Terminal Services Console Session and the /Admin Switch > CitrixTools.Net > Citrix Tools

Wednesday, September 03, 2008

Terminal Services Console Session and the /Admin Switch
By Pierre Marmignon @ 6:01 PM :: 9885 Views :: 0 Comments ::

Laurent Falguiere, a French Terminal Server MVP, has written an interesting article regarding the Terminal services Console Session and the "/Admin" Switch introduced in RDP Client 6.1 and Windows 2008 Server.

I decided to translate it and publish it in Our English part (as the French part is directly pointing the Laurent's French WebSite).

On Windows 2003, the console session points to the local session (the one accessible when being physically in front of the server, connected directly on it).

This session has a really specific role : it is used by the User connected to the Physical Machine but also to execute and run System Services (which are running under high privileges).

Then if the User running this Console Session is mainly an Administrator allowed to connect to the Server, it is technically possible for Malware or SpyWare to install and run within this context and successfully get higher System Privileges by hacking System Services.

To prevent this security hole and globally increase Security, under Windows 2008 (and Vista), the Console session (also called session 0) is now dedicated to System Services Système and it's not possible anymore to open an Interactive Session using the Session 0.

Applications that were designed to run only within the Console Session should be able to work within another session, but the Main consequence regarding Terminal Services is that the "/console" of the Remote Desktop Client (mstsc), used to connect remotely the the Console Session of the Windows Server 2003 (and also without consuming any TSCal) won't work within a Windows 2008 Environment.

Note from translator : That's also why this switch has been removed from the Remote Desktop Client 6.1

When trying to use the "/Console" switch to connect to a Windows 2008 Server /console You'll get the Following :

When running mstsc /console, the switch is not taken into account and a "standard" Terminal Server session is opened.

If you append the "/Console" switch to the Computer Namer within the Remote DeskTop Client, You'll have an error message specifying that an Unknown parameter has been specified (Same Error Message if written into a .RDP File).

The /Console has then been depriciated and replaced (and Vista or RDC 6.1 Users are already aware of this) by the /admin switch.

And now the new name takes is all sense : as You cannot connect to the "Real Console" Session 0 anymore in Windows Server 2008, the purpose of this new switch is really different and that's why the name was changed.

The /admin switch has then the property to allow Admins to connect up to Two conccurent Remote Admin Sessions. This Two Sessions contains the Local Server Session, which allows to reconnect a locally opened session from any other computer and Vice-Versa (Which was not possible with Windows 2003).

The Old Active Session Limit that allows only Two conccurent Admin Connection on a server still remains, but now a PopUp can allow an Admin to Ask another to close its session or even to force its disconnection, wich is a good news for all admins.

When Connecting onto a Terminal services Enabled Server, Sessions using the /admin switching won't consume any TSCal.

The /admin switch has also the following specificities (when connecting to any Server Type) :

Time Zone is not redirected.

TS Session Broker redirection is Disabled.

Plug and Play Devices Redirection is Disabled.

Default Theme is changed to “Windows Classic”.

Easy Print is disabled.

The Setting “Prevent this user to connect to Terminal Server Computers" is ignored.