Troubleshoot Terminal Services: Terminal Services give Administrators the ability to gain remote access to a Windows client computer. Terminal Server services can also be used by Network Administrators to run applications from a single server. Multiple client machines can access the application on the Terminal Server instead of having the application loaded individually on each machine. Clients can run programs, save files, and use network resources as if they were sitting at that machine. Administrators will typically have to troubleshoot issues pertaining to Terminal Server such as client connectivity and error messages.
Diagnose/Resolve issues on Terminal Services Security: Administrators have various settings that may be applied to enhance security while using Terminal Server in the Application mode on Windows Server 2003. Terminal Server has two separate security modes when Terminal Server has been installed in the Application mode (not Remote Administration mode):
Full Security - This mode will provide the most security in the Windows Server 2003 environment.
Relaxed Security - This mode is commonly used to allow legacy applications (pre-Windows 2000) to run. It allows the system registry to be edited.
Which security mode is selected has a large impact on the security of the Windows Server 2003 computer. In Relaxed mode a security descriptor is written for the user group so that legacy applications can run properly; Full Security mode does not apply that security descriptor to the user group. If Relaxed mode was chosen and you later decide to switch to Full Security mode, you can do so in the Terminal Services Configuration console. Use the Run As command, or make sure you are a member of the Domain Administrators group (for computers joined to a domain) or the Administrators group (for local computers).
To open the console, click Start, select Administrative Tools and choose the Terminal Services Configuration option from the menu. Choose the Server Settings option and then, on the left, select the Permissions Compatibility option. Choose Full Security and click OK.
NOTE: If you attempt to upgrade a Windows NT 4.0 Terminal Server Edition computer to Windows Server 2003 you could receive an error stating:
You need Whistler Advanced Server or higher for Terminal Server. Microsoft Windows XP Setup has detected that the computer you are upgrading is running Terminal Server (formerly "Terminal Services in Application Server mode"). Terminal Server is not supported on Windows XP Server. To upgrade this computer and continue to run Terminal Server, you must cancel this upgrade and install Windows XP Advanced Server. Terminal Server is also included as part of Windows XP Datacenter Server.
This error means that you need to use Microsoft Windows Server 2003 Advanced Server.
Administrators also have the ability to set time-out settings for clients who are active, idle or disconnected. Open the Terminal Services Configuration Console by clicking on Start, selecting Administrative Tools, then choosing the Terminal Services Configuration option. Right-click the connection that needs modifying and choose Properties.
Select the Sessions tab and choose the Override user settings box. Enter the maximum amount of time that a client disconnected session can remain on the server in the End a disconnected session option. Once this time has been reached, the session will end. The session will permanently be removed from the server unless you select the Never option, which allows the session to remain on the server for an indefinite amount of time.
The Active session limit option is used to enter the maximum amount of time a session can be active on the Terminal Server. When the limit is reached, the user is either disconnected or the session ends and is permanently removed from the Terminal Server, depending on the setting chosen. The Idle session limit is used to set the maximum amount of time a session can remain without client activity. Once the session ends, it is deleted from the server; the Never option may be used to allow an idle session to remain on the server indefinitely.
Diagnose/Resolve issues on Terminal Services Client Access: Before the Terminal Server computer can give clients licenses, it must be activated. The activation process is used to validate the server ownership and identity and is provided by Microsoft. The license server can be activated by Telephone, Web Browser or Automatic Activation. Review the procedures below for Terminal Server activation:
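Before moving on to activation, the three session limits described above (disconnected, active and idle) can be audited from the command line. The PowerShell script below is an added example and not part of the original article. It assumes the default RDP-Tcp connection and the registry value names Terminal Services Configuration writes under the WinStations key (MaxDisconnectionTime, MaxConnectionTime, MaxIdleTime in milliseconds, where 0 means Never, and the matching fInherit* flags, where 1 means Override user settings is not checked); verify those names on your own build before relying on them. A limit left at Never is reported, because sessions that never end keep a logged-on token on the server for an attacker to reuse.

```powershell
# Added example (not from the original article): audit the per-connection
# session limits that Terminal Services Configuration stores for RDP-Tcp.
# Assumed value names: MaxDisconnectionTime / MaxConnectionTime / MaxIdleTime
# (milliseconds, 0 = "Never") and fInheritMaxDisconnectionTime /
# fInheritMaxSessionTime / fInheritMaxIdleTime (1 = use the user account's
# settings, 0 = "Override user settings" is checked).
param(
    [string]$Connection = 'RDP-Tcp'   # placeholder: name of the connection to inspect
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Connection"
if (-not (Test-Path $key)) {
    Write-Error "Connection '$Connection' was not found under WinStations."
    return
}
$props = Get-ItemProperty -Path $key

# One entry per limit: the label shown on the Sessions tab, the registry value
# holding the limit, and the inherit flag that makes the server ignore it.
$limits = @(
    @{ Label = 'End a disconnected session'; Value = 'MaxDisconnectionTime'; Inherit = 'fInheritMaxDisconnectionTime' },
    @{ Label = 'Active session limit';       Value = 'MaxConnectionTime';    Inherit = 'fInheritMaxSessionTime' },
    @{ Label = 'Idle session limit';         Value = 'MaxIdleTime';          Inherit = 'fInheritMaxIdleTime' }
)

foreach ($l in $limits) {
    $ms      = $props.($l.Value)
    $inherit = $props.($l.Inherit)
    if ($inherit -eq 1 -or $null -eq $ms) {
        $state = 'per-user setting applies (Override user settings is not checked)'
    } elseif ($ms -eq 0) {
        $state = 'Never: sessions can linger indefinitely, review this'
    } else {
        $state = '{0} minutes' -f [math]::Round($ms / 60000)
    }
    '{0,-28}: {1}' -f $l.Label, $state
}
```

Run it in an elevated PowerShell session on the Terminal Server; each line shows whether the limit is enforced by the connection, inherited from the user account, or set to Never.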
Telephone Activation - Click Start, select Administrative Tools and choose Terminal Server Licensing. Open All Servers, choose the server that needs activation and right-click on the server. Select the Activate Server option, then click Next on the Activation Wizard. Choose the Telephone option for the activation method and then choose Next. Select your Country or Region, then choose Next. The telephone number to call will appear. Have the Product ID for the product available, along with your name, organization name and the licensing you need to activate. The Microsoft support representative will create a unique ID and give it to you to enter. Enter the ID and then select Next. The license server will then be activated. You will now have the option to install the client license key packs on the server by choosing the Next button, or you may uncheck Start Terminal Server Client Licensing Wizard Now and choose the Finish button to complete this step at a later time.
Web Browser - Click Start, select Administrative Tools and choose Terminal Server Licensing. Open All Servers, choose the server that needs activation and right-click on the server. Select the Activate Server option, then click Next on the Activation Wizard. Choose the Web Browser activation method and choose Next. Click on the hyperlink given to activate the license, choose the Select Option, select Activate a License Server and then click Next. Enter your Product ID, Name, Organization Name and Country or Region, then choose the Next button. The License Server ID will then be given to you; go to the License Activation page, enter the License ID and select the Next button. You will now have the option to install the client license key packs on the server by choosing the Next button, or you may uncheck Start Terminal Server Client Licensing Wizard Now and choose the Finish button to complete this step at a later time.
Automatically - Click Start, select Administrative Tools and choose Terminal Server Licensing. Open All Servers, choose the server that needs activation and right-click on the server. Select the Activate Server option, then click Next on the Activation Wizard. Choose Automatic connection (recommended) and then select Next. Enter your name, organization and country or region and click Next. You also have the option to enter your own or the company's e-mail address and the company address. Select Next after this optional information has been entered. You will now have the option to install the client license key packs on the server by choosing the Next button, or you may uncheck Start Terminal Server Client Licensing Wizard Now and choose the Finish button to complete this step at a later time.
Verify effective permissions when granting permissions: There are some very specific "best practices" that should be considered when granting permissions for Terminal Services:
1. Deny permissions should be used only for certain special cases: to exclude a subset of a group that has Allow permissions, or to exclude one specific permission when you have already granted Full Control to a user or group.
2. Rather than set individual permissions, use security templates whenever possible.
3. If possible, avoid changing the default permission entries on file system objects, particularly on system folders and root folders. Changing default permissions can cause unexpected access problems or reduce security.
4. Never deny the Everyone group access to an object. If you deny everyone permission to an object, that includes administrators. A better solution would be to remove the Everyone group, as long as you give other users, groups or computers permissions to that object.
5. Assign permissions to an object as high on the tree as possible and then apply inheritance to propagate the security settings through the tree. You can quickly and effectively apply access control settings to all children or a subtree of a parent object. By doing this, you gain the greatest breadth of effect with the least effort. The permission settings you establish should be adequate for the majority of users, groups and computers.
6. Privileges can sometimes override permissions. Privileges and permissions may disagree and you should know what happens if they do. Active Directory has its own set of best practices regarding permissions.
7. Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
Change ownership of files and folders: On Windows Server 2003, Administrators need to know how to take ownership of files and folders in order to repair or change them.
All Active Directory objects, files and folders have an owner. Owners have the right to control access permissions on the object. Ownership cannot be transferred by current owners to other users; however, the user who currently has ownership can give another user the right to take ownership. In simple terms, you cannot force ownership of a document, folder or printer onto another person. All you can do is offer ownership; the other user must be the one to take it. NOTE: The exception to this rule is an owner who has the Restore Files and Directories privilege. A user with that privilege can double-click Other users and groups and choose any user or group to assign ownership to. Assigning this user right can be a security risk: users who hold it can overwrite registry settings, hide data and gain ownership of system objects, so assign it only to trusted users. Backup Operators, Server Operators and Administrators are the groups that have this right by default.
Windows Server 2003 Administrators have the built-in ability to take ownership of a file through the Take Ownership of files or other objects right. You can take ownership from within Windows Explorer. Find the file or folder you wish to take ownership of, right-click it, choose Properties, then select the Security tab. Click the Advanced button, then choose the Ownership tab.
To take ownership of a file, use the Ownership tab in the Advanced properties of the object. The screen shows the current owner of the file or folder. To give Take Ownership rights to a user or group, click the Other Users or Groups button and type the user or group name in the Enter the object name to select (examples) box. To change the owner to a user or group that is listed, click the new owner. All subfolders (if applicable) and objects in the tree can have their ownership changed by selecting the Replace owner on subcontainers and objects check box. Ownership can also be transferred by users who hold the Restore Files and Directories privilege by double-clicking Other users and groups and then selecting a user or group to assign ownership to. Alternatively, the Take ownership permission can be granted to users.
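The best-practice list on permissions and the ownership procedure above both come down to reading an object's security descriptor. The PowerShell script below is an added example, not the article's own code: it prints the owner and every access control entry of a file or folder, flags a Deny entry for Everyone (which locks out Administrators as well), reports a trustee whose inherited Deny is overridden by an explicit Allow, and can optionally take ownership for the Administrators group. The path and the target owner are placeholders, and it uses only the built-in Get-Acl and Set-Acl cmdlets.

```powershell
# Added example, not the article's own code. Audits the owner and DACL of a
# file or folder, flags the cases the best-practice list warns about, and
# optionally takes ownership. Path and owner are placeholders.
param(
    [string]$Path = 'C:\Shares\Finance',   # placeholder object to audit
    [switch]$TakeOwnership                  # assign ownership to BUILTIN\Administrators
)

$acl = Get-Acl -Path $Path
"Owner of $Path : $($acl.Owner)"

# Windows evaluates a canonical DACL in this order: explicit Deny, explicit
# Allow, inherited Deny, inherited Allow. The first matching entry for a
# requested right decides, which is why an explicit Allow beats an inherited Deny.
$explicitAllow = @{}
$inheritedDeny = @{}
foreach ($ace in $acl.Access) {
    $who    = $ace.IdentityReference.Value
    $origin = if ($ace.IsInherited) { 'inherited' } else { 'explicit ' }
    '{0} {1,-5} {2,-35} {3}' -f $origin, $ace.AccessControlType, $who, $ace.FileSystemRights

    if ($ace.AccessControlType -eq 'Deny' -and $who -eq 'Everyone') {
        "WARNING: Everyone is denied $($ace.FileSystemRights); that includes Administrators. Remove the Everyone entry instead."
    }
    if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited) { $explicitAllow[$who] = $ace }
    if ($ace.AccessControlType -eq 'Deny'  -and $ace.IsInherited)      { $inheritedDeny[$who] = $ace }
}
foreach ($who in $inheritedDeny.Keys) {
    if ($explicitAllow.ContainsKey($who)) {
        "NOTE: $who has an inherited Deny and an explicit Allow; the explicit Allow takes precedence for the rights it grants."
    }
}

if ($TakeOwnership) {
    # Requires the 'Take ownership of files or other objects' right, which
    # Administrators hold by default. Assigning ownership to any other account
    # would additionally require the 'Restore files and directories' privilege.
    $acl.SetOwner([System.Security.Principal.NTAccount]'BUILTIN\Administrators')
    Set-Acl -Path $Path -AclObject $acl
    "New owner: $((Get-Acl -Path $Path).Owner)"
}
```

Run it without the switch first to see the effective entries; the NOTE lines are the practical illustration of best practice 7, and the WARNING line of best practice 4.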
Pop Quiz Questions:
1. When Terminal Server has been installed in Application mode, what are the two separate security modes available?
2. What are the three ways you can activate a license server for Terminal Server?
3. What is an unwelcome side effect of assigning Deny access to the Everyone group?
4. Which takes precedence: an inherited Deny permission or an explicit Allow permission?
5. What privilege must a user or group have in order to explicitly assign ownership to another user?
Pop Quiz Answers:
1. The two modes are Full Security which will provide the most security in the Windows Server 2003 environment, and Relaxed Security which is commonly used to allow legacy applications (pre-Windows 2000) to run. It allows the system registry to be edited.
2. The license can be activated by a Telephone, Web Browser or Automatic Activation.
3. By denying the Everyone group, you do, indeed, deny everyone, even the Administrators. A better choice is to remove the Everyone group from the permissions list and then specifically assign permissions to other users and groups.
4. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
5. If the owner of a file or folder has the "Restore Files and Directories" privilege, they can assign ownership to another user. Backup Operators, Server Operators and Administrators, by default, have that privilege.
Troubleshoot access to files and shared folders: Troubleshooting access to files and folders that are shared on Windows Server 2003 can sometimes be daunting. Below are some common problems, causes and solutions that users could experience when accessing shared resources on a Windows Server 2003 computer.
Problem: Folders that are shared cannot be accessed by any client.
Cause: Shared folder permissions are set incorrectly.
Solution: Check the permissions on the folder for accuracy.
Problem: Folders that are shared cannot be accessed by any client.
Cause: The network connection may have been lost.
Solution: Check and verify network connectivity on the server and client machines.
Problem: Files that are shared cannot be accessed by any client.
Cause: Shared folder permissions are set incorrectly.
Solution: Check the permissions on the file for accuracy.
You usually also want to make certain the Everyone group has not been denied access to the files or folders. The net share command, the net file command (available only on machines running the Server service; it shows all open files on a machine) and the net session command may also be used at the command prompt to view information on shares, files and sessions. You must be a member of the local Administrators group (for local computers) or the Domain Administrators group (for computers joined to the domain) before these commands may be used. To view the syntax for these commands, open the command prompt and type:
net help share - shows the net share command syntax, which can be used to troubleshoot shares.
net help file - shows the net file command syntax, which can be used to troubleshoot open files.
net help session - shows the net session command syntax, which can be used to list all open sessions on a computer.
The net session command can be used to view open sessions on a computer. Using any or all of the methods above can typically assist you with troubleshooting client access to files and shared folders.
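The checks in the table and the net commands above can be run together for a single share. The PowerShell script below is an added example, not part of the original article. It assumes PowerShell 2.0 (for Test-Connection), uses the Win32_Share and Win32_LogicalShareSecuritySetting WMI classes to read the share and its share-level permissions, and treats the share name and client name as placeholders. It confirms the share exists, warns if Everyone is denied at the share level, prints the NTFS owner of the underlying folder, pings the client, and finally lists open sessions and files with net session and net file.

```powershell
# Added example (not from the original article): walk the troubleshooting
# table for one share. Share name and client name are placeholders.
param(
    [string]$ShareName  = 'Finance',    # placeholder share to check
    [string]$ClientName = 'CLIENT01'    # placeholder client that cannot connect
)

# Does the share exist at all? (Same information as 'net share'.)
$share = Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'"
if ($null -eq $share) {
    "Share '$ShareName' does not exist on this server; compare with the output of: net share"
    return
}
"Share '$ShareName' maps to $($share.Path)"

# Share-level DACL via WMI. AceType 0 = Allow, 1 = Deny.
$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$sd = $setting.GetSecurityDescriptor().Descriptor
foreach ($ace in $sd.DACL) {
    $type = if ($ace.AceType -eq 1) { 'Deny ' } else { 'Allow' }
    $who  = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
    '{0} {1,-30} mask=0x{2:X}' -f $type, $who, $ace.AccessMask
    if ($ace.AceType -eq 1 -and $ace.Trustee.Name -eq 'Everyone') {
        "WARNING: Everyone is denied on the share; no client, including Administrators, can connect"
    }
}

# NTFS permissions on the folder behind the share are the other half of
# the picture; the effective access is the more restrictive of the two.
"NTFS owner of $($share.Path): $((Get-Acl -Path $share.Path).Owner)"

# Second row of the table: has the network connection been lost?
if (Test-Connection -ComputerName $ClientName -Count 2 -Quiet) {
    "$ClientName answers ping; look at permissions next"
} else {
    "$ClientName did not answer ping; verify network connectivity before changing permissions"
}

# Open sessions and open files, exactly as 'net session' and 'net file' report them.
'--- net session ---'
net session
'--- net file ---'
net file
```

Run it on the file server as an administrator; a Deny entry for Everyone at either the share or NTFS level explains a "no client can connect" symptom immediately, and a failed ping points at connectivity rather than permissions.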
Jada Brock-Soldavini is the author of the book InsideScoop to Windows Server 2003 Certification Examination 70-290: Managing and Maintaining a Microsoft Windows Server(TM) 2003 Environment. Jada works for the State of Georgia as a Network Services Administrator. She has co-authored or contributed to numerous other works pertaining to Microsoft Windows technologies. In her spare time she enjoys cooking, writing and reading anything that pertains to network and security technology. To buy my book, please visit www.totalrecallpress.com.