Windows Server 2003 SP1 Has Goodies for Terminal Server

The first service pack for Windows Server 2003 isn't just a security booster. It adds several features to Windows Terminal Services, Microsoft explained in a white paper out this week.

New SP1 features for Terminal Services include fallback printer capability, server authentication for connections, Group Policy settings for licensing and a Group Policy setting to automatically launch a program on connection to a Terminal Server.

Terminal Services is Microsoft's technology for hosting and running applications on a server that can be delivered to Windows and non-Windows clients without much client-side processing. The approach helps organizations deploy applications rapidly, manage applications that require frequent updates and wring life out of older clients or thin clients that can't handle large local applications.

Once a separate Microsoft server, then a separate version of the operating system, Terminal Services has been built into the core Windows Server operating system as a feature since Windows Server 2000.

SP1, released last week, deals primarily with hardening the OS against security threats. New security features include a Security Configuration Wizard and the Windows Firewall.

One of the new Terminal Services features in SP1 does fit that theme, relating directly to security. While Microsoft's native Remote Desktop Protocol offers encryption, Terminal Server does not provide authentication that lets a client verify the identity of a Terminal Server. Microsoft is addressing the problem by configuring Terminal Services connections to use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.0. The combination will provide server authentication and encrypted communications.

Among the non-security fixes is the new fallback printer capability. It is designed to make it easier for end users to make printouts nearby even when applications are hosted on faraway servers. The problem arises when no compatible printer driver exists on the Terminal Server for the local printer. The new feature, offered through a Group Policy setting, allows an administrator to default to a Hewlett-Packard-compatible Printer Control Language (PCL) fallback printer driver or an Adobe PostScript (PS) fallback printer driver, or to provide users with a choice between the two.

In an attempt to reduce the complexity of licensing Terminal Services environments, Microsoft also added new Group Policy settings specifically for licensing. By configuring the type of client access license required to connect to a Terminal Server in Group Policy, administrators override licensing mode choices made during setup or through configuration tools.

While a Group Policy setting was previously available for starting a program on connection to a Terminal Server, it could only be edited in Group Policy if the computer was a Domain Controller. With SP1, the policy can be configured for individual Terminal Servers within a domain. When the policy is enabled, the end user never sees the Windows desktop or the Start menu. Instead, the hosted application immediately appears at logon, and ending the program logs the user off.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

