Best Practice Ezine #72 Terminal Services – Industrial Espionage

Best Practice Ezine.  Computer Performance. Advertise

Terminal Services for Windows 2003

Last week I introduced concepts for Terminal Services and its thin clients.  Last week I introduced concepts for Terminal Services and its thin clients. This week my challenge is to surprise administrators that are more experienced, by showing them at least one new feature for Terminal Services.  I also have a tale of industrial espionage from Barking Eddie.

A World Within a World

In ezine 71, I spoke of Terminal Service clients each having a compartment on the server.  In this issue, I would like to introduce the idea of Terminal Service occupying a separate world within its Windows Server 2003.  I assume that you have already installed Terminal Services via the Add or Remove Programs interface. Let me elaborate on what to look out for next.

  1. Terminal Services has its own snap-in Administrative tools.  In fact, there are three snap-ins, one each for Configuration, Manager, and Licensing.  The Configuration snap-in has the richest selection of settings.  It’s well worth investigating the eight tabs under the RDP-Tcp connection.  In addition don’t neglect the Server Settings, my favourite setting is: Restrict each user to one session.
  2. As ever, Microsoft provides two ways of doing configuring.  In the case of configuration most of the RDP-Tcp menus have equivalent Group Policy settings.  There is one set policies for the User and another set for the Machine. 
    Tip: configure the Computer side of Terminal Services Group Policies in preference to the User settings. 
    One policy you definitely need is to prevent ordinary users from seeing a Shut Down button.  You don’t want some Psycho user downing the server when they think they are shutting down their client machine.
  3. When you configure accounts in Active Directory Users and Computers look out for a separate Terminal Server tab.  Did you realize that there was a separate users Profile box for Terminal Services?
  4. Did you know that Terminal Services supported a web based Remote Desktop Client, rather like Outlook Web Access (OWA)?  If not then you are in for a pleasant surprise when you type http:// yourTS/tsweb/ in your browser.  (Where yourTS is the name of your Terminal Server.)  All that is required is for you to agree to an install of an ActiveX control on the client machine.

See Windows Server 2012 Remote Desktop

Guy Recommends: Tools4ever’s UMRAUMRA The User Management Resource Administrator

Tired of writing scripts? The User Management Resource Administrator solution by Tools4ever offers an alternative to time-consuming manual processes.

It features 100% auto provisioning, Helpdesk Delegation, Connectors to more than 130 systems/applications, Workflow Management, Self Service and many other benefits. Click on the link for more information onUMRA.

Barking Eddie – Industrial Espionage Exploiting Terminal Server

Here is abridged version of an industrial espionage story as told by my old friend Barking Eddie (Barking because Eddie comes from Barking Essex).  Techie1 left pharmaceutical company A and joined rival company B.  Eddie said that Techie1 then used his old account to make a Terminal Server connection and so steal company A’s product secrets remotely.  TechieNew with Eddie’s help, used his Terminal Server skills to investigate this outrageous security breach.

What Eddie found was that several Terminal Server connections had been cut off abruptly, rather than logged off gracefully.  What you see sometimes in Terminal Server Manger is disconnected sessions, where people just close the Remote Desktop session rather than click the Log off button.  Eddie calls them ‘trapped users’, anyway the Client Name for these ‘trapped’ or disconnected sessions alerted TechieNew that someone was dialling-in from a rogue machine.  Incidentally, you can control disconnected users via group policies, but in this case, it was just as well they had not configured Group Policies in company A.

Barking Eddie is inclined to exaggerate, nevertheless I suspect that there is a grain of truth in account of what they did next.  Eddie told me once they realized they were being hacked, company A deliberately left documents with false information on their server.  The way Eddie told me, company A wrote reports indicating they had invented a new ingredient for their pharmaceutical product.  In fact, the ‘secret’ ingredient was nothing more than an emetic mixed with a laxative.

According to Eddie, company B then ‘stole’ this emetic / laxative ingredient via the Terminal Service connection and incorporated it into their product.  Soon company B’s customers complained and the subsequent outcry is rumoured to have put company B out of business.  This part is almost certainly an exaggeration, but it does make a good urban myth.

Guy Recommends: The Free IP Address Tracker (IPAT) IP Tracker

Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets.  IPAT cracks this problem of allocating IP addresses in networks in two ways:

For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. 

For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker


I keep trying to avoid talking about Licensing, but people keep asking questions. 

I once tried to get around the License problem by reinstalling the Terminal Server service after about 80 days, I was hoping to get reset the timer and get another 90 / 120 days of temporary licensing.  Wrong, this sneaky move did not work, it seems the temporary licenses are held on the client so reinstalling did not make any difference.  Moreover, I noticed that temporary licenses cause a lot of network traffic.  Every 5 minutes the clients keep sending a packet saying ‘got any real licenses yet’.

Licensing of XP clients.  Windows 2000 does not require a CAL for XP whereas Windows Server 2003 does require a CAL even for an XP client.  This is a real shock for those with XP laptops who wish to use Terminal Server sessions when they connect to their various corporate networks.

To give you a clue of how complex Licensing, is Microsoft keep offering me a free place on a two-day course just to explain the ins and outs of Licensing.  Not my cup of tea, but if you want to know more, watch out for such a course.

Free Jokes – Will and Guy’s Humour

Each week Will and I add more jokes.  Naturally the Christmas section is popular just now.  If you want a zany idea for an office quiz with a difference – check out Barking Eddie’s quiz.  Also free downloads at Xmas Card Downloads.

See interesting cloud and virtualization articles

E 192 Google OS   • E 191 Cloud  • E 155 Cloud  •E 142 Virtualization  •Permissions Monitor

E 110 Emulation  •E 71 Terminal Services  •E 72 Terminal Services  •E 73 Google  • Ezines

E 61 Virtual PC  • Solarwinds Virtualization Manager  • Windows 8  • Windows Server 8