – to apply them immediately, run GPUPDATE from the command line, then log out and back in to test.
Computer Configuration
    Administrative Templates
        Windows Components
            Terminal Services
                Remove Windows Security Item from Start Menu – enabled
                Remove Disconnect option from Shut Down dialog – enabled
            Windows Update
                Configure automatic updates – disabled
            Windows Messenger
                Do not start Windows Messenger initially – enabled
User Configuration
    Administrative Templates
        Start Menu and Taskbar
            Add Logoff to the Start Menu – enabled
            Remove and prevent access to the Shut Down command – enabled
            Turn off personalized menus – enabled
            Turn off notification area cleanup – enabled
            Do not display any custom toolbars in the taskbar – enabled
            Remove Set Program Access and Defaults from Start Menu – enabled
        Desktop
            Active Desktop
                Enable Active Desktop – enabled
                Prohibit Changes – enabled
                Active Desktop Wallpaper – path to the wallpaper file, and style (e.g. C:\DELL\wallpaper.jpg, wallpaper style: stretch)
            Remove Desktop Cleanup Wizard – enabled
REGISTRY CHANGES
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Add the following value: NoDisconnect (REG_DWORD) = 0x1 (hides the Disconnect menu item)
How to lock down a Windows 2003 or Windows 2000 Terminal Server
Here is the Microsoft KB entry for terminal session security.
Server 2003 – Terminal Server Client Access Licensing setup – eOpen
1. Find license on your eOpen website portal, noting especially the Authorization and License codes.
2. Install terminal services licensing server, preferably on a 2003 server that is not a domain controller or a terminal server.
3. Open Administrative Tools, then Terminal Services Licensing.
4. Click on the server name, choose Activate, and then install licenses.
5. Choose license program: Open License
6. Enter your authorization number in the agreement number field.
7. Enter your license number in the unmarked field below it. Hit next and you should be good to go.
IPP printing with Linux and Windows
How to make Windows use CUPS IPP
This worked really well to get Windows Server 2003 to use an HP LaserJet printer local to an Ubuntu Feisty machine. My OSX machine saw it right away once I turned printer sharing on in CUPS. Windows took a little more trickery.
Importing Contacts into Outlook
Outlook handles individual vCards (2.1, not 3.0) just fine, but importing a batch can be a problem. Here is a procedure for getting an Apple Address Book into Outlook, via the Windows Address Book. This is tested with OSX 10.4.8 and Outlook XP on a terminal server session on Server 2003. Other versions are probably similar.
- Apple Address Book: Preferences > vCard Format> Click 2.1 format, and close the preferences window
- Highlight the contacts to export and choose File> Export vCard… Choose a location. It will export one combined file.
- Copy the file to the computer you’re importing from
- Go to Start: Program Files: Accessories: Address Book
- In Address Book, go to File > Import > Business Card (vCard)… and select your vCard 2.1 file. Address Book will now import all the records from the file. You’ll have to click OK for each record as it imports, but you can just sit hitting the ENTER key, so it’s actually pretty quick.
- Fire up Outlook and pretend you’re importing addresses from Outlook Express. Go to File > Import and Export, choose “Import Internet Mail and Addresses” as the action, then “Outlook Express 4.x, 5.x, 6.x” as the source, and untick “Import Mail” and “Import Rules”. Make sure you can view hidden files. Specify \\<computer>\Documents and Settings\<user>\Application Data\Microsoft\Address Book\<user>.wab. Choose Outlook Contacts Folder as the destination and tell it what you want to do with duplicates. Click Finish and Outlook will automatically import all the addresses you imported into Address Book into your Outlook Contacts folder.
(Detailed instructions here.)
This was adapted from an entry at njivy.org.
Printing from DOS within a thin client session
This assumes you are already able to print with your thin clients in Server 2003 terminal server sessions, and need to add printing for a DOS application. DOS will see the remote printer as LPT1.
- Share the printer from the terminal server and give it a legal DOS name. (e.g. TEST1)
- Create a batch file in the user’s startup menu, startup folder. (e.g. DOSPRINT.CMD)
REM DOSPRINT.CMD - runs from the user's Startup folder; remaps LPT1 to the shared printer
NET USE LPT1: /DELETE
NET USE LPT1: \\SERVERNAME\TEST1 /PERSISTENT:YES
When the user logs in the printer should now be mapped every time. This worked perfectly for users with Okidata dot matrix printers connected to the parallel ports of ThinStation computers connecting to Windows Server 2003 over the internet.
MS SQL Server local file backup problem resolved
I recently ran across a problem twice with backup maintenance plans in Microsoft SQL Server (2000+). The following error started to appear when the file backup job started to run:
… – Message: The job failed. Unable to determine if the owner (DOMAIN\Administrator) of job DB Backup Job for DB Maintenance Plan 'DB Maintenance Plan1' has server access (reason: Could not obtain information about Windows NT group/user 'DOMAIN\Administrator'/ [SQLSTATE 42000] (Error 8198)).
There seemed to be lots of people with the same problem but no solutions offered. Here's the solution that worked for us:
- Go to Administrative Tools -> Services. Click on SQLSERVERAGENT and select Properties from the Action menu. Click on the Log On tab. Select Local System Account. Click on the General Tab. Select Startup Type: Automatic and hit OK.
- In Enterprise Manager, go to Maintenance, and click on SQL Server Agent. Select Properties from the Action menu. Click on the Connection tab. Select Use Windows Authentication and hit OK (you may need to stop and restart the SQL Server service at this point).
- In Enterprise Manager, click on the name of the local server and select Edit SQL Server Registration properties… Select Use SQL Server Authentication (we used sa), and hit OK.
- Delete the existing database plan and create a new one.
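Before deleting and recreating the plan, it helps to know which jobs are affected. The following is an added PowerShell example (not from the original post) that runs the Windows account lookup SQL Agent performs on each job's owner through xp_logininfo, which fails with the same "Could not obtain information about Windows NT group/user" text quoted above when the agent's service account cannot resolve the owner; it assumes a local default instance and a login permitted to run xp_logininfo (sysadmin or securityadmin).

```powershell
# Added example (not from the original post): check every SQL Agent job owner the way
# the agent does, so jobs that will fail with error 8198 show up before the plan runs.
# Assumes a local default instance ('.') and a Windows login allowed to run xp_logininfo.
function Test-JobOwners([string]$server = '.') {
  $conn = New-Object System.Data.SqlClient.SqlConnection
  $conn.ConnectionString = "Server=$server;Database=msdb;Integrated Security=SSPI"
  $conn.Open()
  try {
    $cmd = $conn.CreateCommand()
    # owner_sid is stored on the job; SUSER_SNAME turns it back into a login name
    $cmd.CommandText = 'SELECT name, SUSER_SNAME(owner_sid) FROM dbo.sysjobs'
    $jobs = @()
    $r = $cmd.ExecuteReader()
    while ($r.Read()) {
      $owner = if ($r.IsDBNull(1)) { '' } else { $r.GetString(1) }
      $jobs += ,@($r.GetString(0), $owner)
    }
    $r.Close()
    foreach ($j in $jobs) {
      $job, $owner = $j
      # Only Windows logins (DOMAIN\name) go through the NT group/user lookup
      if ($owner -notmatch '\\') { '{0,-5} {1} (owner {2}, SQL login)' -f 'OK', $job, $owner; continue }
      $safe = $owner.Replace("'", "''")
      $cmd.CommandText = "EXEC master.dbo.xp_logininfo @acctname = N'$safe'"
      try   { [void]$cmd.ExecuteNonQuery(); $state = 'OK' }
      catch { $state = 'FAIL' }   # lookup failed: this job will hit error 8198 when it runs
      '{0,-5} {1} (owner {2})' -f $state, $job, $owner
    }
  } finally { $conn.Close() }
}

Test-JobOwners
```

A job reported as FAIL is one whose owner the agent's service account cannot look up; reassigning it with sp_update_job or fixing the agent's logon, as the steps above do, clears the error.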
Remote Desktop Client
Here are some handy links to download the Remote Desktop Client (RDC) from Microsoft:
Note: The Remote Desktop Connection software is pre-installed with Windows XP. To run it, click Start, click All Programs, click Accessories, click Communications, and then click Remote Desktop Connection. This software package can also be found on the Windows XP Professional and Windows XP Home Edition product CDs and can be installed on any supported Windows platform. To install from the CD, insert the disc into the target machine's CD-ROM drive, select Perform Additional Tasks, and then click Install Remote Desktop Connection.
For previous versions of Windows the installer can be downloaded from here.
For Mac OS X, the installer can be downloaded from here.
For Linux, you can use rdesktop.
Group policy objects
Here are some group policy settings that solved some problems on a Windows 2003 terminal server:
Add local servers to:
User Configuration\Windows Settings\Internet Explorer Maintenance\Security Zones and Content Ratings\Local intranet
(KB article 815141)
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Automatic Reconnection: Enabled
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection\Allow audio redirection: Enabled
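To confirm that the lockdown policies listed at the top of this page and the two Terminal Services policies just above actually took effect in a session, here is an added PowerShell audit (my example, not part of the original posts). It reads the registry values the Server 2003 administrative templates write for each policy; apart from NoDisconnect, which the page itself names, the value names are my reading of those ADM templates, so check them against your own templates if a line reports NOT SET after a fresh GPUPDATE.

```powershell
# Added example, not from the original posts: audit the lockdown policies listed on
# this page by reading the registry values the Server 2003 ADM templates write.
# Run it inside a terminal session as the user being tested (HKLM checks need admin).
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ts       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$au       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$msgr     = 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client'

# label, key, value name, value the page's setting should produce (value names assumed from the ADM files)
$checks = @(
  @('Remove Windows Security item from Start menu',   $explorer, 'NoNTSecurity',           1),
  @('Remove Disconnect option from Shut Down dialog', $explorer, 'NoDisconnect',           1),
  @('Configure automatic updates: Disabled',          $au,       'NoAutoUpdate',           1),
  @('Do not start Windows Messenger initially',       $msgr,     'PreventAutoRun',         1),
  @('Add Logoff to the Start Menu',                   $explorer, 'ForceStartMenuLogOff',   1),
  @('Remove and prevent access to Shut Down',         $explorer, 'NoClose',                1),
  @('Turn off personalized menus',                    $explorer, 'Intellimenus',           0),
  @('Turn off notification area cleanup',             $explorer, 'NoAutoTrayNotify',       1),
  @('No custom toolbars in the taskbar',              $explorer, 'NoToolbarsOnTaskbar',    1),
  @('Remove Set Program Access and Defaults',         $explorer, 'NoSMConfigurePrograms',  1),
  @('Enable Active Desktop',                          $explorer, 'ForceActiveDesktopOn',   1),
  @('Prohibit Active Desktop changes',                $explorer, 'NoActiveDesktopChanges', 1),
  @('Remove Desktop Cleanup Wizard',                  $explorer, 'NoDesktopCleanupWizard', 1),
  @('Automatic Reconnection: Enabled',                $ts,       'fDisableAutoReconnect',  0),
  @('Allow audio redirection: Enabled',               $ts,       'fDisableCam',            0)
)

function Get-PolicyValue([string]$key, [string]$name) {
  # Try HKCU first (User Configuration), then its HKLM twin (Computer Configuration);
  # $null means neither holds the value, i.e. the policy is Not Configured
  foreach ($k in @($key, ($key -replace '^HKCU:', 'HKLM:'))) {
    $item = Get-ItemProperty -Path $k -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$name }
  }
  return $null
}

foreach ($c in $checks) {
  $label, $key, $name, $expected = $c
  $actual = Get-PolicyValue $key $name
  if ($actual -eq $null)         { $state = 'NOT SET' }
  elseif ($actual -eq $expected) { $state = 'OK' }
  else                           { $state = "WRONG($actual)" }
  '{0,-10} {1}' -f $state, $label
}

$wallpaper = Get-PolicyValue $system 'Wallpaper'   # string value, so reported by path
if ($wallpaper) { 'OK         Active Desktop Wallpaper = {0} ({1})' -f $wallpaper, (Get-PolicyValue $system 'WallpaperStyle') }
else            { 'NOT SET    Active Desktop Wallpaper' }
```

A WRONG line means a value is present but not what the page's setting produces, usually because a conflicting GPO or a manual registry edit wins over it.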