Using Terminal Server to host applications centrally

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Terminal Server provides an effective and reliable way to distribute Windows-based programs by making them available on a network server. With Terminal Server, a single point of installation allows multiple users to access the desktop of a server running one of the Windows Server 2003 family operating systems. Users can run programs, save files, and use network resources as though they were sitting at that computer. Terminal Server delivers the Windows desktop and Windows-based applications to computers that might not typically be able to run Windows operating systems.

Note

  • Terminal Server is not included in Windows Server 2003, Web Edition.

Ease of use

Feature | Description | For more information, see:

Improved client: Remote Desktop Connection

Renamed Remote Desktop Connection, the Terminal Services client features a more streamlined user interface that allows you to connect to terminal servers, change connection settings, save connection information, and connect to a remote computer. The old Terminal Services Client Connection Manager tool is no longer needed, although you can still use any connections that were created with that tool. With Remote Desktop Connection, users can create connection files, which are predefined connections to servers for either a single program or full desktop access, and save them in My Documents. You can ensure that the same version of a single program is being used across the computing environment by creating a connection file and distributing it along with the Remote Desktop Connection client software.

Remote Desktop Connection overview

Automated local printer support

Terminal Services can both add and automatically reconnect printers attached to Terminal Services clients.

Providing client access to local printers

Drive and file system redirection

Users can see their local drives while logged on to a terminal server. In Microsoft Windows Explorer, users' local drives appear in the session folder tree as <driveletter> on <client>.

Providing client access to the local file system

Audio redirection

Users of a terminal server can direct audio output from the terminal server to the audio device on their local computer.

Providing client access to server audio

Clipboard redirection

Users can cut and paste between the programs running on the local computer and the terminal server.

Shared clipboard

Performance enhancements

Enhancements to caching, including persistent caching, packet utilization, and frame size, provide significant performance improvements over earlier versions of Terminal Services.

Bitmap caching

Roaming disconnect support

This feature enables users to disconnect from a session without logging off. A session can remain active while disconnected, enabling the user to reconnect to the existing session from another computer or at a later time. Logon is required for reconnection, keeping each session secure at all times.

Log off or disconnect

Multiple logon support

Users can log on to multiple sessions simultaneously from one or more clients, to multiple terminal servers, or to a single server multiple times. As a result, the user can do several tasks concurrently or run multiple unique desktop sessions.

Terminal Services User Properties

Manageability

Feature | Description | For more information, see:

Terminal Services Group Policies

With the addition of Terminal Services Group Policies, administrators can use one tool (Group Policy) to manage Terminal Services-related settings throughout an organization. Terminal Services nodes have been added to the Computer and User section of the Administrative Group Policy template (System.adm).

Configuring Terminal Services with Group Policy

Terminal Services WMI provider

The Windows Management Instrumentation (WMI) provider for Terminal Services allows you to use scripts to manage, configure, and troubleshoot terminal servers remotely, bypassing the Terminal Services tools, command-line options, and other management methods.

Configuring Terminal Services with WMI

Session remote control

Support staff can either view or control another Terminal Services session. Keyboard input, mouse movements, and display graphics are shared between two Terminal Services sessions, giving support staff the ability to diagnose and resolve configuration problems, as well as provide user training from a remote location. This feature is particularly useful for organizations with branch offices.

Using remote control

Load balancing

Terminal Services Connection Management (TSCM), combined with load balancing technology, allows Terminal Services clients to connect to the least busy member of a group of terminal servers. Session Directory services ensure that disconnected sessions are reconnected to the same server where the original connection was established.

Load balancing and terminal servers

Terminal Services Web Client: Remote Desktop Web Connection

Remote Desktop Web Connection is an ActiveX control that provides virtually the same functionality as the full Remote Desktop Connection client, but is designed to deliver this functionality over the Web. When embedded in a Web page, Remote Desktop Web Connection can host a Terminal Services client session even if the full client is not installed on the user's computer.

About Remote Desktop Web Connection

Microsoft Windows Installer (MSI) package for client deployment

Remote Desktop Connection can be installed with Windows Installer. Windows Installer provides a quick and efficient means for deploying client software to target computers, using either a network-based share point or Microsoft IntelliMirror.

About the Terminal Services Client MSI Setup Package

Windows-based terminals

Windows-based terminals are available from a variety of manufacturers. They use a custom implementation of the Microsoft Windows CE operating system and the Remote Desktop Protocol (RDP).

 

Terminal Server Licensing

Terminal Server Licensing helps system administrators and purchasing offices track clients and their associated licenses.

Terminal Server Licensing

Distributed File System (DFS) support

Support for Distributed File System (DFS) enables users to connect to a DFS share, and administrators to host a DFS share from a terminal server.

Distributed File System overview

Terminal Services Manager

Administrators can use Terminal Services Manager to query and manage Terminal Services sessions, users, and processes.

Terminal Services Manager

Terminal Services Configuration

Terminal Services Configuration allows you to create, modify, configure, and delete Remote Desktop Protocol (RDP) connections. You can also use Terminal Services Configuration to view and set terminal server settings.

Terminal Services Configuration

Integration with Local Users and Groups and Active Directory Users and Computers

Administrators can create accounts for Terminal Services users the same way they create accounts for users on any Windows Server 2003 family operating system. Extra fields exist for specifying information specific to Terminal Services, such as the Terminal Services Profile Path and Home Directory.

Terminal Services users

Integration with System Monitor

Integration with System Monitor enables administrators to monitor Terminal Services system performance, including tracking processor use, memory allocation, and paged memory usage and swapping for each user session.

Performance monitoring

Messaging support

Administrators can alert users to important information, such as system shutdowns, upgrades, or new programs.

Send a message to a user

Remote administration with Remote Desktop for Administration

Any member of the Administrators group with access to the Terminal Services administrative utilities can remotely manage all aspects of a server. Remote Desktop for Administration is installed automatically on all Windows Server 2003 family operating systems.

Remote Desktop for Administration

Configurable session time-out

Administrators can reduce server resource usage by configuring session time-outs. Administrators can specify the length of an active session and how long a session can remain idle on the server.

Configuring session limits

Security

Feature | Description | For more information, see:

Security modes

Terminal Server can run in one of two security modes, depending on the applications you plan to run:

Full Security
Select this option to take advantage of new security features in Windows Server 2003 family operating systems and provide the most secure environment for your terminal server.
Relaxed Security
This option allows access to the system registry, enabling most legacy applications to run as they did under Windows 2000, Terminal Server Edition.

Choosing the security mode for a terminal server

Encryption

Terminal Services has four levels of encryption.

  • By default, Terminal Services connections between any of the Windows Server 2003 family operating systems and client computers running the Remote Desktop Connection client are encrypted with High (128-bit) encryption.

  • The FIPS Compliant encryption level encrypts and decrypts data sent from client to server and from server to client with the Federal Information Processing Standard (FIPS) encryption algorithms using the Microsoft cryptographic modules. If FIPS compliance has already been enabled by the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy, administrators cannot change the encryption level for Terminal Services connections either by changing the Terminal Services Set client connection encryption level Group Policy setting or by using Terminal Services Configuration.

  • For legacy clients that support only low levels of encryption, administrators can set the encryption level to Client Compatible.

  • The Low level encrypts data sent from the client to the server using 56-bit encryption.

    Important

    • Data sent from the server to the client is not encrypted.

In addition, the Terminal Services logon process includes change password, unlock desktop, and unlock screen saver features. The logon process is encrypted, ensuring secure transfer of user name and password.

Configuring authentication and encryption

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
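The following check is an added example, not part of the original documentation: it reads the text of a registry export from a terminal server and reports the effective encryption level of each RDP connection, flagging the Low and Client Compatible cases described above and applying the FIPS policy override. The value names MinEncryptionLevel and fipsalgorithmpolicy, the numeric mapping of levels, and the connection names in the sample are assumptions that do not appear on this page.

```python
import re

# Assumption: MinEncryptionLevel DWORD values map to the four levels as follows.
LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
FINDINGS = {1: "server-to-client data is not encrypted",
            2: "accepts clients that support only low levels of encryption"}
WINSTATIONS = r"\control\terminal server\winstations" + "\\"

# Constructed sample: trimmed .reg export (already decoded to text), hypothetical server.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"fipsalgorithmpolicy"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-Legacy]
"MinEncryptionLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-Admin]
"MinEncryptionLevel"=dword:00000003
'''

def parse_reg(text):
    """Return {key path: {lowercased value name: int}} for the DWORD values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return [(connection, effective level, finding or None)], sorted by key."""
    keys = parse_reg(text)
    # Assumed location of the FIPS policy flag; when set it overrides every connection.
    fips = any(k.lower().endswith(r"\control\lsa") and v.get("fipsalgorithmpolicy") == 1
               for k, v in keys.items())
    results = []
    for key, values in sorted(keys.items()):
        if WINSTATIONS in key.lower() and "minencryptionlevel" in values:
            level = 4 if fips else values["minencryptionlevel"]
            results.append((key.rsplit("\\", 1)[1], LEVELS.get(level, "Unknown"),
                            FINDINGS.get(level)))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORT):
        print(row)
```

Registry exports are normally written as UTF-16, so decode the file before passing its text to `audit`.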

Limit logon attempts and connection time

Administrators can limit the number of user logon attempts to prevent unauthorized access to a server. Additionally, the connection time of an individual user or a group of users can be limited.

Terminal Services Configuration