Of late I have been working on an enterprise with Citrix XPe installed on W2K servers. As the majority of security focus has been on Citrix, the underlying Terminal services were ignored. For anyone implementing Citrix or just using Terminal services, here is a basic / minimum script for reducing unauthorised access to system files on the W2K terminal server.
I can offer more details as to Terminal and Citrix Security if anyone is interested.
**************************************************************************
REM ** The following commands should not be run in one script **
REM ** Break each command after the Echo Statement **
REM ** Terminal Server W2K Security settings **
REM ** Grant local administrators and SYSTEM full control **
REM ** Grant local users read access to entire volume. **
XCacls c:\ /T /c /g administrators:F System:F Users:r
XCacls D:\ /T /c /g administrators:F System:F Users:r
Echo y|xcacls c:\* /T /c /g Administrators:F System:F Users:r
REM ** deny user access to system boot files **
XCacls c:\boot.ini /e /c /r Users
XCacls c:\ntdetect.com /e /c /T /r Users
Xcacls c:\ntldr /e /c /T /r Users
REM ** Revoke user access as required **
XCacls c:\winnt\config /e /c /T /r Users
XCacls c:\winnt\Ctxundo /e /c /T /r Users
XCacls c:\winnt\ICA /e /c /T /r Users
XCacls c:\winnt\INF /e /c /T /r Users
XCacls c:\winnt\profiles\administrator /e /c /T /r Users
XCacls c:\winnt\repair /e /c /T /r Users
XCacls c:\winnt\system32\clients /e /c /T /r Users
XCacls c:\winnt\system32\drivers /e /c /T /r Users
XCacls "c:\winnt\system32\ICA Passthrough" /e /c /T /r Users
XCacls c:\winnt\system32\lserver /e /c /T /r Users
XCacls c:\winnt\system32\ras /e /c /T /r Users
*************************************************************************
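A read-only check to run after the revoke commands above, added here as an example and not part of the original post: it lists each path from the script and reports any that still carry an entry for the local Users group. It assumes an English-language W2K install (group shown as BUILTIN\Users), the default C:\WINNT layout used above, and the built-in cacls.exe and findstr.exe.

```batch
@echo off
REM Added example: audit only, changes no permissions.
REM Assumption: cacls prints the local group as "BUILTIN\Users:<rights>".
setlocal
set FAIL=0
for %%P in (
  "c:\boot.ini"
  "c:\ntdetect.com"
  "c:\ntldr"
  "c:\winnt\config"
  "c:\winnt\Ctxundo"
  "c:\winnt\ICA"
  "c:\winnt\INF"
  "c:\winnt\profiles\administrator"
  "c:\winnt\repair"
  "c:\winnt\system32\clients"
  "c:\winnt\system32\drivers"
  "c:\winnt\system32\ICA Passthrough"
  "c:\winnt\system32\lserver"
  "c:\winnt\system32\ras"
) do call :check %%P
if "%FAIL%"=="0" (
  echo RESULT: no listed path has an entry for BUILTIN\Users
) else (
  echo RESULT: one or more listed paths still grant access to BUILTIN\Users
)
endlocal
goto :eof

:check
REM Paths that do not exist on this server are reported, not treated as failures.
if not exist %1 (
  echo SKIP  %~1 ^(not present^)
  goto :eof
)
REM The "." in the pattern stands for the backslash, so no findstr escaping is needed.
cacls %1 | findstr /i /r /c:"BUILTIN.Users:" >nul
if not errorlevel 1 (
  echo FAIL  %~1
  set FAIL=1
) else (
  echo OK    %~1
)
goto :eof
```

The check looks only at the ACL on each named file or directory itself, not at the contents of the directories, and only at the Users entry; access granted through other groups such as Everyone or Authenticated Users would need its own pattern.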