In-Depth

Above the Rest: Windows 2008's Terminal Services Client

One shining gem you can't ignore in the new Windows Server 2008 OS -- one which might compel you to upgrade -- is the implementation of Terminal Services.

• By Greg Shields
• 12/14/2007

But before we start talking about what's new and exciting in the server-side of Terminal Services, we need to spend a little talk talking about its client and the new functionality already available within. The new Remote Desktop Client version 6.0 actually isn't all that new, having been released with Windows Vista. But, there are a few features of RDC 6.0 you may not be aware of.

New Client = New Features
Other than the obvious facelift to its graphical interface, RDC has gotten quite a bit more useful. In the previous version, the ActiveX and full-client instances were two separate tools with two separate installations. Now with RDC 6.0, these two functionalities have been merged. Integrating the web-based client version with the full client version means administrators no longer need to consider separate installation and management of two different tools. The integration of these two tool sets means that.RDP files on file shares as well as web-based hosting of published desktops and applications are now supported from the same client installation.

RDC also sports a host of new improvements in the types of devices it can bring from the remote server to the local client. Some of those improvements include:

• Maximum screen resolution increase to 4096x2048
• Maximum color depth increase to 32-bit color
• Support for ClearType fonts (called "font smoothing")
• Support for connected USB and other peripheral devices
• Support for Single Sign-On
• Support for spanning multiple horizontally-connected monitors using the "/span" switch
• Enhanced security using Network Location Awareness (we'll discuss this further in the next post)
• Ability to use client-side themes in remoted sessions
• SSL-based security using TS Gateway (we'll also talk about this in a later post)

Each of these new visual and security-based improvements makes RDC 6.0 a compelling upgrade, even before Server 2008 makes its debut.

Reversing Bad Security
From a security perspective, the original RDC's design was actually backwards from what is considered good security.

Think about how you connect to a pre-W2008 Terminal Server. You enter the name of the server and a connection is initiated to its logon screen. Then, once you hit that logon screen you begin the process to authenticate. From a security perspective, this isn't a good idea. By doing it in this manner, you're actually accessing a server prior to authenticating to it. This is the reverse of how nearly all other network services provide authentication security.

NLA, or Network Level Authentication with RDC 6.0, reverses the order in which a client attempts to connect. If you've used the new client, you've probably noticed how it asks for your username and password before it takes you to the logon screen. If you're attempting to connect to a pre-W2008 server, a failure in that initial logon will fail back to the old login process. But where this new feature shines is when connecting to Windows Vista and W2008 servers with NLA configured. Here, that failback authentication can be prevented from ever occurring. This prevents the bad guys from gaining console access to your server without a successful authentication.

You can set up Network Level Authentication in Vista and W2008 by right clicking on Computer and choosing Properties, then selecting Remote Settings. Under Remote Desktop, ensure Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).

Accessing the Console
Every previous version of Terminal Server -- and indeed every previous version of Windows -- reserved "Session ID 0" as the connection used when the user is directly on the console of the machine. Reserving this session in this way was easy for software installations that pushed error messages to the console session. But it also added the potential for misuse as a vector for exploit. In W2008, "Session ID 0" is no longer a session that can be used by normal users. Instead, it is the session where system services reside. By limiting session connections in this way, the security profile of the Terminal Server is enhanced.

What is different, though, about making this change is that what administrators used to think of as the "console session" can now be tied to any session ID number. The command

mstsc.exe {servername} /console

can be used to connect the user to session ID 0 for those older O/S versions. Using the same switch with Vista and W2008, RDC 6.0 will now automatically connect to the correct console session.

Where this comes in particularly handy is when servers run out of licenses. Using RDC to connect to the console session doesn't consume a TS CAL. So, in addition to being able to install software through terminal services directly on the console, you can also use this feature to remotely troubleshoot a Terminal Server that has stopped accepting new connections.

Because of how this change in connections to Session ID 0 has been done, there is one major difference between how W2003 and W2008 handle the acceptance of incoming connections: You get one fewer concurrent connection.

W2008 supports a total of two rather than three concurrent connections in Remote Administration mode. With W2003, a server would support two TermServ connections in addition to the console connection. With W2008, a server will only accept two concurrent connections, no matter if they're at the console or via TermServices.

This seems like bad news at first blush, but there's a bit of good news to go with it. With W2008 the third user who attempts to connect now gets an opportunity to kick off another user. Once the third user connects, they'll be asked if they want to disconnect one of the other users instead of our old error message, "The terminal server has exceeded the maximum number of allowed connections."

All of these features are currently supported with the new RDC, which comes native with Vista. But for those of us with XP SP2 clients on the network, a free download from Microsoft is available that will allow you can take advantage of these feature upgrades as well. Download the upgrade to RDC 6.0 here.

Next time: the server-side of Windows 2008 Terminal Services.

(This article is adapted from "Terminal Services in Windows Server 2008," by Greg Shields at the Realtime Windows Server Community. To read the original version of this piece, click here.)