When enabling Terminal Services in Applications Sharing mode, you will be asked to select a permission level for users of Terminal Services. If you select Permissions Compatible with Windows 2000 Users, you will have the most secure settings, but some legacy application will not run. These legacy applications might need access to registry and file locations to which Windows 2000 users do not have access. If you need to ensure the capability to use legacy applications, choose Permissions Compatible with Terminal Server 4.0 Users.
Users logged on using the RDP client are automatically members of the implicit Terminal Services Users local group. To control Terminal Services users, control this group. This group is already restricted. They cannot install applications or invoke the Windows installed. The Windows installed is sometimes used to install missing parts of applications. Because the Terminal Services Users local group cannot involve the Windows installed, users cannot install missing parts of applications. Terminal Services users, therefore, unlike normal Windows users, cannot install any kind of application on the Terminal Server.
For more information, visit these other resources:
- Tech Tip: Where do you run terminal services?
- Network Security Tip: Remote access best practices
- Ask the Expert: Securing communications between Web browser and Microsoft Terminal Servicer