Disable Terminal Services unless Terminal Services use is absolutely necessary.


CONTROL ID: 01831
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception. (CC ID: 00880)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • This setting determines if users can connect to computers using Terminal Services. For Enterprise Client environments, the Allow Users To Connect Remotely Using Terminal Services setting is Not Configured. For Specialized Security - Limited Functionality environments, this setting should be Disabled… (Pg 91, Microsoft Windows Vista Security Guide Appendix A: Security Group Policy Settings)
  • The organization must only enable Terminal Services if absolutely necessary. Normal use of the terminal service on a workstation terminates the existing interactive logon session; however, if remote assistance is enabled, any existing session can be shared between two computers. (§ 4.1.21, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • Table F-2: For Windows 2003 Server, the organization must configure the permissions for Terminal Services (TermService) to Administrators: Full Control; System: Read; and System: Start, Stop, and Pause. Table F-3: For Windows 2000 Professional, the organization must configure the permissions for Ter… (Table F-2, Table F-3, Table F-4, CMS Business Partners Systems Security Manual, Rev. 10)
  • The Terminal Services service should be disabled. The service should be documented if enabling it is required. (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Terminal Services service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • For Specialized Security - Limited Functionality systems, this service should be Disabled. For all other Windows XP environments, this service is Not Defined. (§ 6.5, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • This service lets remote users connect interactively to a computer and display the desktop and applications on the remote computer. The Terminal Services service is Not Defined for Enterprise Client environments and should be Disabled for Specialized Security - Limited Functionality environments. (Pg 70, NSA Guide to Security Microsoft Windows XP)