Choose the appropriate permission levels for Terminal Services

When installing Terminal Services on Windows Server 2003, you have two security options: Relaxed Security or Full Security. Scott Lowe discusses the differences.

When you install Terminal Services on a Windows Server 2003 server in your data center, you have the option to either select the Relaxed Security setting or choose the Full Security option for your clients. While the answer may appear to be a simple one, it's important to consider your organization's specific applications before clicking that Full Security option.

First of all, make sure you understand the Terminal Services language. In this case, relaxed doesn't necessarily mean lax--it's actually shorthand for Windows NT Server 4.0, Terminal Server Edition Permissions Compatibility Mode (Relaxed Security). Your other option, Full Security, actually stands for Windows 2000/Windows Server 2003 Permissions Mode.

If you select the Relaxed Security option, users connecting to the terminal server can modify certain system files (such as those located in the SYSTEM32 directory) as well as registry keys. Windows 2000 and Windows Server 2003 restrict user access to these areas to boost security and stability.

You might wonder why you would ever want to allow users to access such important system areas. However, some earlier programs won't operate unless the user has access to certain registry keys and the SYSTEM32 folder, and Terminal Services' Relaxed Security setting allows the support of these applications.

The good news is that these programs are all generally pretty old. The even better news is that the Relaxed Security setting saves you from having to grant users Administrator privileges on the system. But even though it's better than giving users admin rights, it still creates a major security hole.

So, whenever possible, choose the Full Security option to lock down your terminal server. If you're not sure whether a particular application will work, try running it under the Full Security setting first. If that doesn't work, you'll likely need to use the Relaxed Security option. However, to better protect your network, segregate such applications by putting them on their own terminal server.
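
To check which mode an existing terminal server is running and what the relaxed setting exposes, the following PowerShell audit is an added example, not part of the original article. It assumes the mode is recorded in the TSUserEnabled registry value (1 = Relaxed, 0 = Full) and that the relaxed rights are granted through ACEs for the well-known TERMINAL SERVER USER SID (S-1-5-13); the function names and the HKLM:\SOFTWARE sample key are illustrative choices.

```powershell
# Added example (not from the original article). Assumptions: the mode is
# recorded in the TSUserEnabled registry value (1 = Relaxed, 0 = Full), and
# Relaxed Security works through ACEs for TERMINAL SERVER USER (S-1-5-13).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tsSid = 'S-1-5-13'

# Bits that let a principal change an object: 0x2 and 0x4 are
# WriteData/AppendData on files and SetValue/CreateSubKey on registry keys;
# the rest are Delete, ChangePermissions, TakeOwnership and generic all/write.
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 `
             -bor 0x10000000 -bor 0x40000000

function Get-TSPermissionMode {
    $prop = Get-ItemProperty -Path $tsKey -Name TSUserEnabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Unknown (TSUserEnabled not set)' }
    if ($prop.TSUserEnabled -eq 1) { return 'Relaxed Security' }
    return 'Full Security'
}

function Get-TSUserWriteAccess {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -ne $tsSid) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # File ACEs carry FileSystemRights; registry ACEs carry RegistryRights.
            if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $rights = $ace.FileSystemRights
            } else {
                $rights = $ace.RegistryRights
            }
            if (([int]$rights -band $writeMask) -ne 0) {
                New-Object PSObject -Property @{
                    Path = $p; Rights = $rights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

"Permission mode: $(Get-TSPermissionMode)"
# Sample targets: SYSTEM32 is named in the article; HKLM:\SOFTWARE is an
# illustrative choice of registry key.
Get-TSUserWriteAccess -Path "$env:SystemRoot\System32", 'HKLM:\SOFTWARE' |
    Format-Table Path, Rights, Inherited -AutoSize
```

Run it from an elevated prompt on the terminal server; any rows returned while the mode reads Relaxed Security are locations that connected users can modify.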