DOCUMENT:Q186569 11-DEC-2001 [winnt] TITLE :Security Configuration in Terminal Server PRODUCT :Microsoft Windows NT PROD/VER:winnt:4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0, Terminal Server Edition ------------------------------------------------------------------------------- SUMMARY ======= This article discusses the Terminal Server Administration tool, Security Configuration. This tool is a modified version of the C2 Security Configuration tool in the Windows NT Server 4.0 Resource Kit in the SUPPORT\SECTOOL folder. MORE INFORMATION ================ This utility will check for and set C2 security levels in the file system and the registry according to a set of .inf files containing the settings for each level. Administrators can use this tool plus the Application Security tool, normal NTFS security through Explorer, auditing, creating system backups, creating firewalls, and so on to enhance system security. By default, the security setting is set to low. The registry and file permissions that will be set for each security level are detailed in a series of .inf files in the %SystemRoot%\system32 folder: C2reglow.inf, C2regmed.inf, C2reghi.inf, C2ntglow.inf, C2ntfmed.inf, and C2ntfhi.inf. Low Security ------------ Minimal security. This is probably a good setting for intranets, where users are known and authorized to access the Terminal Server. Low security allows write access to much of the registry and the file system. It does protect executable files, and it restricts users from performing administrative tasks. The advantages of low security are that very few applications will have trouble accessing resources and system maintenance is easier. Medium Security --------------- Medium security is meant for Terminal Servers that users external to the intranet or Internet users might access. It denies almost all write access to the file system and the registry. Only the user's home directory and temporary directories have write access. Directories with write access do not have Execute access. This prevents users from copying executable programs to a directory and running them. The registry only grants a user write access for the individual user's registry sections. Users cannot change any common registry entries. Users can access all user-level Terminal Server tools. High Security ------------- This security restricts users to only a small, well-defined list of applications. The primary goal of this level is to completely protect the registry and the file system from attack by malicious users. Users can execute only explicitly enabled applications. The C2 Configuration screen shows areas of the system that should be secured and their current state. By clicking an entry, you can get more information and the option to set the proper security. Additional query words: ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNT400search kbWinNTSsearch kbWinNTS400search kbNTTermServ400 kbNTTermServSearch Version : winnt:4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.