Okay, right up front: I’m not allowing comments on this post.  You can email me via the contact page, but I’ve seen and read all the arguments for and against Terminal Server.  At the end of the day, this isn’t a forum, this is my blog, my view, and it’s my network.  I’ve seen the arguments, and the risks of putting a user sitting on my domain controller, my pride and joy, are something you just cannot convince me are worth it.  With all the malware infested boxes that people have to clean up, there’s no way I’d allow it.  Next, look at what we are already putting on our boxes; I’m wondering if we’re just starting to get to the point where we need to step back and question… really question… what we are doing here.

James in the comments of a prior post says he’s buying the transition pack just to unlock his SBS box so he can run TS in application mode on the Server.

Why in the world would you spend that much money to:

  • Do something that is considered dangerous to a domain controller?

Why not instead consider that:

  • It’s cheaper to either purchase additional Windows XP boxes and use Remote Web Workplace, or

  • Buy a second server for that TS box, which also gives you the option of making that second server an additional domain controller

My TS box is my old SBS 2000 server reincarnated and it doesn’t have to be that beefy of a box.  But you don’t want to be shoving that much stuff on one server these days.  My Dell OEM at the office has WSUS, now has SBA on it, I mean how many things are we going to ask our boxes to do?

Are we really being smart in asking our boxes to do all this AND wanting TS on the box back?  Why aren’t we considering everything we are asking these servers to do, the risks we are taking, and the fact that in the SBS 2000 era it was stupid to do it?  XP boxes from Dell Outlet can be purchased pretty cheaply these days.

Instead of trying to shove everything back on that one box, aren’t there better… and cheaper… ways to solve the remote worker problem?

Avoid installing Terminal Services on a domain controller for application sharing. Users or groups that access the Terminal Server must have the Log on Locally permission. If Terminal Services is installed on a domain controller, users would have the Log on Locally permission for all domain controllers within the domain. Terminal Services should be installed on domain controllers in Remote Administration mode only. In addition, the Log on Locally permission should be granted only to administrators.
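The practical check that follows from that guidance is to look at who actually holds the Log on Locally right (the `SeInteractiveLogonRight` user right) on your domain controller and confirm it is still only administrator-class groups. The script below is an added example, not something from the original post or from Microsoft; it exports the effective local security policy with `secedit`, resolves the SIDs it finds, and flags any principal outside the groups the default Domain Controllers policy grants the right to. The temp file path and the allow-list of expected groups are assumptions for this example.

```powershell
# Added example (not from the original post): audit which principals hold
# "Allow log on locally" (SeInteractiveLogonRight) on this machine.
# Run from an elevated PowerShell prompt on the domain controller.

$exportPath = Join-Path $env:TEMP 'user-rights.inf'   # assumed writable temp location
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null

# secedit writes a Unicode .inf; we only need the one line for this right.
$line = Get-Content $exportPath |
    Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }

# Entries are comma-separated; SIDs are prefixed with '*', plain names appear as-is.
$entries = ($line -replace '^SeInteractiveLogonRight\s*=\s*', '') -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

# Groups the default Domain Controllers policy grants this right to (assumed
# allow-list for the example); anything outside it deserves a second look.
$expected = @('Administrators', 'Account Operators', 'Backup Operators',
              'Print Operators', 'Server Operators')

foreach ($entry in $entries) {
    $name = $entry
    if ($entry.StartsWith('*')) {
        # Translate the SID to DOMAIN\Name; leave unresolvable SIDs as they are.
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.Substring(1)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $entry
        }
    }

    # Compare on the account name without the BUILTIN\ or DOMAIN\ prefix.
    $short = ($name -split '\\')[-1]
    if ($expected -contains $short) {
        Write-Output "OK      $name"
    } else {
        # This is where ordinary users end up once TS in application mode is put on a DC.
        Write-Output "REVIEW  $name  (not an administrator-class group)"
    }
}

Remove-Item $exportPath -ErrorAction SilentlyContinue
```

Because the right is normally set by the Default Domain Controllers Policy, a line marked REVIEW usually means someone edited that GPO (or a local policy on the DC) to let regular users log on interactively, which is exactly the situation the Microsoft guidance above is warning about. Running the same script on a member server used as the TS box instead will show ordinary users or `Remote Desktop Users` there, where that is expected and harmless to the directory.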

If I were in charge of the universe, the minute you made any server a domain controller you’d be blocked from running TS in application mode on that box.

Remember we asked Microsoft to be more secure.  To make servers and workstations secure.  James, they did.  Let’s not ask for insecurity back. Okay?
