Terminal Services 2008


Terminal Services 2008 - Part 1
23:45 | 22/04/2010

Introduction

Terminal Service Remote Application is a new feature in Windows Server 2008. Applications are installed on the Windows Server 2008 machine, and client machines that do not have those applications installed can still use them on the server through Terminal Service.

1. Characteristics:
- Seamless access. Users access remotely hosted applications as seamlessly as if they were installed locally. Hosted applications can reside alongside locally installed applications.
- Application management is centralized, easy, and simple.
- Branch offices are easy to manage, which best suits companies that have no professional IT staff at their branch offices.
- Applications that are incompatible with each other can be used on the same system.
- Client machines do not need powerful hardware, and the business does not have to spend much on software licenses when using this service. However, the business still has to pay for CALs (Client Access License); this cost is low and acceptable.
- The client connects to the server through Terminal Service, so the client must have Remote Desktop Connection (RDC) 6.0 or later installed. RDC 6.0 for Windows 2003 SP1 and Windows XP Professional SP2 can be downloaded at http://support.microsoft.com/default.aspx/kb/925876.

2. How clients connect to the server:
- There are 4 ways for a client to connect to the server when using applications on the server:
Using a web browser: the server must additionally have Terminal Service Web Access installed, and the client must have Remote Desktop Connection (RDC) 6.1 installed. RDC 6.1 is included in Windows Vista Service Pack 1 and Windows XP Professional Service Pack 3.
Using Network Access: the server creates .rdp files in advance (one .rdp file per application) and shares them; the client accesses the server and runs the file directly to use the application on the server.
Using Network Access: the server creates .msi files in advance (one .msi file per application) and shares them; the client accesses the server and runs the file directly to install shortcuts that link to the application on the server. These shortcuts are installed in the client's Start menu, specifically under Remote Application. The client runs the shortcuts to use the application on the server.
Using policy (applies to a Domain environment) to roll out the installation of shortcuts linking to applications on the server to many clients at once.

Installing and configuring Terminal Service

Preparation:
The system consists of:
- Server: Windows Server 2008
+ Create local users sv1/123 and sv2/123 and add them to the Remote Desktop Users group
+ Enable remote desktop on the server.
+ Change the Administrator password to 123
- Client: Windows XP.

Procedure:
1. Install Terminal Services:
Start > Programs > Administrative Tools > Server Manager
Right-click Roles > Add Roles

Before you begin > Next

Select Terminal Services > Next

Introduction to Terminal Services dialog > Next
Select Terminal Server > Next

Application Compatibility: leave the default > Next

Authentication Method > select Do Not Require Network Level Authentication > Next

Licensing Mode > Configure later > Next

Add the 2 users sv1 and sv2 so that they can access the terminal server

Confirmation Installation > select Install. When the installation finishes, select Restart > OK

Check that Remote Connection is enabled:
Right-click Computer > select Properties > Remote Settings > Remote tab

2. Add RemoteApp programs:
- Start > Program > Administrative Tools > Terminal Services > TS RemoteApp Manager.
- Action menu > Add RemoteApp Programs.

Welcome screen > Next

Choose Program to add to RemoteApp Program list > select the applications for the Client > Next

Review Setting > Finish

In the TS RemoteApp screen > scroll to the bottom of the screen > right-click the application and select Create Windows Installer Package

Welcome screen > Next

Leave the configuration parameters at their defaults > Next

Select Finish

3. Share the folder that contains the application files:
C:\Program File > right-click Packaged Program > Properties > Share Folder > Everyone Allow-Read > OK

4. Check on the client machine:
Start > Run > enter the IP address of the Remote Server, e.g. \\192.168.1.38 > OK

A dialog asks for the logon username/password > enter sv1/123 > OK

Select the application you need

Select Connect

Enter the user credentials to authenticate > OK

The connection is established and the application opens

Deploying RemoteApp applications through TS Web Access:

1. Install TS Web Access on the Terminal Server:
- Server Manager > Terminal Services > Add Role Services.

Select TS Web Access > Next

Select Add Required Role Services

Leave the settings at their defaults > Next > select Install

Start > Programs > Administrative Tools > Terminal Service > TS RemoteApp Manager
Right-click the applications you want to display > select Show in TS Web Access

Check on the Terminal Client:
Open Internet Explorer > in the Address bar enter the Terminal Server address http://192.168.1.38/ts > Enter
A dialog asking for the username and password appears. Enter sv1/123

After logging in successfully, select the applications you need

Continued in Part 2

Terminal Services 2008 - Part 2
12:36 | 23/04/2010

Securing Windows Server 2008 Terminal Services

Some enhancements to Terminal Services in Windows Server 2008

Using Smart Card authentication

With Smart Cards, users must not only provide valid logon credentials but must also be able to physically connect the smart card to the device they are using as a remote terminal. To require smart card authentication, you must create a Group Policy Object to apply to the Terminal Server. In the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and enable the Interactive Logon: Require Smart Card setting. In addition, you need to allow Smart Cards to be redirected to the Terminal Server by ticking the Smart Cards check box on the Local Resources tab of Remote Desktop Connection on the users' workstations.

Figure 1

Enforcing Network Level Authentication for all clients

Network Level Authentication (NLA) is a feature introduced in version 6.0 of the Remote Desktop Connection Client. It lets users enter their logon credentials before the Windows Server logon window is displayed. Windows Server 2008 lets us use this capability and require all connecting clients to use it.

Figure 2

To use NLA, you must be using Windows 2008 Server, and the connecting clients must support CredSSP (Windows XP SP3, Windows Vista, Windows 7) and run Remote Desktop Connection 6.0 or higher. You can configure your Terminal Server to require its clients to use NLA in the following ways:
- During the initial installation of the Terminal Services role, when you see the Specify Authentication Method for Terminal Server screen, select the option Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Open the Terminal Services Configuration MMC Snap-In, right-click the terminal server connection used by the clients and select Properties, then select the option Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Create a Group Policy Object, browse to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security, enable the Require user authentication for remote connections by using Network Level Authentication setting, and apply it to an OU that contains the terminal server.

Changing the default RDP port

By default, Terminal Server uses port 3389 for RDP traffic, and skilled hackers around the world all know this. For that reason, one of the quickest changes you can make to your Terminal Server environment to keep intruders away is to change the default port assignment. To change the default RDP port for the Terminal Server, open regedit and browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Find the PortNumber key and replace the hex value 00000D3D (equivalent to 3389) with another value that you want to use.

Alternatively, you can change the port number used by your Terminal Server on a per-connection basis. Still using regedit, browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection name. Then find the PortNumber key and replace the hex value with another value of your choice.

Note that once this setting is changed on the server, all connecting clients must make sure they connect to the Terminal Server with the new port appended to the server's IP address. For example, connecting to a Terminal Server with the internal IP address 192.168.0.1 that now uses the non-standard port 8888 requires the user to enter 192.168.0.1:8888 in Remote Desktop Connection.

Figure 3

Easy printing and restricting redirected printers

Printing from devices attached locally to client workstations was always a weak point of Terminal Services before Windows Server 2008. To make it work, you had to make sure that exactly the same version of the printer driver was installed on both the server and the client, and even then it sometimes did not work. From a security point of view, we never want to install more drivers on our systems than is strictly required.
Every driver installed on a server has the potential to widen its attack surface.

Windows Server 2008 introduces a feature named Easy Print, which radically changes the way locally attached printers are managed. In essence, TS Easy Print is a driver that serves as a proxy through which all printer data is redirected. When a client prints to a device using the Easy Print driver, the data and printer settings are converted to a common format and then sent to the Terminal Server for processing. As a result, after clicking print, the printer dialog is launched from the client, not inside the terminal session. This means that no driver has to be installed on the Terminal Server to handle print jobs from locally attached print devices. To configure Easy Print, you need to make sure that all locally attached print devices have logical printers configured on the clients that are set to use the Easy Print driver. The Easy Print feature is supported by all Windows XP SP3, Windows Vista and Windows 7 clients running Remote Desktop Connection 6.1 or newer and .NET Framework 3 SP1.

Figure 4

When configuring locally attached devices at the workstation level, you need to make sure that the only printer redirected to the Terminal Server is the printer using TS Easy Print, which is set as the default printer. You can do this by creating a Group Policy Object and browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection, then enabling the Redirect only the default client printer option.

Restricting user accounts

We need to be aware that a user who connects to or works directly on a server inherently has access to a few things they do not need, and to create a more secure environment we need to restrict that. This protects not only against a user's credentials being compromised but also against a legitimate user with illegitimate intentions. Some of the things we can do here are:

Using specific accounts for users

A user may work locally with certain applications and then access the Terminal Server to reach other applications. Using the same account for local access and remote access is simpler to manage, but it is also easier to compromise, because an attacker can compromise one set of credentials to gain access to the applications.
Creating a separate user account for Terminal Server access and restricting its rights to the applications that are needed lessens the impact of this kind of compromise.

Using software restriction policies

Software restriction policies can be configured to allow or deny the use of certain applications. They are commonly used on public computers, but they are also excellent in Terminal Server environments.

Checking user access to the Terminal Server with groups

By default, only members of the Terminal Server's Remote Desktop Users group (and Domain/Local Administrators) can log on to that Terminal Server. However, you need to document and audit the group membership regularly. If a user does not need to log on to a Terminal Server, remove them from the remote users group.

Additional security configuration with Group Policy

Many security improvements for Terminal Server environments are provided through Group Policy. Here are some typical examples that we want to introduce.

1. Restrict Terminal Services users to one remote session
In most cases, a user does not need to start multiple sessions on a Terminal Server. Allowing users to start multiple sessions leaves your environment more exposed to denial of service (DoS) attacks if a user's credentials are compromised. You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections in your GPO.

2. Do not allow drive redirection
Allow users to access local drives from a Terminal Server session only when you have a genuine need for it, because doing so can create an insecure communication channel. With this capability, users can not only copy data to a Terminal Server, but that data may contain malicious code that can then be executed on the server.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection in the GPO.

3. Set time limits for disconnected sessions
In general, we should let users leave a session without logging off completely.
And when someone is able to take control of such a session, they can reach sensitive data or find that they are already authenticated to another network application. The best way to deal with this is to set a low time limit for disconnected sessions. When the time limit is reached, the session is closed.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits in the GPO.

4. Disable the Windows Installer
Only administrators should have the right to install applications on a Terminal Server. In most cases, users are not allowed to install applications unless they are logged on with administrator rights. Even so, if some users are considered to need elevated privileges, you can limit their ability to install some programs by disabling Microsoft Windows Installer.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Windows Installer in the GPO. Note that you must configure this setting as Enabled instead of Always. This ensures that you can still publish applications to the Terminal Server through Group Policy. Using the Always option does not allow you to do that.

5. Restrict folders
Although we (the administrators) provide many private and public locations for storing data securely, some of our users still save data on their desktops as they please. One way to put a protective wall around that data is to redirect their desktop to a suitable storage location on a file server.
You can configure this setting by browsing to User Configuration\Windows Settings\Folder Redirection in the GPO. The user's Desktop is a folder that we can redirect.

6. Block access to the Control Panel
As with Microsoft Installer, ordinary users should not have access to the Control Panel in general.
Even so, if some people need administrator privileges to perform certain tasks, you can still restrict their access to the Control Panel by configuring this setting.
You can configure this setting by browsing to User Configuration\Administrative Templates\Control Panel in the GPO.

Enabling logging

The logging settings recommended by Microsoft are listed below:
- Audit Account Logon Events - No Auditing
- Audit Account Management - Audit Success and Failure
- Audit Directory Services Access - No Auditing
- Audit Logon Events - Audit Success and Failure
- Audit Object Access - Audit Failure
- Audit Policy Change - Audit Success and Failure
- Audit Privilege Use - Audit Failure
- Audit Process Tracking - Audit Failure
- Audit System Events - Audit Success and Failure

Along with these settings, you can also use the Connection Auditing log inside Terminal Services. This lets you record a few items specific to the Terminal Server. To view and configure these settings, open the Terminal Services Configuration snap-in, right-click the connection for which you want to enable auditing, then click Properties. Go to the Security tab, click Advanced, and type the user name of the account for which you want to enable logging. Here you can select one of the listed options.

Figure 5
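As an added example (not part of the original document), the Python below checks a policy file exported with secedit /export against the audit settings listed above and reports only the settings that log less than that list. The sample export is constructed, and treating a missing key as No Auditing is an assumption.

```python
# secedit audit values: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
BASELINE = {  # the settings listed above, keyed by their secedit [Event Audit] names
    "AuditAccountLogon": 0, "AuditAccountManage": 3, "AuditDSAccess": 0,
    "AuditLogonEvents": 3, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 2, "AuditProcessTracking": 2, "AuditSystemEvents": 3,
}
NAMES = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}

# Constructed sample shaped like `secedit /export /cfg policy.inf` output.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""

def parse_event_audit(inf_text):
    """Return {setting: int} taken from the [Event Audit] section only."""
    values, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[event audit]"
        elif in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = int(val.strip())
    return values

def audit_gaps(inf_text):
    """List (setting, current, baseline) where the host logs less than the baseline."""
    actual = parse_event_audit(inf_text)
    gaps = []
    for key, want in BASELINE.items():
        have = actual.get(key, 0)      # assumption: a missing key means No Auditing
        missing = want & ~have         # bit 1 = success, bit 2 = failure
        if missing:                    # auditing more than the baseline is not a gap
            gaps.append((key, NAMES[have], NAMES[want]))
    return gaps

if __name__ == "__main__":
    for key, have, want in audit_gaps(SAMPLE_INF):
        print(f"{key}: currently '{have}', baseline '{want}'")
```
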
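For the NLA and RDP port settings described earlier in this part, the following added Python example (not from the original document) reads a registry export of the WinStations key and reports each connection's port, whether NLA is required, and the address clients have to enter. The sample export and the connection name Branch-Office are constructed; UserAuthentication is the listener's registry value for NLA, and treating it as off when absent is an assumption.

```python
import re

# Constructed sample in .reg export form; "Branch-Office" is a hypothetical connection name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\Branch-Office]
"PortNumber"=dword:000022b8
"UserAuthentication"=dword:00000001
"""

WINSTATIONS = r"\control\terminal server\winstations" + "\\"
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_listeners(reg_text):
    """Map each connection name under WinStations to its DWORD values."""
    listeners, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            idx = key.lower().find(WINSTATIONS)
            name = key[idx + len(WINSTATIONS):] if idx != -1 else ""
            # Keep only direct children: WinStations\<connection name>
            current = listeners.setdefault(name, {}) if name and "\\" not in name else None
        elif current is not None:
            m = DWORD.match(line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)   # 00000d3d -> 3389
    return listeners

def review(reg_text, host):
    """Return (connection, port, nla_required, client_address) per listener."""
    rows = []
    for name, vals in sorted(parse_listeners(reg_text).items()):
        port = vals.get("PortNumber", 3389)
        nla = vals.get("UserAuthentication", 0) == 1   # assumption: absent means not required
        address = host if port == 3389 else f"{host}:{port}"
        rows.append((name, port, nla, address))
    return rows

if __name__ == "__main__":
    for name, port, nla, address in review(SAMPLE_REG, "192.168.0.1"):
        print(f"{name}: port {port}, NLA required: {nla}, connect to {address}")
```

Registry exports written by regedit are UTF-16 encoded, so decode the file accordingly before passing its text to review().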