The following information is a customization guide intended as the foundation for a well-installed Terminal Server, developed by Matthew Harris of the UC-Davis Crocker Nuclear Laboratory (CNL). His suggestions are targeted at Citrix MetaFrame on NT4 TSE (Terminal Server Edition), but in most cases also apply to non-Citrix servers and to Windows 2000.
[need to clean up each customization, identifying purpose and applicable platforms where necessary.]
[modify top comments as well to clarify. These things should be done first, including current Service Pack.]
-I don't recommend running NetBEUI on your servers. NetBEUI is fine for a lot
of things, but after extensive testing (over a month), I've determined that as
transfers get faster (>100 Mbit/sec) NetBEUI performance will drop off, whereas
TCP/IP performance will remain steady. I would encourage the use of private and
public IP addresses to hide servers that don't need to be accessible from the
Internet, like the backup and program servers.
-Make it so that only Administrators (keep SYSTEM as well) have read/full control
access to %SystemRoot%\system32\rshx32.dll, the security shell extension. Users who
cannot read the DLL no longer get the Security tab in file and folder Properties.
Note that this only hides the GUI: it changes no ACLs, and a user who can run
cacls.exe can still view or edit permissions on objects they own.
-Give Everyone read-only access to
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (set with
regedt32, Security > Permissions) so users cannot change the Recycle Bin settings.
-Delete or rename c:\windows\system32\syncapp.exe (the Briefcase synchronizer) to
prevent 'My Briefcase' creation.
-Remove the Everyone group from the permissions on appwiz.cpl, mmsys.cpl,
odbccp32.cpl, telephon.cpl, sysdm.cpl, and wgpocpl.cpl (the Add/Remove Programs,
Multimedia, ODBC, Telephony, System, and Mail Postoffice applets) so ordinary users
cannot open them. Add the Soft Foxpro group to odbccp32.cpl, since those users need
the ODBC control panel.
-Update the registry so the "My Computer" desktop icon shows the user name and the
server the session is running on; this lets users (and helpdesk) tell at a glance
which Terminal Server they are logged onto. {20D04FE0-3AEA-1069-A2D8-08002B30309D}
is the My Computer CLSID:
Key Name: HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Value: (Default)
Type: REG_EXPAND_SZ
Data: %USERNAME% on %COMPUTERNAME%
-Install Service Pack 6 (the 128-bit/high-encryption version) from Microsoft.
-Remove the IE icon from the desktop, and delete the following registry key to
get rid of the Inbox icon on the desktop (desktop icons live under the
Explorer\Desktop\NameSpace key):
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\<CLSID of the Inbox>
-Go to www.windowsupdate.com and install the latest hotfixes and security
patches. Other components can be installed from this site depending on which
applications or plug-ins users need (MS Virtual Machine, media players, etc.).
Some hotfixes may not be listed on the Microsoft website, like the ones which
were given to CNL to solve special problems. All hotfixes used on the Terminal
Servers are kept in the hotfix folder where you found this file.
-Install IE 5.5 (or the latest browser or Service pack) with the following
components:
IE Web browser
Internet Explorer Help
Internet Explorer Core Fonts
Dynamic HTML Data Binding
Internet Explorer Browsing Enhancements
Visual Basic Scripting Support
Additional Web Fonts
(Virtual Machine is installed later)
-For the installation of applications, set security as you go. Be as
restrictive as possible, and only allow specific groups access to specific
applications. Permissions are listed as directory permission / file permission
(NT4 sets these separately under Special Access):
C:\Program Files, Service, Recycler, C:\Windows\Repair, Temp: no directory
access for users / read and execute on files, so programs inside still run but
the directories cannot be listed or written.
C:\zDefault and C:\zSystem: read and execute / read and execute.
C:\Windows: read only / read and execute.
C:\Windows\Help: Change access for users, so they can create temporary help
files.
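The registry and file-permission steps above, collected into one batch file as an added example (this is not from the original guide or from CNL). It uses only tools present on NT4 TSE (regedit.exe and cacls.exe) and assumes %SystemRoot% is the guide's C:\Windows, that the site group "Soft Foxpro" exists, and that it is run from an administrator session; the temporary .reg file name and the syncapp.exe.disabled rename target are my own choices. cacls cannot set registry ACLs, nor the guide's "no directory access but file read and execute" split, so the BitBucket permission and those trees are left to regedt32 and Explorer's Special Access (or xcacls.exe from the Resource Kit), as the comments say.

```batch
@echo off
rem Added example, not part of the CNL guide: applies the "My Computer" rename and
rem the NTFS ACL changes described above with tools shipped on NT4 TSE.
rem Assumptions: %SystemRoot% is the guide's C:\Windows, the site group "Soft Foxpro"
rem exists, and this runs from an Administrator session.
setlocal

rem 1. Rename "My Computer" to "<user> on <server>". REGEDIT4 hex(2) is REG_EXPAND_SZ
rem    stored as ANSI bytes, here the string %%USERNAME%% on %%COMPUTERNAME%% (hex is
rem    used because cmd.exe would expand the percent signs if written literally).
rem    Redirection is written first so trailing digits are not taken as file handles.
set REGFILE=%TEMP%\ts-mycomputer.reg
>"%REGFILE%"  echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
>>"%REGFILE%" echo @=hex(2):25,55,53,45,52,4e,41,4d,45,25,20,6f,6e,20,25,43,4f,4d,50,55,54,45,52,4e,41,4d,45,25,00
regedit /s "%REGFILE%"
del "%REGFILE%"

rem 2. Hide the Security tab from non-admins: replace the ACL on rshx32.dll so only
rem    Administrators and SYSTEM can read it ("echo y" answers cacls' confirmation).
echo y| cacls "%SystemRoot%\system32\rshx32.dll" /G Administrators:F SYSTEM:F

rem 3. Prevent My Briefcase creation by renaming the Briefcase synchronizer.
if exist "%SystemRoot%\system32\syncapp.exe" ren "%SystemRoot%\system32\syncapp.exe" syncapp.exe.disabled

rem 4. Drop Everyone from the control panel applets users should not open. /E edits
rem    the existing ACL, so Administrators and SYSTEM keep the access they already have.
for %%A in (appwiz.cpl mmsys.cpl odbccp32.cpl telephon.cpl sysdm.cpl wgpocpl.cpl) do (
    cacls "%SystemRoot%\system32\%%A" /E /R Everyone
)
rem    Only the FoxPro users need the ODBC applet (site-specific group, assumed).
cacls "%SystemRoot%\system32\odbccp32.cpl" /E /G "Soft Foxpro:R"

rem 5. Directory trees. cacls R equals the NT4 Explorer "Read" permission (RX on
rem    directories and files), which matches the guide for %SystemRoot%, zDefault and
rem    zSystem. Everyone (Change by default) is removed so Users:R is what applies.
rem    cacls cannot express "no directory access / file RX", so Program Files,
rem    Service, Recycler, Repair and Temp must still be set by hand in Explorer's
rem    Special Access dialog or with xcacls.exe from the Resource Kit.
for %%D in ("%SystemRoot%" "C:\zDefault" "C:\zSystem") do (
    cacls %%D /T /E /R Everyone
    cacls %%D /T /E /G Users:R
)
rem    Help needs Change so users can create their temporary help files.
cacls "%SystemRoot%\Help" /T /E /G Users:C

rem Not scriptable with cacls: the read-only ACL on
rem HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (use regedt32).
endlocal
```

Run it once from an Administrator console after the service pack and hotfixes are on, then spot-check with `cacls "%SystemRoot%\system32\rshx32.dll"` and by logging on as a test user to confirm the Security tab is gone and My Computer carries the user and server name.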
-Establish the roaming profile template by following the instructions from
any book or from the Microsoft KnowledgeBase articles.
-Establish policy files and load them onto the server
-Create, using the Application Security program (AppSec), a list of authorized
programs (assuming E: is the application disk you've installed your programs
into). A word of caution: some programs do not completely follow the 8.3 naming
format. I've noticed that Application Security sometimes has problems with long
filenames, so consequently I sometimes have to put in two allowed entries for
every application I want allowed (for instance, to allow WordPad, you need to
put in C:\Program Files\Windows NT\Accessories\Wordpad.exe as well as
C:\Progra~1\Window~1\Access~1\Wordpad.exe).
Note: this list is ONLY applied to non-administrator users, and it is important
to realize that Application Security only controls 32-bit applications, so if
someone opens up NTVDM and runs 16-bit applications from there, you are
basically unprotected. This list is incomplete because many of the programs
listed here are installed after the OS, and programs that come with the OS may
need to be added depending on what you allow your users to access; so the list
is totally incomplete and is only here as a sample:
IExplore.exe
WinWord.exe
Excel.exe
Powerpnt.exe
Acrobat.exe
Schdpl32.exe
Conman.exe
Mstsc.exe
WfcMgr32.exe
Winzip32.exe
Ascii.exe
Clock.exe
Calc.exe
MsPaint.exe
Wordpad.exe
Notepad.exe
Charmap.exe
Command.com
Dos.pif
Perl.exe
DDHelp.exe
QBasic
ftp
telnet