Kent J. Chen's WebLog

...information technology, internet, and random thoughts

Locking Down Terminal Server

Microsoft has redesigned many aspects of Terminal Services in Windows Server 2003. In the new OS, Remote Desktop supplants Windows 2000 Terminal Services' Remote Administration mode, client-server encryption has been strengthened, and most Terminal Services configuration management can be performed centrally through AD Group Policy.

Restricting user access
Windows 2003 has a new built-in local security group called Remote Desktop Users. We can use this group to manage access to a computer that is configured as a Terminal Server. Only members of this group and of the local Administrators group have permission to log on remotely to the TS system. Beyond that, we can further manage basic user permissions and privileges by assigning users to the local computer's other security groups.
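The membership check described above can be scripted. The following is an added example, not code from the original post: it audits the local Remote Desktop Users group on a Terminal Server against an approved list and reports anyone who should not be there, anyone expected but missing, and members who are also local Administrators (who already have remote logon rights regardless). It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, run with local administrator rights; the group names in the approved list are constructed placeholders.

```powershell
# Added example (not from the original post): audit "Remote Desktop Users" against
# an approved list. Assumes PowerShell 5.1+ (LocalAccounts module) on the Terminal Server.
# The approved entries below are constructed placeholders; replace them with your own.

$ApprovedMembers = @(
    'CONTOSO\TS-Users',      # hypothetical domain group that should hold RDP logon rights
    'CONTOSO\TS-Helpdesk'    # hypothetical domain group
)

function Get-RdpGroupDrift {
    param(
        [string[]]$Approved,
        [string]$GroupName = 'Remote Desktop Users'
    )
    # Name comes back as DOMAIN\account for domain principals and HOST\account for local ones.
    $actual = @(Get-LocalGroupMember -Group $GroupName      | Select-Object -ExpandProperty Name)
    $admins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Unapproved = @($actual   | Where-Object { $Approved -notcontains $_ })
        Missing    = @($Approved | Where-Object { $actual   -notcontains $_ })
        # Administrators can already log on remotely; listing them in this group as well
        # hides which accounts actually depend on Remote Desktop Users for access.
        AlsoAdmins = @($actual   | Where-Object { $admins   -contains $_ })
    }
}

$drift = Get-RdpGroupDrift -Approved $ApprovedMembers

if ($drift.Unapproved.Count -gt 0) {
    Write-Warning "Unapproved members of Remote Desktop Users: $($drift.Unapproved -join ', ')"
}
if ($drift.Missing.Count -gt 0) {
    Write-Warning "Approved principals not present: $($drift.Missing -join ', ')"
}
if ($drift.AlsoAdmins.Count -gt 0) {
    Write-Warning "Members that are also local Administrators: $($drift.AlsoAdmins -join ', ')"
}
if ($drift.Unapproved.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Output 'Remote Desktop Users membership matches the approved list.'
}

# Remediation, to be run only after the report has been reviewed:
# $drift.Unapproved | ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_ }
```

Keeping the approved list in a version-controlled file and running this from a scheduled task gives a simple drift alarm for the one group that gates remote logon.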

Restricting data access
To restrict access to a particular application, you can apply a Software Restriction Policy GPO or set NTFS ACLs on the directories of the applications that you want to restrict. The GPO route is advantageous because you can link the GPO to a Domain, Site, or OU AD object, and that GPO will be enforced for every object within that container. For example, if you need to add a server, you can configure it and move it to the GPO-enabled OU. After you restart the computer or run gpupdate.exe to apply the GPO for its new OU, it will be locked down like the others in that OU. Generally, NTFS ACLs don't scale as well as GPOs, which you can manage centrally; however, they let you discretely restrict access on a per-file or per-folder basis.
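The NTFS ACL route, as an added example that is not part of the original post: it breaks inheritance on an application directory so that the default rights inherited from the volume root do not leak in, grants read and execute only to an approved group (plus Administrators and SYSTEM), and then verifies that no broad principal such as Users or Everyone retains execute rights. It assumes PowerShell 5.1 or later with administrator rights; the directory path and group name are constructed placeholders.

```powershell
# Added example (not from the original post): lock an application directory down with
# NTFS ACLs and verify the result. Path and group name are constructed placeholders.

$AppDir       = 'C:\Apps\LegacyTool'          # hypothetical application directory
$AllowedGroup = 'CONTOSO\LegacyTool-Users'    # hypothetical group permitted to run it

function Set-AppDirAcl {
    param([string]$Path, [string]$Group)

    $acl = Get-Acl -Path $Path
    # Protect the directory from inheritance and discard the inherited ACEs, so the
    # usual "Users: Read & execute" inherited from C:\ no longer applies here.
    # ($true = protect, $false = do not preserve inherited rules as explicit ones)
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None

    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    $inherit, $prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule($Group,                   'ReadAndExecute', $inherit, $prop, 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

    Set-Acl -Path $Path -AclObject $acl
}

function Test-AppDirAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $execute = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
    # Any Allow ACE that gives a broad principal execute rights means the lockdown failed.
    $broad = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
        (([int]$_.FileSystemRights -band $execute) -ne 0)
    })
    return ($broad.Count -eq 0)
}

Set-AppDirAcl -Path $AppDir -Group $AllowedGroup
if (Test-AppDirAcl -Path $AppDir) {
    Write-Output "$AppDir is restricted to $AllowedGroup (plus Administrators and SYSTEM)."
} else {
    Write-Warning "$AppDir still grants execute rights to a broad principal; review its ACL."
}
```

Because an ACL is per-directory, this has to be repeated on every Terminal Server and every application path, which is the scaling cost the paragraph describes; the verification function is the part worth keeping in a periodic check.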

Fine-tuning security configuration through a GPO
You might prefer that the user have greater access at his or her workstation than at the TS system. Unfortunately, because the user configuration is associated with the user object, the same user-configuration GPO will be applied regardless of which computer the user logs on to. However, you can solve this problem with a GPO setting called loopback processing.
With loopback processing, you can apply a GPO on the OU containing the TS computer object that also applies to users contained elsewhere. Any user who logs on to the TS server will be governed by that system's user-configuration GPO instead of any other GPO that might be applied to the user. In the GPO editor, navigate to Computer Settings, Administrative Templates, System, Group Policy and enable the policy called User Group Policy loopback processing mode. When you enable this policy, you must select whether to replace or merge the user-configuration settings of the Terminal Server computer GPO with the user's native GPO.

Fine-tuning security configuration through TSCC
You can also configure most Terminal Server security settings directly on a Terminal Server computer by using the TSCC tool. However, if a GPO configures a setting, the GPO takes priority and the equivalent setting in TSCC will be unavailable.
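The loopback configuration from the previous section and the GPO-over-TSCC precedence from this one, as one added example that is not code from the original post. The first part, run from a management workstation with the GroupPolicy module (RSAT), creates a GPO linked to the Terminal Server OU and sets loopback processing to Replace; loopback is stored as the registry policy value UserPolicyMode (1 = Merge, 2 = Replace). The second part, run on the Terminal Server after gpupdate, reads back the applied mode and shows for a few Terminal Services settings whether the value is present under the Policies key, which is exactly the condition under which TSCC greys that setting out. The GPO name and OU distinguished name are constructed placeholders.

```powershell
# Added example (not from the original post). Part 1 runs on a management workstation
# with RSAT's GroupPolicy module; part 2 runs on the Terminal Server (PowerShell 5.1+).
# GPO name and OU are constructed placeholders.

$GpoName = 'TS Lockdown'                              # hypothetical GPO
$TsOu    = 'OU=TerminalServers,DC=contoso,DC=com'     # hypothetical OU holding the TS computer objects

# --- Part 1: enable loopback processing (Replace) on the GPO linked to the TS OU.
#     The setting lives under Computer Configuration\Administrative Templates\System\Group Policy
#     and is written to HKLM\Software\Policies\Microsoft\Windows\System\UserPolicyMode.
Import-Module GroupPolicy
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $TsOu | Out-Null
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null   # 2 = Replace, 1 = Merge

# --- Part 2: on the Terminal Server, after "gpupdate /force", confirm what was applied.
function Get-LoopbackMode {
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ($v.UserPolicyMode) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'Not configured' }
    }
}

# TSCC writes to the local Terminal Server key; Group Policy writes the same-named values
# under the Policies key. When a value exists under Policies, it wins and TSCC shows it greyed out.
function Get-TsPolicyEnforcement {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    foreach ($name in 'MinEncryptionLevel', 'fPromptForPassword', 'MaxIdleTime') {
        $policy = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        $local  = (Get-ItemProperty -Path $localKey  -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting       = $name
            PolicyValue   = $policy
            LocalValue    = $local
            EnforcedByGPO = ($null -ne $policy)
        }
    }
}

"Loopback processing mode: $(Get-LoopbackMode)"
Get-TsPolicyEnforcement | Format-Table -AutoSize
```

Running part 2 as part of a post-deployment check catches the two common surprises: a server that landed outside the loopback OU (mode reports Not configured, so users get their workstation policy on the TS), and a setting someone changed in TSCC that is silently overridden by the Policies value.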

posted on Sunday, November 21, 2004 11:08 AM
