Making Profiles Work
by Christa Anderson, triCerat Senior Technologist
Most of the technical problems that apply to Terminal Services (and server-based computing in general) stem from one basic fact: Windows NT® was never designed to be a multi-user operating system.

One of the ways this shows up is in the way profiles work. Windows NT operating systems (including Windows® 2000 and 2003) are built on the assumption that each person using the operating system is logged in only once. As you know, in a server-based computing environment – particularly one using load balancing and published applications – that isn't necessarily true.
NT-based operating systems store user and machine settings in a flat database called the Registry, which you can edit either directly with the Registry Editor or indirectly through applications or the Control Panel. The Registry is organized into five main sections (keys), but the two that really matter for this discussion are HKEY_LOCAL_MACHINE (HKLM) and HKEY_CURRENT_USER (HKCU); all other keys are duplicates of the settings in HKLM and HKCU. HKLM contains all machine-wide settings. HKCU is created from a template in HKEY_USERS and populated with the settings associated with the security ID (SID) that the person logging in is using. If more than one person is logged into the computer, the Registry contains one copy of HKCU for each person, although each person can only see their own copy of HKCU. If a person is logged onto more than one server, they have a separate copy of HKCU on each server. If a setting appears in both HKLM and HKCU, the setting in HKCU takes precedence.
The information in HKCU comes from the user profile of the person currently logged in and (optionally) from system policies or group policies. The user profile consists of per-user Registry settings (stored in a flat file called NTUSER.DAT, with one copy of NTUSER.DAT associated with each SID) and the files associated with that SID. If a user is logging onto a computer or domain for the first time, they'll use the version of NTUSER.DAT assigned to Default User, which is then copied to their user directory and loaded whenever they log on thereafter. Users edit the contents of HKCU when they change per-user settings (such as application settings). When they log off, the contents of HKCU are written to NTUSER.DAT – to the profile. The location of NTUSER.DAT depends on the kind of profile you're using. Local profiles, the default type, are stored on the computer where they're used, meaning that a person using more than one computer will have more than one version of their profile. Roaming profiles are stored in a network location accessible to all computers where the profile is used. Mandatory profiles may be local or on the network (almost always on the network, though) and are read-only. Users can make changes, but those changes are not written back to the profile file.
Notice a few things here:
* Each person gets one copy of HKCU per server they're logged into.
* The entire contents of HKCU are written back to NTUSER.DAT at logoff, not just the edits.
* Profiles are either entirely read/write or entirely read-only.
* You can use group policies to define some per-user settings and leave the rest up to the user, but that limits you to settings defined within group policies, and it works best for organizations using Active Directory.
The implications are obvious: anyone logged onto more than one server – entirely possible in server-based computing – has multiple copies of their profile open. If a person makes changes in both copies of their profile, only the last-written changes will be preserved. And if the operating system attempts to save multiple copies of the profile at the same time, the profile itself can easily become corrupted. For this reason, it's often better to use mandatory profiles with Terminal Services, but if you do that then users can't customize their work environment – and that's not going to endear your user base to server-based computing.
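As an added example (not code from the newsletter or from triCerat), the following PowerShell script inventories the profiles on one terminal server and classifies each as local, roaming or mandatory, flagging loaded roaming profiles as exposed to the last-write-wins and corruption problem described above. It assumes a modern Windows host with the Win32_UserProfile CIM class; the LoadBalancedFarm switch is a hypothetical parameter meaning "this user may also be logged onto another server in the farm".

```powershell
# Added example, not triCerat's code. Assumes Windows PowerShell 5.1 or later
# and the Win32_UserProfile CIM class. A mandatory profile is recognised by its
# read-only hive name NTUSER.MAN (instead of NTUSER.DAT); a roaming profile
# that is loaded on several servers at once is exposed to last-writer-wins.

function Get-ProfileRisk {
    param(
        # Hypothetical switch: treat every loaded roaming profile as possibly
        # open on a second server (true on a load-balanced farm).
        [switch]$LoadBalancedFarm
    )
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |   # skip system and service profiles
        ForEach-Object {
            $localPath   = $_.LocalPath
            $roamingPath = $_.RoamingPath
            # Look for NTUSER.MAN in the local copy and, if set, the network copy.
            $mandatory = (Test-Path (Join-Path $localPath 'NTUSER.MAN')) -or
                         ($roamingPath -and (Test-Path (Join-Path $roamingPath 'NTUSER.MAN')))
            $roaming = [bool]$_.RoamingConfigured
            $loaded  = [bool]$_.Loaded

            $type = if ($mandatory) { 'Mandatory' }
                    elseif ($roaming) { 'Roaming' }
                    else { 'Local' }

            # Roaming, writable and loaded on a farm: another server may hold a
            # second open copy of the same NTUSER.DAT, and the last logoff wins.
            $risk = if ($loaded -and $type -eq 'Roaming' -and $LoadBalancedFarm) {
                        'Last-write-wins / corruption risk'
                    } elseif ($type -eq 'Local') {
                        'Per-server copy; changes do not follow the user'
                    } else { 'None' }

            [pscustomobject]@{
                SID         = $_.SID
                LocalPath   = $localPath
                RoamingPath = $roamingPath
                ProfileType = $type
                Loaded      = $loaded
                Risk        = $risk
            }
        }
}

# Run on each terminal server in the farm and compare the reports.
Get-ProfileRisk -LoadBalancedFarm | Format-Table -AutoSize
```

Any SID that shows as Loaded with a Roaming profile on more than one server's report is a user whose next logoff will silently discard the other session's changes.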
triCerat®'s Simplify Profiles™ tool helps profiles work better with server-based computing. It cooperates with policies and profiles to tune the contents of HKCU after a user logs in and after his or her profile loads. In combination with a mandatory profile, the administrator can open up settings to let users change certain parts of their profile, while leaving the rest static. Essentially, Simplify Profiles gives administrators granular control over the contents of HKCU, allowing them to make some settings read-write and some read-only. Some settings commonly used with server-based computing are predefined, and administrators can import settings, thus gaining control of just about all of HKCU.
When a user logs onto a terminal server, Simplify Profiles looks up that user's owner status and loads the settings associated with that user on top of their profile. When the user logs off, their profile closes as normal and any changes that they've made and are allowed to save are written to their personal database. Because changes are stored as Registry entries, they're very small and quickly written.

Although Simplify Profiles will function with roaming profiles, we recommend that you use it with mandatory profiles. When Simplify Profiles changes the values in HKCU, those changes become part of the profile and will be saved when the profile is written back. If you use mandatory profiles, those changes will not be written back to the profile; they'll just be saved in the per-user database of read/write settings. The end result is that you get all the reduced administration of mandatory profiles with all the customization of roaming profiles, as appropriate to a particular user.
See you next time,
Christa
canderson@tricerat.com
Securing Published Applications on your Terminal Server
While published applications give the appearance of full security – given that you have limited exposure to the terminal server desktop environment – this security can be circumvented through inherent security holes such as the file associations built into the Windows® operating system. So if your means of providing security is to write scripts and policies, then good luck! You'll be doing this 24/7, 365 days a year. Sounds exaggerated? Not really. As new vulnerabilities come up, you'll have to update what you've written.

Instead of writing tedious scripts and Group Policies, triCerat has a simple and clever solution – ThOR™ Technology.

ThOR halts the execution of all unauthorized applications, scripts, viruses or trojans, regardless of source. Because the technology is not signature-based, you do not have to rely on software patches and other reactive solutions to detect, quarantine or destroy malicious code on your servers. End users can no longer perform unauthorized application installations.

With ThOR's innovative "granting technology", just turn ThOR on, identify and configure the process dependencies necessary for the applications you are presenting to end users, and you are done. With ThOR, new vulnerabilities in the form of executables are already implicitly denied. You never have to update your ThOR settings unless you add new applications.

ThOR can prevent unauthorized downloads and installs, port monitoring tools, packet sniffers, games, password crackers, and virus and script attacks, among others, resulting in fewer support calls and less server downtime.
Product Alert
Simplify Printing™ v3
triCerat customers and partners: sign up now to receive the triCerat Product Alert for information on the latest versions, features and other technical updates on triCerat products. Please note that this communication is different from triCerat's newsletter, eNews.
Special Offer
Half-off Simplify Data Transfer™!
Offer good until June 30, 2004
Simplify Data Transfer provides Fast, Easy and Secure file transfer for Terminal Services, and supports transferring files between the client workstation's drives and those on the terminal server.
With Simplify Data Transfer, administrators obtain total control over which local and/or system drives a user can use inside the session and in which direction data is transferred. It is also the easiest way to provide file management within Portal and Published Application environments.
Take advantage of this special offer! Promo ends June 30, 2004. For more information, email sales@tricerat.com or call 1.800.582.5167.
Events
** Live Webcast: Securing Terminal Services **
There are many administrative advantages to using Terminal Services; that's why you use it. However, server-based computing introduces some new security problems that don't enter into client-centric computing. You have to worry about who's running what on the terminal servers (whether that's viruses or applications they're not licensed for), whether communications between server and client can be intercepted, and, especially now that RDP in Windows 2003 Terminal Services supports drive mapping, whether users can copy sensitive information to their home computers when logging in remotely. In this live webcast, terminal services expert Christa Anderson explains some approaches that will help you close the security holes in your server-based computing environment.
Date: June 1, 2004
Time: 12:00PM ET
Speaker: Christa Anderson
** Seminar: Simplify Administration of Terminal Services **
Date: June 2, 2004
Time: 10:00AM - 12:00PM PT
Where: Microsoft®, 8880 Cal Center Dr., Suite 330, Sacramento, CA 95826
Organized by: Folsom Technology Group
Sponsors: Microsoft, triCerat Inc. and HP®
Register now! Limited seats available.
** Webinar: Simplify Administration of Terminal Services **
This session will cover how to reduce helpdesk calls by eliminating printer driver management, dramatically improve system reliability and security by preventing users from running hacking tools, scripts, and other unauthorized activities... and more!

triCerat, Inc., 10320 Little Patuxent Parkway Ste 304, Columbia, MD 21044
© 2004 triCerat Inc. All rights reserved.
Simplify Profiles, Simplify Lockdown, ThOR, Simplify Printing, Simplify Data Transfer, triCerat and the triCerat logo are trademarks or registered trademarks of triCerat Inc. All other trademarks or registered trademarks are the property of their respective owners.