[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Terminal Server in Application mode - why can't SBS 2003 do it? - THE OFFICIAL BLOG OF THE SBS DIVA
Mon, May 31 2004 10:50 bradley

Terminal Server in Application mode - why can't SBS 2003 do it?

In the newsgroups today, a person updated his SBS 2000 and was prompted that the TS in application mode would be removed during the upgrade.  He went through the upgrade and then posted back in the newsgroups asking how to turn on Application mode again.......

Well... it can't be turned back on again..... and we should not have been allowed to do it in the first place. 

Let's determine why shall we?

Okay first and foremost, would you agree that allowing your employees to sit at your server and use it as a workstation is a good idea?  Probably not right?  Well that's what you are doing when you do TS in application mode.  You are allowing people to log onto that server, use possibly “leaky“ applications that may require you to reboot the server, and in general, expanding greatly the threat vectors on that server.

Take for example - Internet Explorer.  You have to remove the Enhanced IE security [go into add/remove programs to remove this on a normal server].  Michael Howard [MS Security dude] talks about the threat modeling that they did on Windows 2003 server.  Near the end of the project they did a “threat model“ brainstorm and asked themselves what was a potential issue....and the threat that came back was surfing on that domain controller.  So the Security folks pushed through that Enhanced IE [you know that box that prompts you the web site you are wanting to go to is not in a trusted zone?].  Andrew Duthie talks about the settings on his blog.

Right now my security issues are the spybots and gunk that are going after Internet Explorer.  Just last night in talking “geek“ with my friends from LA that were up for a visit, Pierre talked about having to track down a browser hijack program [He wanted  to do it manually, but he could have used the CWshredder tool].  Now ask yourself, do you want to do that on your one and only domain controller?  Think of what you do to clean up your separate desktops. 

So the next time someone says “But it's dumb, I want my TS in application mode back!“ remember that we can't do things the way we used to.  That was then, this is now. 

Now, there is one way that this can be better.  Documentation and information. 

In one of the listserves I'm on we were chatting about the lack of documentation on this issue [and I'd add the lack of documentation of WHY we shouldn't do it]  Now granted, we women would argue that guys don't read, but I do agree with my fellow listmates that the information about the lack of TS in application mode should be WAY more obvious.  The information of how it is no longer supported or included and why it's not safe and secure to have it there in the first place needs to be way way more obvious.  In fact it should be part of the sales and marketing stuff because to me, it shows better than anything else that Microsoft is indeed “walking the walk, talking the talk“.  We asked them to make the products more secure.  They responded.  This should be a selling point that they are making it more secure, not a “What happened to TS?“ question in the newsgroup.

Documents that discuss TS in application mode removed .....

This KB   and read Page 44 in this document

Filed under:

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, June 15, 2004 10:24 AM by bradley

In other words, they're "Making it more secure by removing the insecure applications instead of fixing the insecure applications"

Way to go Microsoft!

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, June 15, 2004 10:52 AM by bradley

Yeah...indeed way to go... because Terminal server is the equivalent of end users. Again, would you want end users sitting at your server using it for surfing and the gunk they do at their workstations? You cannot lock down a Terminal Server on a Domain Controller PERIOD.

Wake up people. We CANNOT do thing as we once did. It CANNOT be made secure.

# from SBS2003 FAQ

Thursday, June 17, 2004 11:29 PM by bradley

No. It is not possible to run Terminal Services in Application Server mode on
Windows Small Business Server 2003. This is a change from Small Business Server
2000. Running Terminal Services in Application Server mode on a domain controller
may present a security risk to your network. If you want to use Terminal Services
in Application Server mode, we recommend that you purchase an additional Windows
Server 2003 license and install an additional server running Windows Server into
the Windows Small Business Server 2003 domain. For more information, see "Deploying
Windows Server 2003 Terminal Server to Host User Desktops in a Windows Small
Business Server 2003 Environment" on the Product Documentation page
</windowsserver2003/sbs/techinfo/productdoc/alpha.mspx>.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, June 18, 2004 9:22 AM by bradley

I think it's great Microsoft is trying to deliver more secure products. I also think they are obviously expoiting the opportunity to require more spending on the part of the buyers! Sure the SBS 2003 Standard product is about $600 less than the SBS 2000, but you have to spend than amount again plus the cost of another computer to support a few lousy term server connections. The part I like best is, they left the term services licensing component on SBS 2003, so you can pay for and install unusable licenses.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, June 18, 2004 2:42 PM by bradley

That's for it to handle the licenses of the member server. Read the docs. Bottom line it's not secure dude. Never was, never will be. We asked them to be more secure. They delivered. And you are mad that they listened?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, June 23, 2004 6:51 AM by bradley

So, what if we actually *NEED* a terminal server? And PAID for licenses that it INSTALLED already and won't let us use?

Good thing we got the SBS for nearly nothing so we can shred the CD and toss it.

As for the 'It's not secure dude. Never was, Never will be.' I quote Chandler Bing: "ya THINK?!"

SBS was always a waste of money.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, June 23, 2004 8:22 AM by bradley

Well uninstall them and stick them on the separate TS box. If you think SBS is a waste of money you are a bit in the minority. There are many folks that are indeed seeing the cup 1/2 full and not the cup 1/2 empty.

TS should not even be allowed on "normal" Windows 2003 Server on a domain controller.

SBS is a frame of mind and a state of being. You either have it or you don't.
:-)

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, June 23, 2004 12:56 PM by bradley

OK, my frame of mind was very positive toward SBS until the removal of half the functionality. Every customer of mine that has small business server uses the terminal server feature on a daily basis, and it saves them thousands of dollars that would have to be spent on upgrading obsolete PC's. The term server allows them to keep their old PC's and work. What if a small business that has all thin clients wants to upgrade to SBS 2003 from 2000? Anyone have a calculator with enough digits to figure the cost of licensing???

Furthurmore, if you want to make a case for security and design issues, the Windows 2000 operations guide recommends having the domain controller, exchange server and term server on separate boxes, but that works just fine (and isn't necessary anyway). For the small amount of users SBS is designed to support there's not a reason in the world to disable the term server, except to help Microsoft's profit margins. After all, IT spending has been on the decline for years now, has it not?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, June 23, 2004 1:12 PM by bradley

One final thought about security: none of the security-related calls I have fielded from customers have been caused by terminal services. In fact, they have all been due to people running ISA server without an external hardware firewall. ISA is supposed to BE the firewall, but it is garbage and basically paves the way for getting your server cracked and blacklisted.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, June 23, 2004 1:27 PM by bradley

I've never seen a box running ISA that is fully patched get nailed. Typically the security issues are because they are not up to date on patches.

Sorry but I still disagree. TS on a DC is like having someone use the domain controller as a workstation. If that's how you want to run a network, that's your choice.

The reality is it was insane before.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, July 07, 2004 7:19 AM by bradley

If anyone is using microsoft products they are not concerned about security anyway. The customers i have that use SBS are between 10-30 employees, one of which is a factory that uses several thin clients in the plant for their applications to do work orders, shipping and that stuff. Its hat and dirty and pc's just will not last very long so they use max terms. We wrer planning to upgrade to SBS 2003 but without term support in app mode it's not gonna work. Anyway you can put the term user acounts in an ou and lock it down if you know what your doing.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, July 07, 2004 9:00 AM by bradley

Allen... there isn't a OS in the world that doesn't need patches and maintenance. Wake up and smell the vulnerability notifications, dude. Read the Security Res kit... would you want to have an employee sitting at that domain controller and surfing? Not to mention...you have to remove the Enhanced IE lockdown.

Sorry folks, you guys just don't get it. We can't do business as usual around here folks. Get over it.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, July 07, 2004 6:41 PM by bradley

great :-(

i have a client (behind a customised Linux firewall with content filtering), they have 5 users, small budget, old workstations and have bought a small HP Proliant SBS 2003 server and 5 Terminal Services Licenses and 5 office licenses, all they want to do is use a few small accounting apps and office 2003. The HP has redundant drives and they have a daily tape backup routine so I am not particular concerned about the staff using the SBS server as a TS. Now I have installed the licenses and activated the licensing server but cannot change Terminal Services Configuration to application mode (as per the microsoft documents listed in earlier posts). However, why does it let me install Terminal Services Licenses and have a Terminal Services Licensing server if I cant acctually use the server as a Terminal Server? Is there a workaround for this as the reasons listed for not running TS on SBS2003 are not applicable here, running Terminal Services on their SBS box is. If anyone can help please reply or e-mail me at josh@xanteq.com

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, July 09, 2004 7:01 PM by bradley


Let's see.... Where to start and with whom... Susan you win that prize. First let me asked you a? Do you understand that computers are nothing more then 1 and 0? In simpler terms (on, off switches). The reason I ask this is because with everybody crying about Microsoft security and with them listening. It is just going to make them build more [on, off switches] you know the ones we all hate called wizards! Thus having them take away more of the control from us ( You know something like big brother ) Hell maybe they should just have us as network administrators fill out a questionnaire in the beginning of the server setup and not give us the right to change anything after that. This way any dumb ass can do one.

Now with that said. Let me doing a little backing on my part. I am a network admin of 170 SBS 2000 Domains all over the U.S and what I have read about why Microsoft has taken away Application mode on SBS 2003 is just plane (BS!)
Now I know you are sitting there asking your self what gives me the right to say this. Well let me tell you what gives me the right.

1. All of my SBS 2000 servers are in TS application mode.
2. None have ever been restarted or shut off by the end user.
3. None have ever had pop up's
4 None have ever had a virus.
5. None have ever been broken into.
6. None have ever had a single setting changed by the end user.

Do you know why? IT'S CALL NETWORK ADMINISTRATION! You know the thing we get paid for. Let's stop asking somebody else to do are job, and do it are selves before it is so easy we are not needed! Oh, one more thing I loved this line you said (Bottom line it's not secure dude) Well dude it's not secured because you (the network admin) has not made it secured!

Mad consultant, I agree with everything you say except the ISA part. My servers all also use it as there main firewall. And again none have ever been broken into. I feel the software is only as good as the one who administrating it. I have seen many hardware firewalls setup wrong.





# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, July 09, 2004 7:19 PM by bradley

Pat it's not business as usual anymore. Look at what's going on the Internet right now.. SMTP auth attacks, unpatched IIS5 machines used to infect desktops. Guys... wake up and see the writing on the wall. Once upon a time we had an average of 300 days between patch release and exploit in the wild. Now it's less than a month.

There's no use arguing over this. There not putting it back because it flat out doesn't meet the Security threshold. End of story. They aren't putting it back.

You cannot do the steps that you are supposed to do to lock down TS on a SBS2003 box. Flat out cannot be done. Period.

You guys are not understanding the facts we can't do business as usual. Look at what is being done in XP sp2. The changes that are being made because we cannot run our machine "the way we are used to doing them"

The world demanded that Microsoft step up to the plate and be more secure. They delivered.

End of story.

SBS2003/VMware or Virtual Server running a virtual Win2k3 TS that can be made secure. That's "Network Administation" in this day and age.

Proactive and not reactive.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, July 30, 2004 12:30 AM by bradley

proactive is not putting an SBS server live to the web full stop, code red and code blue showed the validity of seperate external firewalling.


....Pat I'd be touching wood while posting that.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, July 30, 2004 8:58 AM by bradley

Proactive is patching. Code Red and Nimda proved the value of patching. If we would have patched in time, we would have been just fine.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, July 30, 2004 6:53 PM by bradley

our clients were all behind nix firewalls, didnt get touched by them :-)

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Monday, August 02, 2004 12:23 AM by bradley

If you had port 80 closed, nix firewalls or windows based firewalls, you wouldn't have been touched with code red/nimda period. If however PORT 80 WAS OPEN.. let me repeat that because it does not matter what firewall you are operating... if the port is open and listening and unpatched ... whether you had a Firewall built on ANY OS it would have gotten nailed with Code Red/Nimda.

Don't depend on "a firewall". You have to know what openings you have in the wall to protect your system.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Monday, August 23, 2004 1:36 PM by bradley

My Thoughts...

I was going to purchase SBS 2003 for a client, but due to the removal of TS Application mode I won't.

They were going to be using it as the main (only) server, the included 5 CAL's is enough, they have three employees in total ! It was going to replace Windows 2000 Server but using the same hardware.

They currently use TS on the 2000 Server and it IS secure as it's used by one user to access an accounting application from home in the evenings over an 3DES IPSec VPN. That user cannot surf the net through the Terminal Session, and to be honest would not want to when already connected to the net via broadband from home.

No way will they want to lay out for another server just so one user can use the application from home, in the evening, when no-one else is using the server. And who can blame them, they are a SMALL business, isn't this who SBS is supposed to be aimed at ?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, September 01, 2004 9:00 AM by bradley

I agree surfing your dc as a wkstn is a bad idea however for the smaller businesses SBS is a very attractive option.Using Terminal services on your DC isnt supported by microsoft for SBS and they also recomend that you have a seperate licensing server. I personally thank that you can secure the DC a little better for the SBS users over TS by the way of group policy's, I myself have done this to great success. The only thing that still stands is the simple fact of Flakey programs constantly crashing! Rebooting a server is a pain in the arse and annoys the best of people but I think you have to make a decision over cost vs the impact on the business! for a 10 User SBS setup I see no major problems as rebooting the server wont have too much of an impact.

But lets face it MS is crap! its very easy to use but very easily goes wrong! and is also very costly!

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, September 01, 2004 9:18 AM by bradley

MS is crap? Very easily goes wrong? We are talking about Windows 2003 and XP right? I have more hardware issues than I do software. And you youself have pointed out it's the stupid APPLICATIONS that are the issues here.

Very costly? Have you tried firmwide patching of LInux with a free patching tool? Guess what there is no SUS for Linux.

http://www.forbes.com/2004/08/31/cz_dl_0831msft.html

“For years customers griped that Microsoft was gouging them. Now, thanks to IBM, Novell, and Red Hat, customers are learning what it is that Microsoft charges them for--upgrades, patches, research and development, indemnification, integration of disparate programs. Some, like the folks in Newham, are discovering that Microsoft isn't ripping them off at all.”

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, September 05, 2004 4:23 PM by bradley

Hi all - just a comment from the user side. My brother was sold SBS 2003 as part of a package to run 5 TS sessions servicing an MYOB enterprise package. Noone from MYOB to the vendor who sold him SBS2k3 licenses mentioned that you needed a second SBS license to run TS. After many attempts to make things work we discovered SBS2k3 was limited to 2 "remote administration" sessions. So 5 TS CALs were purchased and installed on the server - still no joy!

I'd just like to thank you for your discussion here - without which we would never have discovered where things were going wrong. Microsoft haven't made it clear anywhere I looked that you can't do it without a second SBS2k3 server, and the vendor who cheerfully sold him the initial licence then the additional TS CALs didn't seem to know either - MYOB certainly didnt mention it when they were pushing their product. SBS 2k3 even misleads you by saying that all you have to do to activate app mode is go to windows setup - doesn't say you cant do it on a DC. Neither was there any indication that additional seperate licenses were needed for TS when he purchased 2k3.

Can a SBS2k3 server be set up as a stand alone server and then have TS run on it without setting up another server? Or is membership in a domain a necessity for 2k3 server and/or TS for authentication?

Thanks for any info.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, September 05, 2004 4:30 PM by bradley

Ping me at sbradcpa-at-pacbell.net with the vendor name and contact info. We need to get this to the source of the mis-information out there.

No SBS cannot be set up as a standalone. It can't be set up at any time with TS in application mode.

When you say that "SBS misleads you" are you talking about the help menu inside?

SBS has to be a domain controller. SBS cannot do TS in application mode. Your vendor was totally wrong.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, September 05, 2004 8:16 PM by bradley

One more thing to think about --- If the server is "beefy" enough you can always consider Virtual server to run that "normal" Windows 2003 server.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 9:01 PM by bradley

The comments about it just being the way of the new world and live with it for better security is BS.

I can and have absolutely protected a domain controller in application mode on a full 2003 server from user misadventure. The oldest has been in for 12 months and has never caused greif.

Shock horror!!! Why would I enable application mode on a DC? Simple. Small environments and I couldn't do it with SBS. There could be no justification possible for having two MS servers in these particular environments.

Stop being slack ass lazy admins and do your job.

Its a MS money grab. They won't disable application mode on DC in full 2003 server because they know it will cost them money and bring too much bad will.

If MS were serious about security they would make some attempt at changing the culture of every user having admin rights by default.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 9:06 PM by bradley

Yo NDM ..they ARE dear. But right now it's stupid vendors that are holding us all back. Limited user rights is build into the foundation of Longhorn dear.

And go grab the Security Res kit and read that will ya, you may think you have it "locked down' but you are sorely mistaken my friend.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 9:48 PM by bradley

I would rather them let me dicide. I am big enough to weigh it all up I can secure it enough in these small environments that it does not cause me any grief.

I accept the points about things like coolweb search. The thing is, what I have set up is not intended for the terminal sessions to be a workstation replacement. Users can do stuff all. Access to IE is locked out. No access to my computer. No access to windows explorer. No right click context menus. No access to pretty much anything except two applications.

For those that want workstation replacement functionality in their terminals, I agree, it's nuts to have application mode on the DC.

As for Longhorn, its not here yet. MS have stuck to the culture of everyone being a super user for 20 years. They were a bit slow seeing the writing on the wall.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 9:50 PM by bradley

In defense of MS, I know it is a big ship to turn in relation to vendor and end user acceptance of not being "administrator" all the time, esp when it comes to the home and small business environment.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 9:59 PM by bradley

You still aren't seeing the big picture here.. it's still as if those end users are sitting at that server. TSGrinder and all that.... it's the domain controller for heavens sake. I would love to hire a pen tester to prove to you that you are risking way too much in this.

Ndm... wanna know something? I'M taking MY network users to user mode by Christmas. You think it takes time to move small business? Heck have you checked out how many large businesses are still running in local admin? It's RARE that I find a business running in user mode. I'm using incntl5/filemon/regmon and I'm whacking the registries.

Sorry but it's the users and applications we have to convince...not Microsoft. They are moving. It's US that are the ones resisting change!

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 10:23 PM by bradley

My big picture is that I am would be happy for any of my users to sit down at the domain controller in these particular environments with the accounts they have for ts use. I do understand that this is effectively what I have done and I'm fine with it. Security is far better than when I walked in guaranteed.



Security is always weighing up acceptable risk. The risk is never zero. For what I have done the risk is absolutely acceptable.

I can get full admin access to any machine if I can get physical access. Physical access isn't that hard in most places if you were that way inclined.

Have a think about the small business environment. The servers have a lock on the front. I know that I can pick it with a paper clip withing a minute or so. Do I ask them to put it in a seperate monitored room, oh and the cleaners aren't allowed in there. It's a small business. How paranoid do you want me to be and how much money would you like them to spend?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 10:30 PM by bradley

Well given that I do put it in a room that is locked with a door at night so the cleaning crew can't get in there... yeah even us little firms need can be paranoid and still cheap.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 10:37 PM by bradley

So it all comes down to 19th century technology protecting 21st century tech. How good is the lock? Is the room alarmed? How good is the alarm? Is there video survelance? Does anyone review the survelance? Who has keys for the lock? Have any of the keys ever been in a position to allow duplication?

If you really want to be sure, then it costs time and money. I am happy with the security choices I have made. I would prefer that MS would allow me to make the choice. If they are serious about their position on it then they should do the same for all 2003 DCs, not just SBS.



# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 10:50 PM by bradley

Sorry but I'm so going to disagree with you and I"m not even agreeing to disagree here.

There are those who think that we shouldn't even ship with ISA in our bundle.

The "choice" to run TS in app mode on SBS was dumb. If we'd still have it, the public out there would be pointing to SBS as sign that Microsoft wasn't taking Security seriously in the small business marketplace. We'd be pointed to once again as being the "insecure" box for small business.


The entire building has an alarm, each workstation has a lock and I still worry about two California Securty laws on the books - SB1386 and AB1950 in my firm. I protect and defend client's social security numbers on my network.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, November 21, 2004 11:29 PM by bradley

P.S. if you think Microsoft isn't "getting" local admin - check out this post by Michael Howard - http://blogs.msdn.com/michael_howard/archive/2004/11/18/266033.aspx

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, November 23, 2004 2:55 PM by bradley

:-) So the public can now point out that 2003 server is a sign that MS wasn't taking security seriously in allowing app mode on a DC.

I know, I'm being difficult. SBS is more likely to be in the hands of noobs who make very inappropriate choices. The way it is marketed, business owners buy it to diy. All of the wizzards make them feel comfy. Hell, I've seen a suposed MS certified professional leave a site with all users terminal sessions with full domain admin privliges and absolutely no restrictions.

Still I would rather a TS install wizzard that pops up a big orange warning when selecting app mode and let me decide.


# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, November 23, 2004 3:07 PM by bradley

In a way I would agree with you. It should be banned from all domain controllers. It could be argued that they weren't taking it seriously.

Taking my SBS box up to full fighting power this week with all patches and tweaks was not for the weak hearted. I wouldn't want a DIYer to then attempt to run TS in app mode.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, November 26, 2004 4:46 AM by bradley

It just sucks....shurly there must be away around it? Reading the above it seems that 99% people realise after the product is purchased so I kind of guess it is not that clear! I even talked to tech at a large distributer before I brought....not a word!!
The fact that I lets you install the licensing comp as well! and helpfully pionts you to add/remove...

hell give me the warring ill take that but let me install the app!!I decide thanks...if im stupid only one person suffers!

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, November 26, 2004 8:17 AM by bradley

I'm truly sorry to be rude and mean but what part of "this is insecure and dumb" do you guys out here not get?

You really want SBS 2k3 to be the platform that was "built for insecurity"?

------------------------------
Here is the listing of recommended steps to lock down a TS box
1. Apply the Notssid.inf security template to TS running permissions
compatible with TS users.
2. Use the AppSec tool to limit which applications can be executed.
3. Do not enable remote control.
4. Do not enable application server mode on a domain controllers.
To connect to a terminal server from the network, users must have the
Log On Locally user right assigned. If you implement application server
mode on a domain controller, nonadministrators must be assigned the Log
On Locally user right at the domain controller. Because this user right
is typically assigned in Group Policy, it enables users to log on at the
console of any domain controller in the domain, greatly reducing security.
5. Implement the strongest available form of encryption between the TS
client and server
6. Choose the correct mode for your TS deployment [if you only need
remote administration, the only deploy that]
7. Install the latest service pack and security updates.

Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in
violation of #4.

Page 393-394 Security Resource Kit.

Read this doc and see how much is done to lock down a TS server..... we
can't do this stuff in SBS land.
http://www.nsa.gov/snac/win2k/guides/w2k-19.pdf

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, November 30, 2004 1:21 PM by bradley

We have numerous thin clients for our users, and we are in the process of testing with 2003 server on our servers as TS. Are you guys saying this won't work?? This has been working for little bit now and we are about to move all our TS to 2003 server, but from what I read from your conversations, I should hold off and stick with 2000 TS. We currenly have 8 TS running right now, in application mode.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, November 30, 2004 5:49 PM by bradley

SBS 2003 cannot, will not do Terminal server in application mode.

Adding a member server to do TS in app mode will work.

# Oh Canada -- way to go guys!

Thursday, December 02, 2004 12:56 PM by TrackBack

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Monday, December 27, 2004 7:39 PM by bradley

Well, if you don't consider the "what if" scenario I would agree with this posting that running Terminal Services on SBS is a bad idea.

But...you shouldn't be allowed to? Did you ween your network skills on Microsoft's bad assumptions? After 15 years in this business, I am still astounded at the bad assumptions M$ makes in an attempt to "make it easier"!

Consider this real-world scenario. A small business (less that 5 employees) wants their users to be able to have an affordable remote access solution. One of the owners keeps the books, and would like to run Quickbooks from home and be able to easily print checks, etc. on her home system. They do not want to maintain their own e-mail server, nor do they care about a lot of the domain stuff (like centralized policy management) a full blown windows network gets you. Oh, an by the way, they are running XP Home on their 2 main systems...and M$ in their infinite wisdom decided that XP Home can't connect to a domain anyway!

Remote access...let's face it, Citrix or Terminal Services is about the best game out there when you want to give 2 - 3 users remote access ability with printing. Win SBS Server is about $200 less than Win Standard Server. No brainer -- buy SBS Server, don't bother loading up half the stuff...presto -- a very cost effective Terminal Server for remote users to run applications on! But NO -- M$ made the stupid assumption that you are going along with. Namely, everybody is going to deploy SBS in the way M$ envisioned -- as a fully functional server for controlling the domain, providing file and print services, and running e-mail. Of course you should not be running Terminal Services on a server deployed like this, so OF COURSE (stupid M$ assumption) there should never be any reason for somebody to deploy Terminal Services on SBS.

Come on Microsoft -- let the real Systems Administrators and Systems Engineers decide what should and should not be done. Write the white papers on it. Sell the education. Promote the certifications. But don't disable a useful feature just because it is used incorrectly by some people and not needed 95% of the time. The 5% does count.

I grew up in the real server world (mainframe, VAX, UNIX), then came kicking and screaming into Microsoft's lousy idea of what a server should be. They have come a long way the past 10 years, but with Server 2003 they are taking some big backward steps in the name of making things "easier" and "more secure".

Don't buy into their bad assumptions. Always remember that there are very few absolutes (like "don't run Terminal Services on a SBS server"). Each business has unique needs, and the needs of the business should dictate what technology is used and how that technology is deployed.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Monday, December 27, 2004 7:45 PM by bradley

Ever heard of Virtual server or VMware that would "sandbox that TS"?

Look around at internet browsing. You really and truly want your domain controller to have the enhanced IE uninstalled?

We "might" have been able to get away with this in the SBS 2000 days.... we SOooooooo cannot do this today folks.

You are kidding yourselves if you think otherwise.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, January 25, 2005 9:11 AM by bradley

my stomach is turning around when reading this discussion, especially your statements, susan...it's like in many many discussions i heard about many many other issues....
just mention you want to buy a car to drive fast with it on your private property, the manufacturer disables the 3rd and 4th gear, beacause he wants to be seen as a secure manufacturer, nobody should ever BE ABLE to come to death through a car accident - but so he is PROHIBITING you to do what YOU DECIDE to BE ABLE TO ! thats nearly against human rights principles :-)
some people do have accidents because they didnt learn to drive, or they make a mistake, but NOBODY should tell ANYONE when he is ALLOWED to BREATH !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, January 25, 2005 9:50 AM by bradley

I just built a TS box recently and there is no friggin' way I'm allowing or thinking or considering that TS in app mode on a domain controller is "your right to be stupid"

If you think you can make is secure.. go stand in the middle of a freeway and see how secure you are there without a car to protect you.

That's the equivalent.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, January 25, 2005 10:07 AM by bradley

the REAL equivalent is:
there's no question about my right to be stupid, there is only the question for MY right to be responsible for securing me ON MY OWN.
when i do everything right, it's not stupid, but it is not the right of MS to ALLOW or PROHIBIT the POSSIBILITY of being stupid - if i am stupid i also can set the SBS up to be an open and unsecured door, nobody can change that...
i would stand in a middle of the freeway without a protecting car if i would use win95 today :-) because you cannot drive it safely any more, but in this case the SBS is my car, and i have to drive it secure to be protected, BUT: again: I DRIVE the car !!

another funny inconsistence of MS arguments:
the first recommendation in windows server 2000 (there it was a REAL recommendation ONLY) was not to run TS on a DC because of performance issues - ever heard of performance issues when running VMware, susan ??

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, January 25, 2005 7:13 PM by bradley

Can't believe all the bickering back and forth.
The facts are:
1) It's a money grab
2) It's a money grab
3) It's a money grab
save your typing fingers and get on ...
we just got SCREWED by the SBS2003 TS Application Mode problem that is
not printed anywhere and also have citrix metaframe (5 licenses) sitting in the box, useless....I'm so fed up with MicroSoft !@#$$%^
can't believe how much $$$ they just cost us, cause we couldn't do
a simple internet demo in time !!! All we need was stand alone server (forget all the crap about security and domain blah, blah, blah) I've never heard(seen) so much crap posted in one place. Shame on most of you that simply just don't get it !!! I repeat $$$$

I will pay good money just to get even with MS on this one !!!!!

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, January 26, 2005 2:46 PM by bradley

Buyer is not allowed to runs TS in application mode on SBS 2003

why is he/she allow to do this when buying

MS 2003 sever
exchange server
SQL server
ect.

and install this on one PC as a DC just like SBS but more expensive?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, January 26, 2005 2:56 PM by bradley

and I would argue that anyone who thinks TS on ANY DC can be secure is 'smokin something'.

It should be blocked from that setup as well.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, January 28, 2005 5:28 AM by bradley

@susan: AGAIN, you're missing the point !
this thread has not been created to read your repeating "anone who thinks..." and "cannot be secure"....
this thread asks: "WHY CAN'T SBS 2003 DO IT" !!!!????
good admins know how to make a user profile and a server secure, but here we discuss why we CANNOT do that, because of another man's decision !!
bye forever !

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, February 01, 2005 4:16 PM by bradley

on a side issue, does anyone know if MYOB Premier Enterprise will run, in TS, on SBS 2k or Windows Server 2k? according to MYOB it's only been tested on Windows Server 2k3, so the safe bet would to get this, but we all have XP PC's in the office and, unlike 2k3, I don't need to buy TS CAL's for these in Windows2k and SBS2k.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, February 05, 2005 6:57 AM by bradley

Hi All

I couldnt agree with Susan more.

I have never approved of the practice of installing/activating TS (App Mode) on a Domain Controller or running server apps such as Exchange or SQL. Performance issues notwithstanding, it is absolute madness letting users loose on a TS server without it being locked down. And the simple fact is that you can NOT lock down SBS the way it should be to support TS use.

I have just witnessed first-hand the havoc resultant of TS in Application Mode on a SBS 2000 box. My company has just been contracted to undo the mess created by an integration firm with silly engineers that thought it is a sound solution to run TS on SBS 2000. (By the look of this thread there are enough dim-witted engineers out there who do believe it is a good solution!) I am not even going to bore you with all the issues - lets just say users had a field day.

While I appreciate that most small to medium sized organisations have budget constraints, I also truly believe that these organisations (not having their own IT resources in-house) have to rely on responsible advice from consultants and external engineers. I therefore find it quite astounding that a large number of people who have posted to this thread are so cavalier in their approach to a secure environment. If I was a client I would want to steer well clear of cowboys making statements such as "forget all the crap about security and domain blah, blah, blah" and "if i am stupid i also can set the SBS up to be an open and unsecured door, nobody can change that..." and stupid "car and highway" analogies. These kinds of attitudes can cost a business far more than the expense of another box running Windows Server 2003 and TS.

Everybody claiming that they have hundreds of sites running TS on SBS2000 without any issues - CONGRATULATIONS! However, most of us do not have the time to babysit servers and ward off bad things 24 hours a day! Some of us have to rely on good engineering and deployment practices that makes sense from a security and administrative point of view.

Anyway, that was my 2 cents. I am now faced with undoing this mess...

Does anybody know what the impact on AD/Exchange etc will be if I deactivate TS on this SBS 2000 server?

Kind regards
John


# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, February 06, 2005 6:55 PM by bradley

Deactivating should be fine and MYOB can run on a TS.

And it's not a money grab...it's a security measure.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, February 09, 2005 2:07 AM by bradley

Mad Consultant, I too believe there must be a way to tweak SBS to let TS app mode work normally. Let's put our heads together?

questestrus@netzero.net

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, February 09, 2005 2:07 AM by bradley

Mad Consultant, I too believe there must be a way to tweak SBS to let TS app mode work normally. Let's put our heads together?

questestrus@netzero.net

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, February 09, 2005 2:11 AM by bradley

Yes, it's called a member server.

Guys..what part of the "we asked Microsoft to be more secure" memo did you miss?

Today you want insecurity... tomorrow when your domain controller is malware invested... let's talk.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, February 17, 2005 7:57 AM by bradley

So, what about the policy many people (like me) would implement that only allows users to run a single application, and automatically starts that single application when they log in, and logs them out when that application closes?

No, Microsoft is not making their world more secure for thoughtful administrators -- they're making themselves more money because of all the admins that made the investment for SBS, planning to use terminal services, who now HAVE TO justify to their companies the purchase of ANOTHER server when their "SBS Premium" doesn't do all the jobs it used to.

Microsoft thought they were losing a revenue stream, and found a way to plug up a hole. And the admin who you mentioned, can't go back because he's already spent the money on the broken product, and upgraded. He has no choice but to spend *even*more* money to get back to the same level of functionality. I'll bet that has happened a thousand times with this product alone.

And it is despicable that this change in licensing policy (and several other SBS limitations/handicaps) was not Clearly, BOLDLY indicated in the product summaries and comparisons on the Microsoft web site. I can't believe they haven't been successfully sued yet.

And if you stick by your spin argument that microsoft did us a favor by sneakily crippling their product with a change of license and features, then at least acknowledge that they did it by taking away the thoughtful, security-minded administrator's options. A good admin can't implement a reasonably secure application server remote user setup -- because now he can't implement

I deal about half with unix, linux, and opensource technologies. I deal about half with windows. I provide full-range IT services for small businesses and government. The windows projects always have:

1. skyrocketing costs because of licensing caveats like this, and lack of flexibility like this; and
2. they take twice as long when I need to do something other than how microsoft wants me to do it, or it can't be done at all. (E.g., when an elegant, simple solution will solve the problem, I can't do it with exchange -- it's disabled or not built into the product; but postfix does it in one hour of research, implementation, and testing.)

No, as Hans points out additional proofs against the security claim, this Microsoft decision was all about revenue by screwing locked-in administrators who weren't informed in their product research, who spent the money, who now have to spend the money TWICE to get the same functionality they had before.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, February 17, 2005 8:36 AM by bradley

Outlook Web Access
ISA
Exchange
ISS
SQL

Susan, as you said, "Now ask yourself, do you want to do that on your one and only domain controller?"

This issue never was about security. It was/is about more money, even if you have to screw the customer to do it -- what are they gonna' do? they're locked in.

"Near the end of the project they did a “threat model“ brainstorm and asked themselves what was a potential issue....and the threat that came back was surfing on that domain controller. So the Security folks pushed through that Enhanced IE..."

The threat you keep referring to is surfing from the DC. Well, what if I made it so my people can't surf *at*all* from the DC?

Nope, this issue isn't about security. It's about licensing (costs/revenues).

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, February 17, 2005 8:40 AM by bradley

Sorry folks...this is about Security. Letting people run TS in app mode on a domain controller is sitting them in front of the server and giving them the mouse.

Thank GOODNESS "I" set my security decisions for my firm and not you guys.

Customers... beware.... ask your consultant WHY they think TS on a DC is secure. Make them justify it to you why they are wanting you to introduce insecurity in your firm.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, February 19, 2005 3:24 AM by bradley

But the question is why can you install TS on a normal domain contoller and not on SBS 2003.

If mircosoft were serious about the secuirty they would make it possible to run TS applications alongside exchange ISA etc without comprimizing the server. Its not a very creative fix to just remove a useful feature because it is insecure. Surly if its useful it just needs to be improved so it is secure.

A small business which is what this product is aimed at may just have 5 employees now seveal employes want to work from home - the business cna't afford a very fast interent connection so they want to us TS on SBS.

They decide to buy a VPN router and implement IPSEC to ensure only there home computers can access the Server.

Web browsing is disabled on the server as its not needed for the TS clients - theres on the internet alread.

How is this setup insecure - its not no external access is allowed - normal users on the LAN could cause just as much damange. In a small business the users are TRUSTED more than in a large company as the director will personally know every employee.

Seriously why should a company of 5 people need two servers just to let people work form home on the odd occasion. Every other server envioment would allow you to do this on one server. A DC is not a big thing in small network its just - the server. If a small business just had one computer and used it for web browsing there would be the same dangers of spyway virus etc. I think it has to be a money thing - gd secuirty should not reduce funcionality.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, February 19, 2005 7:02 AM by bradley

It's called virtual server folks.... and for a firm of 5 or less.... uh.. Remote web workplace back to the desktop so that they can use the workstation from home?

You are saying "working from home on the odd occasion"... we use Remote Web workplace to remote back into my VERY OWN desktop [which honestly newbies to remote-dom love better anyway]. Have you forgotten about that? Either use their own workstation or buy a spare workstation folks... geeesh!

Hey I need to beta bug that so that "normal" server CANNOT be a TS on a DC...thanks for reminding me!

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, February 25, 2005 9:46 PM by bradley

Another point... SBS is really intended for the small office. The small office usually does not have a dedicated IT person, they typically work with a consultant. We all know the quality of the rank and file consultant out there that throws together an SBS network. As much as MS has made SBS a series of wizards it still takes experience and care to set it up correctly.

I personally support about 50 SBS 2000/2003 networks plus another 100 or so "normal" networks that are bigger or more complex than what SBS can handle.

I don't have the time and customers don't want to pay me for the time to spend hours and hours tweaking the registry permissions and creating group policies to make it "safe" to run a DC as an app mode TS server. It is different for each customer with the different apps. For light duty use we rely on the RWW feature and maybe setup an extra WS or 2 next to the server for additional TS users. I also use SUS on the networks and keep a working ghost image of each of the TS workstations. If one gets beat up by spyware or a virus we simply restore the ghost image and let SUS bring the workstation back up to snuff. Restoring the SBS server after it gets "snacked" is a lot more invasive and involves real downtime for the network.

In environments where we have thin clients I always have a dedicated TS server with or without Citrix as is appropriate for the client.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, March 06, 2005 2:57 AM by bradley

But sbs2003 if half the price of 2003 standard - so if you could have ts on sbs you could run on of the sbs machines as a ts and the other as domain controler - is that setup insecure?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Sunday, March 06, 2005 8:40 AM by bradley

You can't have two SBS machines in the same forest/domain structure. You 'CAN' have a Windows 2003 member server however

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, March 10, 2005 2:40 PM by bradley

Is there any other program out there besides terminal services that will allow you to run remote desktop on windows?

I know that is a dumb question, but I have to ask something.

I am baffled and diheartened by reading these posts. I have spent half my day trying to figure out why I cannot get my server in application mode. I have a small office like one of the guys above.

I am not worried about the four people who need to access it.

I mean...come on! I only need four people; and they only give me two!!!!


DANG IT!!!

Please tell me someone knows of a way for me to do this?

It's reasons like this that people do piracy! It just cost too much to do it the right way.

They are so freak'n money grubby.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, March 15, 2005 5:53 PM by bradley

You don't get it do you? You are putting you clients at risk. The environment that we used to live in that allowed us to do TS in app mode on our DCs is gone. Over. We live in a different world.

It amazes me that as computer professionals you are willing to expose your clients like this.

I sure hope you explain totally and fully to your client that you've put them in an unsupported and insecure position. Do you have them sign a waiver? Seems to me like they should fully understand before YOU accept this risk on their behalf.

Clients beware of consultants who make security decisions FOR YOU.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, March 18, 2005 5:47 AM by bradley

This whole SBCore thing is a nightmare for me.

I work from my home office. No one has access to my computers (3) but me. I bought a Dell PowerEdge server so that I could have built-in RAID. Dell sold me Server 2003.

Following some system corruption, and hours (and days) on the phone with MS and Dell, I learned that Dell's OEM Windows package does not allow for a repair install...you have to start fresh. No one told me this.

In one conversation, Dell thought I might have a bad set of install disks so sent me a new batch. Unfortunately, they sent me SBS rather than the full Server which I had paid for.

I thought it wouldn't make any difference so I did a clean install of SBS and let the system operate as a standalone server. I reinstalled all my apps and the system was running fine...until today. Now Windows shuts down every couple of hours and I lose all my work. The event viewer notifies one, after the fact, that I have 30 minutes before the server shuts down.

What a bunch of crap!!!

It looks like I have to get back on the phone to Dell and get another set of disks and reconfigure my whole system, again. In my opinion, from spending more than two weeks on this situation, neither Dell or Microsoft knows what the other is doing.

According to something I found on the Dell website, SBS will not run (in its full mode) on the PowerEdge 700. So I have to start over. This isn't about money. It's about confusion and lack of knowledge. I'm a simple consumer who might have purchased the wrong hardware and/or software. But when I ask professionals for their help in solving the problem, and pay for the service, and can't get a straight answer, I become frustrated and agitated.

I just want to run my machine without the loss of any more time or the expenditure of any more money. I don't think MS should have the right to shut down my machine in the middle of my work. This is just absurd.

If anyone can tell me how to fix this problem, please write me.

Thank you.

~rich richs@richsprague.com

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Monday, March 21, 2005 2:24 PM by bradley

Susan,

I'm getting mighty tired of all these people that want to use SBS as a terminal server in application mode for USERS to do as they wish with the system. I guess that these are the same people that would quite happily try to win a drag car race using a tractor and then go beat up on the tractor manufacturer cos the tractor was not fast enough. It's all about using the right tool for the job.

SBS2000 was only able to be used as a Terminal Server in application mode due to the fact that MS didn't think anyone would be stupid enough to do it. Then after the support issues of people actually doing it, the pain of the users etc, they decided that in SBS2003 to try to prevent it from occuring again.

PEOPLE it's not about MS trying to make more money. It's about MS trying to make SBS2003 do what it does REALLY well. All these fools out there are trying to take it backwards just to save a few bucks. Then when it does not work or there are problems they go and blame MS for it. WAKE UP PEOPLE. If you want everything for free - then how the heck will MS be in business tommorow to support you when it has a problem?

Sorry - I'm fed up with people complaining about this. If there is a business reason for having a terminal server then there is also $$$ to buy it. If there are no $$ to buy it then the business reason is invalid. Simple as that.

Wayne

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, March 24, 2005 9:05 PM by bradley

"If there is a business reason for having a terminal server then there is also $$$ to buy it. If there are no $$ to buy it then the business reason is invalid."

Wow. I've heard some statements in my day but that's one for the record books. By using that rationale, I can infer that if I can't afford something it's unnecessary anyway? What if my doctor said I need a dialysis machine but my insurance doesn't cover it? Is the doctor wrong, since I don't have enough $$? I suppose you also think things like "more expensive cars are better than cheaper ones" and "government officials have our best interest in mind at all times, because that's their job."

I try to keep my posts on topic but that is just too classic.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, March 26, 2005 1:14 PM by bradley

I have to agree with Mad Consultant and disagree with Wayne. Microsoft does nothing well. They just have the largest market share. Well, they market well, let's leave it at that.

Susan, you seem to be so bent out of shape about security... Why do you even run MS software? The best analogy I can think of is to compare MS security to swiss cheese. Until everyone ups and demands better things, they will never get better. Much like US automakers. It's funny how the absolute lack of thought in MS programming spurred a whole industry of hardware to protect your poor little MS machines from hackers. Don't let MS fool you into thinking their disabling of TS in SBS is a security feature. It's just they didn't want to spend the time to fix properly in the first place.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, March 26, 2005 1:27 PM by bradley

You know it's quite funny.... apparently people turn a blind eye to all the vulnerabilities in all software there is in the marketplace.

Show me an operating system, show me a browser, show me anything and it has flaws. Show me a car and I'll show you that we are stuck on gas guzzling monsters that make us dependent on foreign oil. How is comparing software to automobiles that on a daily basis cause world instability and pollution a comparable thing? US Automakers? I don't see ANY automaker making a complete break from the gas engine, do you?

I think sir, you need to read up on server hardening.

Thank GAWD I am a consumer of software and security that can make up my own mind and not have to deal with consultants that believe they can set up TS on a domain controller securely . I pity the customers out there that do rely on advice like this.

This is definitely a 'buyer beware marketplace' for sure.

NotWayneClient? I get the feeling the last time you looked at Windows software wasn't what they are working on today.

Personally folks, I'm getting tired of the religious wars.

Fact: TS is gone, get over it.
Fact: You put your client in an unsupported, unlicensed configuration if you start hacking.
Fact: Any operating system is secure, any operating system is insecure, and if you don't believe that one you will be faced with finding it out the hard way.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, March 26, 2005 9:14 PM by bradley

Never been hacked with lynx. But on another note, I never said anything was perfect. (I am using and XP desktop right now btw) I don't hate MS, but I have a open mind on other platforms. But it is very tough to do all your work outside of windows.

Actually Susan, I keep up on all OS's since PC DOS and most backend applications.

I wouldn't consider these things religious wars, that is a very bad comparison.

While any OS is insecure (actually every OS is) given time, it is just disgusting how many holes there are in Windows. They can do better and anyone who disagrees is not informed. The biggest thing they have going against them is they are #1 and a huge user base of idiots. The general user is so out of date on most issues they don't know how to keep things updated or secured. Hacking will always be less than 3 steps behind security (which is a good/bad thing).

My biggest beef with any large corporation is they lose innovation. They sit back and piss on the consumer until enough people speak out or gov't steps in. Just another reason why a little socialism now and then is a good thing. Don't get me wrong capitalism is a great thing, but unchecked capitalism just harms everyone.

Ok, enough side tracks, I stumbled on this page and probably will not visit again as it had no useful info for what I was looking for.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, March 29, 2005 8:56 AM by bradley

I'm very impressed with the length of this thread...a little disappointed with the amount of BS that's up there, considering each one of you would appear to be more knowledgeable than me...

I understand what each side is saying BUT I am curious as to the reason that a TS session can make a server vulnerable. Is it only the possibility of someone surfing from the DC or is there more to it?

Our server is sitting behind a firewall, with absolutely no exposure to the internet. You can't ping it. There is no VPN set up. (And no, I don't think it is impenetrable) If you physically sit at my server and log in as one of my co-workers (user rights only) you will only have access to the accounting software, no surfing, no email access.

Susan, if you are still reading this thread, I have read every single line here and I believe that your point is very clear, we can't go back. I also believe that you are quite knowledgeable, and I am very interested in your answer. An answer that explains how my set up would cause security vulnerability.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, March 29, 2005 6:09 PM by bradley

Are you sure..... have you checked that accounting app for it's flaws and warts [gawd some of our LOB apps are so creaky and insecure it's not funny. ]

Are you positive that you've ACL'd yourself? Audited the fileshare for perm permissions and what not?

You truly want creaky, insecure, resourse hogging, application that may need a reboot every now and then on your domain controller?

Now yes, yes, before someone says "but wait you already have apps on that server" true, but at least I have the knowledge that the SBSapps are monitored for security issues...can you say that about the application you are installing on that server? Lord knows my Quickbooks has never been put to the test of a true penetration testing exercise. How can you be sure of the security of the application you have loaded up?

Next you are doing the equivalent of letting someone use that server as a workstation. Again, for the vast majority of consultants out there, even for you when it sounds like you are trying to say that you do know ACLs and what not....can you truly say that you know how to harden a SBS box when there isn't even any documentation anywhere on this subject?

KB 828056 is enough for me: "Only this [admin] mode is available because Windows Small Business Server 2003 always runs on a domain controller, and if you run Terminal Server on a domain controller, you may risk the safety of the server and the safety of your organization's sensitive data."

I have confidential client data on my box. 'nuff said.


# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Wednesday, April 06, 2005 1:14 PM by bradley

Dear Susan,
MS Quote: "if you run Terminal Server on a domain controller, you may risk the safety of the server and the safety of your organization's sensitive data."
KB 828056 is not enough for me, I would like to know how I would be risking the safety of the server and data. I could be risking risking this just by powering on a server, any server with any OS. It could be run over by a truck swirving off the road and into my office, lightning cold strike, a vendictive employee could sabotage it, someone could unknowingly configure the firewall incorrectly...you get the point right? Susan, just like you say someone should justify to their customers why they are putting them at risk, I would say someone should justify how this is protecting them, and from what exactly? I'm not disagreeing that it might be a bad idea, and Susan, if you reply to this, please don't repeat again that we are living in a different world... cause that's a pretty vague answer. So far the only specific thing it seems you've said is that it's protecting the server from malware, leaky applications and bad user decisions; all of which are manageable and possibly even preventable.
Quote: "I have confidential client data on my box. 'nuff said."
Is this box connected to the net, is it physically accessible by anyone besides you, do your clients connect to this data and use it, have you had the plumbing in the building inspected lately, etc, etc. You want your client data secure? Disconnect the harddrives, package it in antistatic wrap, inside some foam, ock it in a lockbox in a small safe the put the safe in a nuclear bunker inside fort knox. Good luck letting your clients access the data though... There always has to be some measure of acceptable risk, don't you think? Or can you really say your client data is 100% secure? If you can you're either quite naive or the most sought after IT manager/genuis/guru in the world.

Quote: "Clients beware of consultants who make security decisions FOR YOU"
Disabling TS in app mode on SBS2003 was done for security reasons right? It seems MS made a security decision for everyone buying this product by disabling this. It could be very true that it would be a huge security risk, but do you believe microsoft should make this decision? Remember WindowsME? All of a sudden users no longer had access to "real" DOS mode anymore, it was still there, Windows was still running on it, yet access was disabled. There might be good intentions behind it, but I firmly believe it should be the users choice to use it, enable it, whatever the feature might be. There are warnings on most microwave ovens these days about drying pets inside them, but people still have a choice, the microwave will still turn on if there's a pet inside. Of course this would be a really bad choice, most people in a situation like that however would be educated enough to know the pet would die and therefore make the correct decision. There's not yet a breathalizer in every car, so your car will still move even though you might not even be sober enough to walk. It's about choice, just because it might be a bad idea, don't just disable it. Next thing you know MS will buy up Intel and AMD and somebody there will think it's a bad idea to run anything but a MS OS on their CPUs...
Really though, all I want is a few specific reasons why you believe it's suicide to run TS in app mode on SBS2003. I've already heard we're in a different world, I've already heard it's a DC, I've already heard it's like letting your users use your server as their workstation and I've already heard about the malware risks and poorly designed apps. There must be something more being that you are so insistent on this? Or does it all just come down to disabling is easier than preventing or fixing problems regarding malware, user stupidity and poorly designed apps?

Invalid human, lol... then proof on the line underneath, other side of the page...nm, just entered the verify code wrong.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, April 15, 2005 5:05 AM by bradley

Susan, you regularly ask of we really want users to TS into a domain controller. Well, no. But what if we didn't buy SBS2003 as a DC? What if we don't want it to run as a DC? We have no choice on that one.

I have a SBS2003 machine that was comission ed to allow users to TS in. In my part of the world it was the cheaper option by far. I didn't check the fine print, however, so I'm stuck with a Dual XEON with 4GB RAM running an OS that was installed to allow users to TS into. I don't care about the DC, the we're a Netware company. I was looking for a cheaper solution to allow users from branch offices to connect to head office in a country where 128K of bandwidth costs more than you get paid each month. Sorry, I should qualify that, it costs more than you get paid IF you get paid really really well.

There are real, valid scenarios where people would want to allow people to TS in to a SBS2003 machine. If this were a true security issue then MS should have given us the choice. Sure, make us click 'yes' 10 times as it explains the implications to us, but give us the choice. I paid for the software, I paid fopr the CALs, let me use them how I want to use them. Inform me of the risks, but then let me make the choices.

And if it's disabled because SBS2003 is a scaled down version of Srv2003 (I.E. a money thing), then tell people up front. Clearly, without the need to read through hundreds or thousands of KB articles and FAQS. I'm busy, I don't have time to research MS marketing to decide what to buy. I usually supply Novell or Linux products, MS is done only when I have no other option.

Does that make me a Bad Supplier (TM)? Maybe you think it does. I don't, but I'll acknowledge that you're entitled to your opinion, unlike MS, who do not allow me to decide how I'm to use the software I purchased from them.

Regards,

Jason

P.S. As for the patching thing, SuSE Linux has had an online update facility forever, and Debian (and derivatives) have apt-get solutions that work very well too. There are viable, alternatives to MS. If you doubt that ask yourself why MS is spending so much money advertising against a product that it claims is vastly inferior. Better yet, read the Yankee report available on the MS website. Not the parts that MS quote in their marketing, the whole thing where it essentially says thet Linux is a better product. But you'd be stupid to take my word for it, so read the whole thing for yourself.

J

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, April 15, 2005 7:25 AM by bradley

If you, as consultants, cannot take what has been posted here and understand that
1. SBS is what it is [a domain controller - holding the FSMO roles] and as a fellow woman geek friend says -- don't you men READ? It's designed to be the root/main server/PDC. It's there that it has to be a PDC.
2. That thus now that we now it has to be a PDC that allowing end users, crappy applications, wacking registries, adjusting permissions, uninstalling the enhanced IE lockdown, running # users on the same box as your firm's crown jewels is exposing your firm to major risks.... then I cannot help you 'get security' anymore. It amazes me that the folks that are yelling for Microsoft to be more secure are seeming the same ones yelling for TS on a domain controller back in. Something has to give folks. They also took out modem sharing and didn't give you a choice on that one either. No, I take that back..they are giving you a choice..it's called "buy Windows 2003 server'. There.. it's your choice.
3. I've used Linux. Remember in two years you'll be unsupported, and I read the Didiot [as it's being called these days] report and I don't come to that conclusion. Right now it would cost me more time and energy ... why in the world would I move to a platform that I have no community for, no immediate 24/7 instant messenging resources to help me maintain my system, it would cost me much much more in time, money, energy and resources to maintain two such communities.
4. The business owner. At the end of the day this isn't a religion, this is a business decision. Many fellow business owners like myself like to have a onsite minor geek that does daily tasks.. it's way easier to do those tasks on a MS box than an 'alternative fill in the blank' that the uber geek only uses occasionally. We're 'small businesses'. Monoculture is a good thing down here.

You should have bought Windows 2003. This is "Small business server" and meant to be the first server in the firm.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, April 15, 2005 12:53 PM by bradley

It seems there are two groups here.

Group 1 believe we are able to take care of our own security. We'd like to be able to open doors we feel are safe, and close doors we feel are unsafe. We are paid to do these things, to understand the risks and manage them for our customers. Some of us do a really good job of managing the risks. So we want security, yes, but the security we want is the kind of security where we have choice. How many people here would choose not to install explorer on a server, period? Group 1 believes that we are responsible for the security of the machines we administer.

Group 2 appear to believe that if we have choices we will make unwise decisions. They argue that in order for us to be secure we must have our choices limited - we mustn't be given the opportunity to make mistakes. These people say that security is something intrinsic to the systems we work with, and that our control over these systems is (and must be) limited to what others feel is right for us. Group 2 base their beliefs on the principle that we need others to take responsibility not only for the systems they produce, but also our implementation of those systems.

It appears that this discussion is going nowhere simply because Group 1 is saying they would like to be able to implement a specific solution in a way that suits the business (and financial) drivers of the organisation they represent. Group 2 is stating that they are stupid to want to implement their solution in that way. They are, without knowing the requirements of the Group 1 members, judging their intelligence, technical ability and integrity, and painting them as being unethical, unintelligent and lacking in common sense.

The fact is that SBS cannot act as a standalone server, and it cannot act as a Application mode TS server, and I very much doubt that any debate here will change that. But this discussion is on WHY it can't happen. And I believe that if it was a purely security driven decision then there should have been a way to disable it. After all, using Group Policies I can allow my passwords to be ridiculously short, disable account lockouts, create easily guesable passwords on creation and dissalow users the ability to change them, how much of an extra PURELY SECURITY risk is TS on a DC, a DC which, I might add, is aimed both in technology and price at a market that has a smaller IT budget.

It has been my experience that the rabid supporters of MS software and OS products are the first to claim that supporting *nux is more expensive because of the specialist, expensively skilled technicians required to run the machines. They claim that *nix is difficult to use and understand. These people often state that using Windows is easier and that this is it's advantage. Yet these same people, when talking to the technicians with the 'specialised' 'expensive' skills required to operate difficult, complex *nix machines, often treat them as if they were intellectually inferior. By definition, people able to understand and operate difficult, complex, specialised equipment should be seen as being at least as competent as their Windows counterparts.

On the Linux side, I was unaware that I would be unsupported in 2 years, HOW will I be unsupported in 2 years?

Regards,

Jason

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, April 15, 2005 12:58 PM by bradley

My wife just pointed out that people will attempt to overcome this limitation by having users log in as administrator (only useful when 2 or less have to connect, I know). What will THAT do to security?

My wife is a CA, an accountant, the people who tend to run companies IS departments. This is how others WILL think.

Jason

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, April 15, 2005 1:16 PM by bradley

Camp 1 - your choice is Windows 2003 server. Simple. Everyone is missing the part of the sales brochure that says SBS is one of the server listings? For our price they make certain assumptions....security is one of them and the fact that not only will we have stupid end users but consultants that won't be able to properly tweak a domain controller for this type of connecitvity..let's face it... again go though that list of things that "I" did for my member server and you tell me how the risk is worth it versus just buying another side server or a couple of desktops to host RWW. End of story. If your wife can't see that users should not be remoting in as admins on that domain controller, then I've got a lot of education in my accounting space to make us the consumers of software more educated as to the risks out there. I am an Accounting by original traning and "I" can see that this is stupid to do.

2. As far as the two years... here's one specific example -- the announcement of a two year cycle for the Home market. See the Redhat to Fedora as well for another example that operating systems no matter what the kind should not be kept around indefinitely. Even they get it that we shouldn't be running OS's years after they've been released.


Dear suse-security-announce subscribers and SUSE LINUX users,

With the release of the SUSE Linux 9.2 FTP edition today, SUSE Security
announces that the SUSE Linux 8.1 version of our home user product will
be discontinued soon. Having provided security-relevant fixes for more
than two years, vulnerabilities found in SUSE Linux 8.1 after January
31st 2005 will not be fixed any more for this product.

As a consequence, the SUSE Linux 8.1 distribution directories on our ftp
server ftp.suse.com has been moved from /pub/suse/i386/8.1/ to the
/pub/suse/discontinued/ directory tree structure to free space on our
mirror sites for the SUSE Linux 9.2 FTP edition; the 8.1 directory in the
update tree /pub/suse/i386/update/8.1 will follow later in February/March
2005, as soon as all updates have been published.

The discontinuation of SUSE Linux 8.1 enables us to focus on the SUSE
LINUX distributions of a newer release date to ensure that our customers
can continuously take advantage of the quality that they are used to with
SUSE LINUX products.

This announcement holds true for SUSE Linux 8.1 only. As usual, SUSE will
continue to provide update packages for the following home users
distributions:

SUSE Linux 8.2
SUSE LINUX 9.0
SUSE LINUX 9.1
and
SUSE LINUX 9.2

for a two-year period after the release of the respective distribution.

Please note that the maintenance cycles of SUSE LINUX Enterprise Server
products and products based on the SUSE LINUX Enterprise Server operating system are not affected by this announcement. To learn more about SUSE LINUX business products, please visit http://www.novell.com/linux/suse/.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, April 26, 2005 9:03 AM by bradley

All very good points from what I have read here.
Though I must bag Microsoft on this issue.
I feel that the removal of TS from SBS in 2003 is wrong.
TS is a very useful and powerful tool that I am sad to see go from SBS.
Microsoft has good intentions here, but is being like an overprotective parent by removing a feature to eliminate a potential security issue.

I believe that education is key.
As a Systems Administrator you must understand what is secure and what isn't and use services appropriately to ensure that you minimise any threat.

If you use settings in AD and Group Policy to lock down SBS for use as a Terminal Server, you can ensure that users are limited to using one application on the TS. Then you are making effective use of the TS feature in SBS while minimising any risks.

I work as a Systems Engineer supporting multiple Small to Medium Businesses. I come across many clients that use TS on their SBS Server to use their accounting packages, etc. I simply ensure that I lock them down to ensure that if all they need is one app, that is all they can use.
To date I can honestly say I have not had a security incident following this approach.

Cheers

Rob

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, May 05, 2005 2:15 PM by bradley

When will people get this? Terminal Server ON SBS is just plain rotten idea. I've just spent the last two days cleaning up a new client we inherited from a guy who installed their SBS2000 server and then got users to user it as a terminal server. The amount of spyware and crap on the box was huge. They also had outlook running on the server and that then prevented the Exchange console from running properly, so we fixed the exchange console, which then broke outlook and in the end in order to keep the customers business running, we had to break the exchange console just so outlook would work again. This is ludicrous. The customer was the unwitting victim of a fool who configure it like this in the first place. The customer, in order to do business properly now needs to put in place a terminal server. He's built his business to rely on these features and now due to the incorrect configuration in the first place he has to suffer.

For those of you upgrading to SBS2003 - Microsoft does indeed say that TSV on SBS is bad - http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx is the link you need to look at.

Now I'll get back to helping the customer.
Wayne

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Thursday, May 26, 2005 10:49 AM by bradley

Hello. I was reading up on installing terminal services and found this blog. We basically have two SBS 2003 servers and want to run terminal services on our backup server. Sounds like I may find that I'm missing something once I get further into the process. Any advise would be appreciated. In short, Server1 is an SBS2003 server that functions as a PDC (or active directory) for the domain. Server2 is a member server that is always on standby just in case Server1 goes down. Basically Server2 is just sitting there doing nothing. I would like to use it as a terminal services box. As I understand, I should be able to install the TS licenses on Server1 and use Server2 as a TS server (hopefully in Application Mode). I guess I'm really wondering if SBS 2003 will allow me to run TS on Server2. Further, if this can be done, does anyone know the port numbers that would need to be forwarded on our router?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, May 27, 2005 12:27 AM by bradley

Brady Bunch? You can't have two SBS servers in the same domain and no SBS server can do TS in application mode.

No domain controller should be allowed to do TS in app mode and anyone who thinks that they 'should' be able to be allowed to do that is suddenly forgetting that we sat here and demanded Microsoft to be more secure and suddenly we want insecurity back.

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Friday, May 27, 2005 7:32 AM by bradley

My bad. I don't have two SBS 2003 servers. I have two 2003 Standard Ed. servers. So, I'm guessing I could put terminal services on the Server2 (the member server)?

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Tuesday, June 07, 2005 9:01 AM by bradley

Firstly, Congrats to all involved, on this threads 1st birthday. :)

Susan, just read the whole thread in one sitting and if I ever see you type the words "using the DC as a workstation" again, I will poke my eyes out with a stick of ram. ;-)

Obvious point no1) susan believes most vehemently that TS in app mode on a DC should never be allowed.
Obvious point no2) susan believes most vehemently that TS in app mode should be installed on a member server only.
Obvious point no3) susan believes most vehemently that anyone who believes they can lock down a dc running TS in app mode is delusional at best, and most likely incompetent.

I get all that, loud and clear. I'm not saying I agree, but I understand your argument.

BUT.... No-one in this blog entry has actually stated the physical reasons why SBS2003 cannot run in app mode. By that I mean, what is the setting, registry entry, configuration file etc that physically stops it from being able to be done? THAT is the question I thought was being addressed,given the title "- why can't SBS2003 do it?", not a philosophical 'discussion' on why it SHOULDN'T be done.

The overwhelming reality is that MS has made the change, and in the process has forced many Small Businesses that can only justify/afford 1 server, to remain on SBS2000 for the foreseeable future.

We can argue for the next year about whether it should or shouldn't be possible, I don't care, everyone is entitled to their opinion.

However, my thougts are, that to blanketly state that there are no circumstances under which TS in App mode should be possible on single server SBS domain is to deny the thousands of different scenarios faced by Small/Medium businesses. ie: not all of them want to use it for 'open slather' admin style access to a myriad of applications.

Believe it or not, some business decisions involve weighing up the risk vs the benefit.. for many Small Businesses the risk of running the DC in TS app mode is a calculated risk, worth the benefits gained.
Susan, you obviously believe that there are no circumstances where it is worth the risk. I respectfully disagree. Unless you know every scenario that every business is faced with, you cannot judge the risk/benefit ratio.

Thanks again to all for a very interesting thread.

Glen

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, June 11, 2005 2:15 AM by bradley

Dear all,

Here is another guy reading all the the lines.

I suggest Susan work for the M$ marketing if she didn't.

For my own understanding, Susan REPEATED 2 points:
1>Go for the Windows 2003 server if you want TS (App) on DC!!!
2> SBS2003 is (cheap) for small business and so not allowed to do so.

For what so called "2 year support issue", it's only a business decision which not related for Linux platform itself.
Simple. Could you use your ANALOG Mobile phone today if you have one? BTW, M$ did also stop its support for discontinuted product, right?

The fact is that M$ control everything. We SHOULD NOW not rely on M$ as much as possible. Go for the world with freedom!


Sorry for my poor english~

Regards,
Alpha

# re: Terminal Server in Application mode - why can't SBS 2003 do it?

Saturday, June 11, 2005 9:44 AM by bradley

I'm still shaking my head on this... this has nothing to do with marketing.

I'm a small business..a customer and it FLOORS me how you consultants will not even take one moment to think of the risks you are putting your client through?

What is the only way that I trust to clean a malware infected box?
Flatten it.

And when I set up my Terminal server on my member server to allow my end users to use it, I wacked off all the protections in Internet Explorer thereby risking malware on that box [and installing Firefox won't help either]

Now what happens to my domain controller when I get malware on there? How can I easily flatten it?

You call it freedom? Folks when are you going to get it through your heads that we cannot do what we once did. That the Internet is not this businesss friendly place.

This is your DOMAIN controller that you guys are so willing to risk it all for.

Sorry but if you want to go to another platform and put your crown jewels at risk... more power to you... just make sure you explain the risks FULLY to you client... because it's obvious to me that you guys are not doing the full risk analysis you need to do.