Not only the system settings, but also the application environment configuration should be adapted to running on terminal servers. The following section describes some common modifications.
A terminal server’s permission compatibility is set to Full Security or Relaxed Security via the server settings of Terminal Services configuration. If the low security level is selected, each user who starts a Terminal Services session receives an additional permission that allows extended access to certain areas of the registry database and the file system. In the registry, this involves HKLM\Software, HKLM\Software\Microsoft\Tracing, HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths, HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace, HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs, HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall, and redirecting accesses from HKLM\Software\Classes. In the file system, extended access to .inf files and the files located in %SystemRoot%\help is granted.
If full security was selected for permission compatibility and an application needs to access the system areas concerned, error messages will occur because of the restricted permissions. This setting might even cause the program start to be aborted. Settings for individual aspects of permission compatibility are located in the registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\RegistryExtensionFlags. Nevertheless, it is recommended that the basic permission compatibility be changed to relaxed security only if errors occur when an application is launched, and only by modifying the Terminal Services Configuration server settings.
Dr. Watson is the application debugger that automatically starts if errors occur in applications and if these errors cannot be handled by a default procedure. For instance, Dr. Watson is often launched when an application accesses memory improperly. This requires exception handling; and if such an exception occurs, Dr. Watson is launched and saves all relevant data. However, this type of behavior is not desirable on terminal servers, except for targeted error analyses.
For this reason, Dr. Watson should be disabled on production systems by deleting the HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger registry key and the drwtsn32 –P %ld –e %ld –g value. By deleting this key, Dr. Watson is disabled. Dr. Watson can also be deactivated by deleting the HKLM\Software\Microsoft\DrWatson key.
After Microsoft Office applications are installed on standard clients, they contain a little tool called SysInfo. This tool can be started from a menu entry. It displays system information and allows access to other system resources. If Office 2000 or Office XP is installed with the help of the transformation file for terminal servers, SysInfo is disabled by default. This should not be changed, because SysInfo represents a potential danger on terminal servers.
Because the Microsoft Word grammar check gobbles up enormous system resources, it should be disabled on terminal servers. Depending on the different versions of Word, the corresponding setting can be found at different places in the registry. However, searching for the AutoGrammar key will lead you to the right place in HKCU. It is recommended that the value of this key be set to zero either for the default user before creating new profiles, or through a logon script.