The Terminal Services Configuration console is the
main tool used to configure the Terminal Services role. The server
options available in this tool primarily affect the user’s environment
when connecting to the local terminal server. Other options available
in this tool, however, relate to server licensing and load balancing
features. After describing all the options and features configurable in
the Terminal Services Configuration console, this lesson describes
supplementary configuration options available in Group Policy for one
feature in particular: printer redirection.
Introducing the Terminal Services Configuration Console
The Terminal Services Configuration (TSC) console is designed to control settings that affect all users connecting to the terminal server or all users connecting through certain connection types. For instance, you can use the TSC console to set the encryption level of all Terminal Services sessions, to configure the graphical resolution of sessions, or to restrict all users to one session. The TSC console is shown in Figure 1.
The TSC console provides two general areas for configuration: the connection (RDP-Tcp) properties dialog box and the Edit Terminal Server Settings area. The following sections describe the options available through each of these configuration areas.
Configuring Connection (RDP-Tcp) Properties
Connection properties are used to customize the behavior of all Terminal Services sessions initiated through certain specific transport protocols (such as RDP over TCP) or through specific network adapters on the terminal server. By default, only one connection (named RDP-Tcp) is available for configuration; the properties configured for this connection apply to RDP sessions through all local network adapters. Beyond this default connection, you can also create new connections that apply to third-party transport protocols or to particular adapters.
For environments using only the built-in functionality offered by Windows Server 2008, the RDP-Tcp connection normally will serve as the only connection, and the RDP-Tcp Properties dialog box provides key configuration options for the entire server.
To open the properties of the RDP-Tcp connection, in the TSC console Connections area, right-click RDP-Tcp, and then click Properties. This procedure opens the RDP-Tcp Properties dialog box, as shown in Figure 2.
The following section explains the configurable options available through each of the eight tabs.
General Tab
The General tab enables you to modify settings in three security areas: security layer, encryption level, and NLA. These three areas are described in the following section.
Security Layer
All RDP connections are encrypted automatically. Security layer settings determine the type of encryption used for these Terminal Services connections. Three options for the security layer are available: RDP Security Layer, SSL (TLS 1.0), and Negotiate.
The RDP Security Layer option limits encryption to the native encryption built into Remote Desktop Protocol. The advantages of this option are that it requires no additional configuration and that it offers a high standard of performance. Its disadvantage is that it does not provide terminal server authentication for all client types. Although RDP 6.0 can provide server authentication for clients running Windows Vista and later, Terminal Services clients running Windows XP and earlier do not support server authentication. If you want to enable RDP clients running Windows XP to authenticate the terminal server before establishing a connection, you have to configure SSL encryption.
The SSL (TLS 1.0) option offers two advantages over RDP encryption. First, it offers stronger encryption. Second, it offers the possibility of server authentication for RDP client versions earlier than 6.0. SSL is, therefore, a good option if you need to support terminal server authentication for Windows XP clients. However, this option does have some drawbacks. To begin with, SSL requires a computer certificate for both encryption and authentication. By default, only a self-signed certificate is used, which is equivalent to no authentication because clients have no trusted way to verify it. To improve security, you must obtain a valid computer certificate from a trusted certification authority (CA), and you must store this certificate in the computer account certificate store on the terminal server. Another disadvantage of SSL is that its high encryption results in slower performance compared to that of other RDP connections.
When you choose the Negotiate option, the terminal server will use SSL security only when supported by both the client and the server. Otherwise, native RDP encryption is used. Negotiate is also the default selection.
Encryption Level
The Encryption Level setting on the General tab enables you to define the strength of the encryption algorithm used in RDP connections. The default selection is Client Compatible, which chooses the maximum key strength supported by the client computer. The other available options are FIPS Compliant (highest), High, and Low.
Network Level Authentication
When the Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication setting is enabled, only clients that support NLA will be allowed to connect to the terminal server.
To determine whether a computer is running a version of the Remote Desktop Connection (RDC) client that supports NLA, start the RDC client, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase “Network Level Authentication Supported” in the About Remote Desktop Connection dialog box, shown in Figure 3.
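The three General tab settings described above can also be read and checked outside the console. The following PowerShell audit script is an added example, not part of the original lesson; it assumes the Win32_TSGeneralSetting WMI class in the root\CIMV2\TerminalServices namespace and its numeric codes for the security layer, the minimum encryption level, and the NLA flag.

```powershell
# Added example (not from the original lesson): audit the General tab security
# settings of the RDP-Tcp connection through WMI rather than the TSC console.
# Assumes Win32_TSGeneralSetting in root\CIMV2\TerminalServices (Windows Server 2008).
$setting = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# Numeric codes exposed by Win32_TSGeneralSetting, mapped to the console's labels.
# The [int] cast matters: the WMI values are UInt32 and would not match Int32 keys.
$securityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$encryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$layer = $securityLayers[[int]$setting.SecurityLayer]
$level = $encryptionLevels[[int]$setting.MinEncryptionLevel]
$nla   = [bool]$setting.UserAuthenticationRequired

"Security layer : $layer"
"Encryption     : $level"
"NLA required   : $nla"

# Findings a reviewer would flag, following the trade-offs explained in the lesson.
if ($setting.SecurityLayer -eq 0) {
    Write-Warning 'RDP Security Layer only: pre-6.0 clients cannot authenticate the server.'
}
if ($setting.MinEncryptionLevel -eq 1) {
    Write-Warning 'Low encryption level selected; consider High or FIPS Compliant.'
}
if (-not $nla) {
    Write-Warning 'NLA not required: clients without NLA support may still connect.'
}

# Remediation uses the same class's methods (uncomment to apply on the server):
# $setting.SetSecurityLayer(2); $setting.SetEncryptionLevel(4); $setting.SetUserAuthenticationRequired(1)
```

Run it in an elevated PowerShell session on the terminal server; with the defaults described above it reports Negotiate and Client Compatible and warns only if NLA is not required.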
Logon Settings Tab
The Logon Settings tab, shown in Figure 4,
enables you to configure all Terminal Services clients to use a single
predefined username and password. Sharing credentials in this way
enables users to connect to the terminal server without having to
supply any credentials. Choosing this option might be suitable for
testing environments or for public terminals.
When you select the Always Prompt For Password option, the user must always supply at least a password (if not the username) before connecting.