S 4.366 Secure configuration of moving user profiles in terminal server environments

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

In order to provide applications for a higher number of users, several terminal servers are frequently used in a cluster. This cluster is also referred to as a terminal server farm.

For the scenario mentioned here, some specific security requirements regarding the user profiles arise. Individual user settings, terminal device configurations (for example for printers), and possibly even self-created files are stored in user profiles for each user.

In terminal server clusters, the users cannot usually foresee which terminal server will be used to establish a session. The administration services of the respective terminal server solutions control this automatically, usually taking into consideration the utilisation of the individual servers in the farm.

When the user logs in, his/her individual profile is loaded from this server. If no corresponding precautions were taken, this is the profile stored locally on the server. If the user logs out and logs in again, the connection is very likely to be established using a different terminal server, which is why a new local user profile is also created there. The settings and files stored on the first terminal server are only available to the user if he/she happens to establish a connection to exactly the same server.

At this point it becomes clear that, when terminal server farms are used, the files must be stored centrally on a file server if the user's changes are to be maintained within his/her profile. This method of storing the profile data is also referred to as "moving profile".

However, it must be noted that this may not be required or desired in application scenarios in which individual applications are accessed directly instead of a complete user interface (desktop).

When using Windows servers, selecting moving user profiles, also referred to as a "roaming profile", has some disadvantages. For example, the user is provided with numerous options for changing the appearance and behaviour of his/her user session, as intended. However, the session profile may also easily be rendered useless due to a single mistake of the user. Moreover, a profile configured in such a way will quickly increase in size. It then takes a long time to be loaded from the file server with every application and thus also increases the network and server load.

Therefore, it is advisable to use so-called "mandatory profiles", which increase the speed of the terminal servers and prevent the users from accidentally being excluded from use.

This profile type may also be stored on a remote server; however, created files and changes to the settings are only retained for the duration of the session. Certain parts of the profiles (e.g. newly created documents) can be saved to the file server in a targeted manner by specifically created batch processing programs (scripts) before the session is finally closed.

Moreover, a limitation of the profile size should be specified by the administrators in order to prevent growth beyond a tolerable extent.
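
A logoff script of the kind described above for mandatory profiles, as an added PowerShell example (not part of the original safeguard text): it copies selected profile folders to the user's home folder on the file server before the session data is discarded. The share path, the folder list and the per-file size cap are assumptions chosen for illustration.

```powershell
# Added example: logoff script for a session that uses a mandatory profile.
# Assumptions (not from the original text): share path, folder list, size cap.
$HomeShare   = '\\fileserver.example\home$'   # hypothetical file server share
$Folders     = @('Documents', 'Desktop')      # profile parts worth keeping
$MaxFileSize = 50MB                           # per-file cap in bytes

$target = Join-Path $HomeShare $env:USERNAME
if (-not (Test-Path -LiteralPath $target -PathType Container)) {
    # The per-user folder is expected to be pre-created by an administrator
    # with permissions for that user only; it is not created from the session.
    Write-Error "Home folder $target is not reachable; nothing was saved."
    exit 1
}

$failed = $false
foreach ($name in $Folders) {
    $source = Join-Path $env:USERPROFILE $name
    if (-not (Test-Path -LiteralPath $source -PathType Container)) { continue }

    $dest = Join-Path $target $name
    # /E     copy subfolders, including empty ones
    # /XJ    skip junction points so the copy stays inside the profile folder
    # /MAX   skip files larger than the cap
    # /R /W  one retry with one second wait, so logoff is not held up
    robocopy $source $dest /E /XJ "/MAX:$MaxFileSize" /R:1 /W:1 /NP /NJH /NJS | Out-Null

    # robocopy exit codes below 8 mean success; 8 or higher means copy errors
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "Saving $name failed (robocopy exit code $LASTEXITCODE)."
        $failed = $true
    }
}

if ($failed) { exit 1 } else { exit 0 }
```

The copy is one-way and never deletes files on the share, so a damaged or empty session cannot remove documents saved earlier.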

Review questions: