Choosing the security mode for a terminal server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Choosing the security mode for a terminal server

In Windows 2000 and Windows Server 2003 family operating systems, you can choose one of two security modes:

  • Relaxed security: Windows NT 4.0/Terminal Server Edition permissions compatibility mode

  • Full security: Windows 2000/Windows Server 2003 family operating systems permissions mode

In both modes, the TERMINAL SERVER USER security descriptor is applied to many keys in the registry and directories in the file system. The difference between the two modes is based on the way the security descriptor is applied.

  • In Relaxed Security mode, the security descriptor is added to each member of the Users group. On Windows NT 4.0, when a user’s permissions are evaluated to determine access to a file or registry entry, the presence of the security descriptor authorizes access.

    This application of the security descriptor allows members of the Users group to run programs that otherwise might not work at all in the more rigorous Full Security permissions mode used on Windows 2000 and Windows Server 2003 family operating systems. However, when you choose Relaxed Security mode, any user on the system can change files and registry settings in many places throughout the system, although others users’ data files may not be visible. A malicious user could exploit this situation by replacing a known and trusted program with a program of the same name but some bad intent.

  • By contrast, Full Security mode does not apply the descriptor to each user. Instead, applications must be written to run in the context of an ordinary user. When in doubt, you should choose Full Security mode and test your applications in that mode.

    Important

    • Use Relaxed Security mode only if your test results indicate that it is necessary.

For information on changing the security mode, see Switch default permissions for application compatibility.