THE OFFICIAL BLOG OF THE SBS "DIVA"

"Only this mode is available because Windows Small Business Server 2003 always runs on a domain controller, and if you run Terminal Server on a domain controller, you may risk the safety of the server and the safety of your organization's sensitive data."

The Terminal Server component is not available in the Windows Components Wizard in Windows Small Business Server 2003:   http://support.microsoft.com/default.aspx?scid=kb;en-us;828056&Product=sbserv2003

There are time I wonder if we truly do want security around here.  Oh sure we say we do, we argue that Microsoft needs to be more secure, but when it really comes down to it, do we?  I mean do we really?  Do we really and truly want to embrace security, evaluate the risks and be more secure?  SBS 2000 did a dumb stupid thing that never should have been done in the first place.  It allowed people to set it up with Terminal server in application mode on a domain controller.  When Microsoft made the Security push for SBS 2003 there were two things that the security folks at Microsoft just couldn't let it do anymore.  The first was modem sharing.  The second was TS in application mode.  So off they went.  Good riddance in my book.  The things that we thought were secure before are not secure now.

But it amazes me that I get emails from folks holding off on installing XP sp2 because they've heard it blocks attachments that 'normal' people want and it makes their email unusuable.  I get folks asking for pictures back in Outlook 2003.  I get folks asking to stop the annoying 'Outlook would like to access your address book, is this okay?“.  People say they want security...but do they?  I mean do we really and truly want it?

Take least privilege for example.  When working right you would have to give admin credentials to those times that you need something working in an admin like mode, downloading approved software for example.  But even in the latest SuSe desktop, there's a little box to 'remember the admin password' so the user isn't bothered anymore by the prompting.

And then there's the blog post on here that even to this day gets postings and followups.  The Terminal Server in application mode post.  The one where many consultants there say that they 'can' make TS secure and I'm there screeching like an emotional banshee saying “Are you insane?“

Now you could argue that the platform of SBS 2003 breaks the 'best practices' anyway so why should be we so concerned about TS anyway.  And I would say that I hope that someday natively in the program each compartment of SBS, each application would be 'sandboxed' so that they wouldn't affect the other parts.  Now I'm sure Dana would probably say that sticking applications as we do on the server [like Sharepoint and what not] opens us up for risk too.  I'll agree.  But all of you that are arguing so hard that you can do what it takes to secure a server even if it's TS in app mode have missed a few points.

Security

First and foremost, let's review what “I” had to do to my member server to set it up in TS mode. 

• I had to take off the Michael Howard “Secure by default” Enhanced IE lock down that blocks active X and what not.  Surfing at a server in this day and age of malware is totally insane.  Robert Hensing's even talked about domain controllers being nailed by trojans with the admin surfing at the server.  What's the way to clean up a trojan?  Flatten it. Yeah, like I really want to do that to my server.
• I had to turn on themes so the desktops would look like XP.  Okay minor thing, right?  But nonetheless it introduces another service that might introduce a vulnerability. [yeah like I also want to let people use a hacked UItheme on my DC]
• I'm allowing users to log into the domain controller and use it as if it were a workstation.  The last thing I want is end users downloading anything willy nilly on my domain controller. 
• Remember I live in SB1386/AB1950 country, better known as 'notification' territory out here, where if something happens to my server I'm licking stamps and sending out postcards saying “Hi there, we've had a slight problem here“.  If I have a “Hensincident” [aka Robert Hensing], you'd better have the electrical paddles out giving my heart an electronic shock because I'm having a heart attack for certain. 
• Do I think that allowing TS in application mode should be allowed on 'normal' Windows 2003 Server if it were a domain controller?  Heck no, and if I were in charge of the universe there would be a code block on that too.  Make a server a domain controller and TS in app mode should be code blocked out.  I think it's pretty obvious that when the choice comes between business and security ...guess which one is going to win.

Scalability

• We already have a lot of stuff going on that server box.  As you know I already had to throttle my SBSmonitoring instance and Exchange is already used to doing what it wants with memory and now you are going to hang how many folks off of that domain controller and have them use it?  The best desktop experience for that end user is on a member server doing those functions.  Read the scaling document on TS.  I don't really want to start yanking memory away from my DC functions.

Consultants out there?  Please listen to me.  You are guiding your customers here.  They depend and rely on your expertise and your guidance.  They trust you to recommend a solution that not only is secure but legal and supported.  Wanting to run Terminal server in application mode on a SBS box endangers your customer, your client.  It's not a good business reason to do this when you can add a second server/member server with only the cost of the Operating system [remember the cals for that box are covered by the SBS box].  Then for the TS Cals, which you will need anyway, any XP Pro you had in the office prior to 4/23/2003 have a redeemable TS cal.

Put users on a member server where they belong.  Scale this right and those owners and users will have a good computing experience.  If you need one or two remote sessions, buy a couple of desktops.  And hey, if you bought the SBS on Open licensing and/or SA, remember that even though I hate XP homes, you can buy XP homes, then get Open licenses for XP Pro and kick them up.

Scale it the right way.

Secure it the right way.

Your customers trust you.

Microsoft is stepping up to the plate.

Will you?