Managing Terminal Services via Group Policy

Configuring and hardening Windows Server Terminal Services through Group Policy settings improves the server's security and overall performance.

Most Windows Server components, including Terminal Services, can be configured and hardened through Group Policy settings. The benefits of using these settings are improved server security and performance.

Locating Group Policy settings
Terminal Services-related Group Policy settings are stored in two locations within the Group Policy Object Editor. Computer-related settings are located at Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services, while user-specific settings can be found at User Configuration \ Administrative Templates \ Windows Components \ Terminal Services.

The figure below shows some of the computer-specific settings.

The settings in the above screen capture are only a small sampling of the available settings. The figure doesn't show all of the user-specific settings or the settings within the various sub-containers.

How Group Policy improves Terminal Server performance
Terminal Server performance is improved with Group Policy because the settings offer several options for controlling users' ability to disconnect a Terminal Service session.

If a user logs out of Terminal Services, their session is terminated. However, if a user simply disconnects, the session is held open so that the user can reconnect and pick up where they left off. While this is handy for end users, it negatively impacts the server because the user's session continues to consume server resources even though the user isn't active.

You can ensure resources are not wasted on inactive sessions with the following Group Policy settings:

  • Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services \ Remove Disconnect Option from Shut Down Dialog
    Removing the Disconnect option from the Shut Down dialog box helps reduce the number of users disconnecting from Terminal Service sessions because some users simply do not understand the difference between disconnecting and logging out. Keep in mind this setting won't completely prevent users from disconnecting sessions since they could still disconnect sessions by closing the Terminal Service client without logging out.
  • Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services \ Sessions \ Set Time Limits for Disconnected Sessions
    Although you won't be able to entirely prevent users from disconnecting Terminal Service sessions, you can get a handle on the problem by configuring disconnected sessions to time out. This forces Terminal Services to release the disconnected sessions. For example, a disconnected session may be considered abandoned after 15 minutes of inactivity.
  • Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services \ Keep-Automatic Reconnection
    Notice that when I talked about the above setting, I didn't recommend setting the timeout period to zero. This is because not all disconnected sessions are bad.

    Sessions can become disconnected as a result of a network link being interrupted. When this happens, the disconnected session can become orphaned and Windows may attempt to establish a new (additional) session for the user when they reconnect. By enabling the Automatic Reconnection setting, Windows will check every five seconds to see if the user has reconnected. If they have, they are rejoined to their previous session. If the user does not reconnect, Windows stops monitoring the user's connection after 125 seconds.

  • Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services \ Restrict Terminal Services Users to a Single Remote Session
    As the policy's name implies, this setting prevents users from establishing multiple simultaneous Terminal Services sessions. Disconnected sessions can be especially problematic in offices where users establish Terminal Services sessions from multiple computers or from the Internet. In these types of environments, it is not uncommon to find several abandoned sessions for each user. These disconnected sessions consume server resources and software licenses.
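
Once the four settings above are applied, a server can be checked by reading the registry values these policies write. This is an added example, not part of the original article. The registry value names, the mapping of the "Keep-Automatic Reconnection" entry to fDisableAutoReconnect, and the 15-minute ceiling (taken from the article's example figure) are assumptions of the example.

```powershell
# Added example: audit the registry values written by the four policies above.
# Value names and the 15-minute ceiling are assumptions, not from the article.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$maxDisconnectMs = 15 * 60 * 1000   # disconnected-session limit, in milliseconds

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # An absent key or value means the policy is Not Configured: return $null.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$checks = @(
    @{ Setting = 'Remove Disconnect Option from Shut Down Dialog'
       Path = $exp; Name = 'NoDisconnect'
       Ok = { param($v) $v -eq 1 } },
    @{ Setting = 'Set Time Limits for Disconnected Sessions'
       Path = $ts; Name = 'MaxDisconnectionTime'
       # 0 means "never time out"; require a finite limit within the ceiling.
       Ok = { param($v) $v -gt 0 -and $v -le $maxDisconnectMs } },
    @{ Setting = 'Automatic reconnection'
       Path = $ts; Name = 'fDisableAutoReconnect'
       Ok = { param($v) $v -eq 0 } },
    @{ Setting = 'Restrict Terminal Services Users to a Single Remote Session'
       Path = $ts; Name = 'fSingleSessionPerUser'
       Ok = { param($v) $v -eq 1 } }
)

foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    if ($null -eq $v) {
        $status = 'Not configured'
    } elseif (& $c.Ok $v) {
        $status = 'OK'
    } else {
        $status = 'Review'
    }
    [pscustomobject]@{ Setting = $c.Setting; Value = $v; Status = $status }
}
```

A "Not configured" result means the server falls back to its local Terminal Services configuration for that setting, so the effective behaviour has to be checked there.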

ABOUT THE AUTHOR:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Exchange Server, and has previously received Microsoft's MVP award for Windows Server and Internet Information Server (IIS). Brien has served as CIO for a nationwide chain of hospitals and was once responsible for the Department of Information Management at Fort Knox. As a freelance technical writer, Brien has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at http://www.brienposey.com.

This was first published in August 2009
