In the newsgroups today, a person updated his SBS 2000 and was prompted that the TS in application mode would be removed during the upgrade. He went through the upgrade and then posted back in the newsgroups asking how to turn on Application mode again…
Well… it can’t be turned back on again… and we should not have been allowed to do it in the first place.
Let’s determine why shall we?
Okay, first and foremost, would you agree that allowing your employees to sit at your server and use it as a workstation is a good idea? Probably not, right? Well, that’s what you are doing when you run TS in application mode. You are allowing people to log onto that server, use possibly “leaky“ applications that may require you to reboot the server, and in general, greatly expanding the threat vectors on that server.
Take for example – Internet Explorer. You have to remove the Enhanced IE security [go into Add/Remove Programs to remove this on a normal server]. Michael Howard [MS Security dude] talks about the threat modeling that they did on Windows 2003 Server. Near the end of the project they did a “threat model“ brainstorm and asked themselves what was a potential issue… and the threat that came back was surfing on that domain controller. So the Security folks pushed through that Enhanced IE [you know, that box that prompts you that the web site you are wanting to go to is not in a trusted zone?]. Andrew Duthie talks about the settings on his blog.
Right now my security issues are the spybots and gunk that are going after Internet Explorer. Just last night, in talking “geek“ with my friends from LA who were up for a visit, Pierre talked about having to track down a browser hijack program [he wanted to do it manually, but he could have used the CWShredder tool]. Now ask yourself: do you want to do that on your one and only domain controller? Think of what you do to clean up your separate desktops.
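If you want to know whether a server you inherited is in exactly the state this post is describing, the checks below put it in one place: is the box a domain controller, is Terminal Services still in application-server mode, and is IE Enhanced Security Configuration actually turned on. This is an added example of mine, not anything from the post or from Microsoft; the registry locations (ProductType, TSAppCompat, and the Active Setup GUIDs for IE ESC) are from my own notes on Windows 2000/2003 and are assumptions you should verify on your own build, and it assumes PowerShell 3 or later for the ordered hashtable.

```powershell
# Added example (not from the original post): report the settings the post warns about.
# Registry locations are assumptions from my own notes; verify on your build.

function Get-ServerRoleRisk {
    $result = [ordered]@{}

    # ProductType 'LanmanNT' means the machine is a domain controller (assumed mapping).
    $productType = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductType
    $result.IsDomainController = ($productType -eq 'LanmanNT')

    # TSAppCompat: 1 = application-server mode, 0 = remote-administration mode (assumed).
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $result.TSApplicationMode = ($ts -ne $null -and $ts.TSAppCompat -eq 1)

    # IE ESC is tracked per group under Active Setup; IsInstalled 1 = enabled (assumed GUIDs).
    $escBase   = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $escAdmins = Get-ItemProperty "$escBase\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
    $escUsers  = Get-ItemProperty "$escBase\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
    $result.IEEscAdmins = ($escAdmins -ne $null -and $escAdmins.IsInstalled -eq 1)
    $result.IEEscUsers  = ($escUsers  -ne $null -and $escUsers.IsInstalled  -eq 1)

    # The combination the post warns about: interactive users on the DC with a browser.
    $result.Warning = if ($result.IsDomainController -and $result.TSApplicationMode) {
        'Domain controller is running as an application server; treat it as a workstation-grade threat surface.'
    } elseif ($result.IsDomainController -and -not $result.IEEscUsers) {
        'IE Enhanced Security Configuration is off for users on a domain controller.'
    } else {
        'No findings.'
    }

    New-Object PSObject -Property $result
}

Get-ServerRoleRisk | Format-List
```

Run it in an elevated console on the server itself. It only reads the registry, so it is safe to run on a production DC; what you do with the answer (move the users off to a separate terminal server) is the actual fix.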
So the next time someone says “But it’s dumb, I want my TS in application mode back!“ remember that we can’t do things the way we used to. That was then, this is now.
Now, there is one way that this can be better. Documentation and information.
In one of the listservs I’m on we were chatting about the lack of documentation on this issue [and I'd add the lack of documentation of WHY we shouldn't do it]. Now granted, we women would argue that guys don’t read, but I do agree with my fellow listmates that the information about the lack of TS in application mode should be WAY more obvious. The information about how it is no longer supported or included, and why it’s not safe and secure to have it there in the first place, needs to be way, way more obvious. In fact it should be part of the sales and marketing stuff, because to me it shows better than anything else that Microsoft is indeed “walking the walk, talking the talk“. We asked them to make the products more secure. They responded. This should be a selling point that they are making it more secure, not a “What happened to TS?“ question in the newsgroup.
Documents that discuss TS in application mode being removed…
This KB and read Page 44 in this document