Terminal Services 2008 - Part 1
23:45 | 22/04/2010
Introduction

Terminal Service Remote Application is a new feature in Windows Server 2008. Applications are installed on the Windows Server 2008 machine; the workstations do not have the applications installed, but can still use the applications on the server through Terminal Service.

1. Characteristics:
- Seamless access. Users access remotely hosted applications as seamlessly as if they were installed locally. Hosted applications can reside alongside locally installed applications.
- Centralized, easy and simple application management.
- Branch offices are easy to manage; best suited to companies that have no professional IT staff at their branch offices.
- Applications that are incompatible with each other can be used within the same system.
- Workstations do not need powerful hardware, and the business does not have to spend much on software licenses when using this service. The business still has to pay for CALs (Client Access Licenses), but this cost is low and acceptable.
- Workstations connect to the server through Terminal Service, so they must have Remote Desktop Connection (RDC) 6.0 or later installed. RDC 6.0 for Windows 2003 SP1 and Windows XP Professional SP2 can be downloaded at http://support.microsoft.com/default.aspx/kb/925876.

2. How workstations connect to the server:
There are 4 ways for a workstation to connect to the server when using applications on the server:
- Using a web browser: the server must additionally have Terminal Service Web Access installed, and the workstation must have Remote Desktop Connection (RDC) 6.1 installed. RDC 6.1 is included in Windows Vista Service Pack 1 and Windows XP Professional Service Pack 3.
- Using Network Access: the server prepares .rdp files (one .rdp file per application) and shares them on the server; the workstation accesses the server and runs the file directly to use the application on the server.
- Using Network Access: the server prepares .msi files (one .msi file per application) and shares them on the server; the workstation accesses the server and runs the file directly to install shortcuts that link to the application on the server. These shortcuts are installed in the workstation's Start menu, specifically under the Remote Application entry. The workstation runs the shortcuts to use the application on the server.
- Using policy (applies to a Domain environment) to roll out the installation of shortcuts linking to the applications on the server to many workstations at once.

Installing and configuring Terminal Service

Preparation:
The system consists of:
- Server: Windows Server 2008
+ Create local users sv1/123 and sv2/123 and add them to the Remote Desktop Users group
+ Enable Remote Desktop on the server.
+ Change the Administrator password to 123
- Client: Windows XP.

Procedure:
1. Install Terminal Services:
Start > Programs > Administrative Tools > Server Manager
Right-click Roles > Add Roles
Before you begin > Next
Select Terminal Services > Next
Introduction to Terminal Services dialog > Next
Select Terminal Server > Next
Application Compatibility: leave the default > Next
Authentication Method > select Do Not Require Network Level Authentication > Next
Licensing Mode > Configure later > Next
Add the 2 users sv1 and sv2 so that they can access the terminal server
Confirmation Installation > select Install. When the installation finishes, select Restart > OK
Check that Remote Connection is enabled:
Right-click Computer > select Properties > Remote Settings > Remote tab
2. Add the RemoteApp programs:
- Start > Program > Administrative Tools > Terminal Services > TS RemoteApp Manager.
- Action menu > Add RemoteApp Programs.
Welcome screen > Next
Choose Program to add to RemoteApp Program list > select the applications for the client > Next
Review Setting > Finish
In the TS RemoteApp window > scroll to the bottom of the screen > right-click the application and select Create Windows Installer Package
Welcome screen > Next
Leave the configuration parameters at their defaults > Next
Select Finish
3. Share the folder that contains the application files:
C:\Program Files > right-click Packaged Programs > Properties > Share Folder > Everyone Allow-Read > OK
4. Test on the client:
Start > Run > enter the IP address of the Remote Server, e.g. \\192.168.1.38 > OK
A dialog asks for the logon username/password > enter sv1/123 > OK
Select the application you want to use
Select Connect
Enter the user to authenticate with > OK
The connection is established and the application opens
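The .rdp files placed on the share are plain text with one name:type:value setting per line, so they can be reviewed before users run them. The following Python example is added here and is not from the original article; it parses a constructed .rdp file and reports settings covered by the hardening advice in Part 2. The setting names are standard .rdp settings that the article does not list, and the rule that a port written inside "full address" takes precedence over "server port" is an assumption.

```python
# Constructed sample of a RemoteApp .rdp file (decode real files from UTF-16 first if needed).
SAMPLE_RDP = """\
full address:s:192.168.1.38
server port:i:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||calc
enablecredsspsupport:i:0
redirectdrives:i:1
redirectsmartcards:i:0
"""

def parse_rdp(text):
    """Parse 'name:type:value' lines (type i = integer, s = string, b = binary)."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)   # the value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue                         # skip blank or malformed lines
        name, kind, value = parts
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name.lower()] = value
    return settings

def target(settings):
    """Return (host, port); assumes IPv4/hostname and that a port in 'full address' wins."""
    host, _, port = settings.get("full address", "").partition(":")
    return host, int(port) if port.isdigit() else settings.get("server port", 3389)

def review_rdp(text, require_smart_card=False):
    """Return findings for client-side settings that Part 2 of the article hardens."""
    s = parse_rdp(text)
    findings = []
    if s.get("enablecredsspsupport") == 0:
        findings.append("CredSSP is switched off, so the client cannot use NLA")
    if s.get("redirectdrives") == 1 or s.get("drivestoredirect"):
        findings.append("client drives are redirected into the session")
    if require_smart_card and s.get("redirectsmartcards") != 1:
        findings.append("smart cards are not redirected although the server requires one")
    if target(s)[1] == 3389:
        findings.append("connects to the default RDP port 3389")
    return findings

if __name__ == "__main__":
    print(target(parse_rdp(SAMPLE_RDP)), review_rdp(SAMPLE_RDP, require_smart_card=True))
```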
Deploying RemoteApp applications through TS Web Access

1. Install TS Web Access on the Terminal Server:
- Server Manager > Terminal Services > Add Role Services.
Select TS Web Access > Next
Select Add Required Role Services
Leave the parameters at their defaults > Next > select Install
Start > Programs > Administrative Tools > Terminal Service > TS RemoteApp Manager
Right-click the applications you want to display > select Show in TS Web Access
Test on the Terminal Client:
Open Internet Explorer > in the Address bar enter the Terminal Server address http://192.168.1.38/ts > Enter
A dialog asking for the username and password appears. Enter sv1/123
After logging on successfully, choose the application you want to use

Continued in Part 2
Terminal Services 2008 - Part 2
12:36 | 23/04/2010
Securing Terminal Services in Windows Server 2008

Some enhancements for Terminal Services in Windows Server 2008

Using Smart Card authentication

With Smart Cards, users must not only provide valid logon credentials but must also be able to physically connect the smart card to the device they are using as a remote terminal. To require smart card authentication, you must create a Group Policy Object to apply to the Terminal Server. In the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and enable the setting Interactive Logon: Require Smart Card. In addition, you need to allow Smart Cards to be redirected to the Terminal Server by ticking the Smart Cards check box on the Local Resources tab of Remote Desktop Connection on the users' workstations.

Enforcing Network Level Authentication for all clients

Network Level Authentication (NLA) is a feature introduced in version 6.0 of the Remote Desktop Connection Client. It lets users enter their logon credentials before the Windows Server logon window is displayed. Windows Server 2008 lets us use this feature and require all connecting clients to use it.

To use NLA you must be running Windows 2008 Server, and the connecting clients must support CredSSP (Windows XP SP3, Windows Vista, Windows 7) and be running Remote Desktop Connection 6.0 or higher. You can configure your Terminal Server to require its clients to use NLA in the following ways:
- During the initial installation of the Terminal Services role, when you see the Specify Authentication Method for Terminal Server screen, select the option Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Open the Terminal Services Configuration MMC snap-in, right-click the terminal server connection that the clients use and select Properties, then select the option Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Create a Group Policy Object, browse to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security, enable the setting Require user authentication for remote connections by using Network Level Authentication, and apply it to an OU that contains the terminal server.

Changing the default RDP port

By default, Terminal Server uses port 3389 for RDP traffic, and every skilled hacker in the world knows this. For that reason, one of the quickest changes you can make to your Terminal Server environment to keep intruders away is to change the default port assignment. To change the default RDP port for the Terminal Server, open regedit and browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Find the PortNumber key and replace the hex value 00000D3D (which corresponds to 3389) with another value that you want to use.

Alternatively, you can change the port number used by your Terminal Server on a per-connection basis. Still using regedit, browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection name. Then find the PortNumber key and replace the hex value with another value of your choice.

Note that when you change this setting on the server, all connecting clients must make sure that they connect to the Terminal Server with the new port appended to the server's IP address. For example, connecting to a Terminal Server with the internal IP address 192.168.0.1 that now uses the non-standard port 8888 requires the user to enter 192.168.0.1:8888 in Remote Desktop Connection.

Easy printing and restricting redirected printers

Printing from devices attached locally to the client workstations was always a weak point of Terminal Services before Windows Server 2008. To make it work, you had to ensure that exactly the same version of the printer driver was installed on both the server and the client, and even then it sometimes did not work. From a security standpoint, we never want to install more drivers on our systems than is strictly required. Every driver installed on the server has the potential to enlarge its attack surface.

Windows Server 2008 introduces a feature called Easy Print, which radically changes the way locally attached printers are handled. In essence, TS Easy Print is a driver that serves as a proxy through which all printer data is redirected. When a client prints to a device using the Easy Print driver, the data and the printer settings are converted to a common format and then sent to the Terminal Server for processing. As a result, after you click print, the printer dialog is launched from the client, not inside the terminal session. This means that no driver has to be installed on the Terminal Server to process print jobs from locally attached printing devices. To configure Easy Print, you must make sure that every locally attached printing device has a logical printer configured on the client that is set to use the Easy Print driver. The Easy Print feature is supported by all Windows XP SP3, Windows Vista and Windows 7 clients running Remote Desktop Connection 6.1 or newer and .NET Framework 3 SP1.

When configuring locally attached devices at the workstation level, make sure that the only printer redirected to the Terminal Server is the printer that uses TS Easy Print, and that it is set as the default printer. You can do this by creating a Group Policy Object and browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection, then enabling the option Redirect only the default client printer.

Restricting user accounts

We need to keep in mind that a user who connects to, or works directly from, a server inherently has access to a few things they do not need, and to create a more secure environment we have to restrict this. This is not only a measure that protects against a user's credentials being compromised, it also protects against a legitimate user with illegitimate intentions. Some of the things we can do here are:

Use dedicated accounts for users

A user may work locally with certain applications and then access the Terminal Server to reach other applications. Using the same account for local and remote access is simpler to manage, but it is also easier to compromise, because an attacker can compromise one set of credentials to gain access to the applications. Creating a separate user account for Terminal Server access and restricting its rights to the applications that are needed reduces the impact of this kind of compromise.

Use software restriction policies

Software restriction policies can be configured to allow or deny the use of particular applications. They are typically used on public computers, but they also work very well in Terminal Server environments.

Check user access to the Terminal Server by group

By default, only members of the Terminal Server's Remote Desktop Users group (and Domain/Local Administrators) can log on to the Terminal Server. However, you need to document and audit the group membership regularly. If a user does not need to log on to a Terminal Server, remove them from the remote users group.

Configuring additional security with Group Policy

Many security improvements for Terminal Server environments are provided through Group Policy. Here are some typical examples that we want to introduce.

1. Restrict Terminal Services users to a single remote session
In most cases a user does not need to open multiple sessions on a Terminal Server. Allowing users to open multiple sessions makes your environment more vulnerable to a denial of service (DoS) attack if a user's credentials are compromised. You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections in your GPO.

2. Do not allow drive redirection
Unless you have a real need for it, do not allow users to access local drives from a Terminal Server session, because this can create an insecure communication channel. With this capability, users can not only copy data to a Terminal Server, but that data may contain malicious code that could be executed on the server.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection in the GPO.

3. Set a time limit for disconnected sessions
In general, users may be allowed to leave a session without logging off completely. But anyone who gains control of such a session may be able to access sensitive data, or find that they are already authenticated to another network application. The best way to address this is to set a low time limit for disconnected sessions. When the time limit is reached, the session is closed.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits in the GPO.

4. Disable Windows Installer
Only administrators should have the right to install applications on the Terminal Server. In most cases users are not allowed to install applications unless they are logged on with administrator rights. However, if certain users are considered to need elevated privileges, you can limit their ability to install some programs by disabling Microsoft Windows Installer.
You can configure this setting by browsing to Computer Configuration\Administrative Templates\Windows Components\Windows Installer in the GPO. Note that you must configure this setting as Enabled rather than Always. This ensures that you can still publish applications to the Terminal Server through Group Policy. Using the Always option would prevent you from doing so.

5. Restrict folders
Although we (the administrators) provide many private and public locations for storing data securely, some of our users still save data on their desktops at will. One way to put a protective wall around that data is to redirect their desktop to an appropriate storage location on a file server.
You can configure this setting by browsing to User Configuration\Windows Settings\Folder Redirection in the GPO. The user's Desktop is one of the folders that we can redirect.

6. Block access to Control Panel
As with Microsoft Installer, ordinary users should generally not have access to Control Panel. However, if some people need administrator privileges to carry out certain tasks, you can still restrict their access to Control Panel by configuring this setting.
You can configure this setting by browsing to User Configuration\Administrative Templates\Control Panel in the GPO.

Enabling logging

The logging settings recommended by Microsoft are as follows:
- Audit Account Logon Events: No Auditing
- Audit Account Management: Audit Success and Failure
- Audit Directory Services Access: No Auditing
- Audit Logon Events: Audit Success and Failure
- Audit Object Access: Audit Failure
- Audit Policy Change: Audit Success and Failure
- Audit Privilege Use: Audit Failure
- Audit Process Tracking: Audit Failure
- Audit System Events: Audit Success and Failure

Along with these settings, you can also use Connection Auditing inside Terminal Services. This lets you log a number of items specific to the Terminal Server. To view and configure these settings, open the Terminal Services Configuration snap-in, right-click the connection for which you want to enable auditing, then click Properties. Go to the Security tab, click Advanced, and type the user name of the account for which you want to enable logging. Here you can select any of the options listed.
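The registry and Group Policy settings described in this part can be checked offline from a registry export of the server. The following Python example is added here and is not from the original article; it parses a constructed export and reports which of the article's settings are not in place. Only the RDP-Tcp key and PortNumber come from the article; the policy key and the value names UserAuthentication, fDisableCdm, fSingleSessionPerUser and MaxDisconnectionTime are assumptions about where those settings are stored and should be confirmed on the target server.

```python
import re

# Constructed sample of a decoded `reg export` (real exports are UTF-16; decode first).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"UserAuthentication"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableCdm"=dword:00000001
"fSingleSessionPerUser"=dword:00000001
"MaxDisconnectionTime"=dword:000dbba0
"""

TCP = r"hkey_local_machine\system\currentcontrolset\control\terminal server\winstations\rdp-tcp"
POL = r"hkey_local_machine\software\policies\microsoft\windows nt\terminal services"

# (key, value name, predicate on the DWORD or None, finding reported when the predicate fails)
CHECKS = [
    (TCP, "userauthentication", lambda v: v == 1, "NLA is not required on RDP-Tcp"),
    (TCP, "portnumber", lambda v: v != 3389, "RDP listens on default port 3389"),
    (POL, "fdisablecdm", lambda v: v == 1, "client drive redirection is allowed"),
    (POL, "fsinglesessionperuser", lambda v: v == 1, "users may open multiple sessions"),
    (POL, "maxdisconnectiontime", lambda v: v not in (None, 0), "no time limit for disconnected sessions"),
]

def parse_reg(text):
    """Return {(key, value_name): int} for every DWORD in a .reg export (names lower-cased)."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        else:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
            if m and key:
                values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return the findings; a value missing from the export reaches its predicate as None."""
    values = parse_reg(text)
    return [msg for key, name, ok, msg in CHECKS if not ok(values.get((key, name)))]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print("FINDING:", finding)
```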