Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


June 2006

Securing RDP

Add SSL for authentication and encryption
From the June 2006 Edition
of Windows IT Pro
Russell Smith
Solutions +
InstantDoc #50040
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Trusting Intranet CA Certificates
In addition to configuring the Remote Desktop Connection client, you need to ensure that the workstation trusts certificates issued by the intranet CA. To do so, perform these steps:

  1. Browse to http://servername/certsrv, where servername is the name of the server that hosts your intranet CA.
  2. Select Download a CA certificate, certificate chain or CRL.
  3. Select Install this CA certificate chain. Assuming that you trust the CA, accept the security warnings, and a message will be displayed confirming successful installation of the certificate chain.

Requesting a Certificate for Your Terminal Server
Before you can enforce SSL for use with your terminal server, you must request an appropriate certificate from your intranet CA:

  1. Open the Microsoft Management Console (MMC) Certificates snap-in on the terminal server under the local computer account.
  2. Select Certificates (Local Computer) under the console root, then select Options from the View menu. Select Certificate Purpose under Organize view mode by and click OK.
  3. Right-click Server Authentication, and select Request new certificate under All tasks.
  4. Click Next on the welcome screen. Select Server Authentication (or Domain Controller Authentication). Select the Advanced check box, then click Next.
  5. Ensure that the cryptographic service provider is set to Microsoft RSA SChannel Cryptographic Provider and the key length is set to 1024. Click Next.
  6. Browse to your intranet CA (if it isn't already selected) and select it. Click Next.
  7. Enter a friendly name and description for the certificate. Click Next, then Finish.

You should now receive a message saying that the request to your intranet CA has been successful.

Configuring Your Terminal Server to Use SSL with RDP
To configure RDP to use SSL, open Terminal Services Configuration from Administrative Tools on the terminal server. Under Connections in the right pane, right-click RDPTcp, and select Properties to open the RDP-Tcp Properties dialog box (Figure 2).

First you must select a certificate for use with the connection. On the General tab, click Edit. The resulting Select Certificate dialog box (Figure 3) lets you choose from among certificates that have been issued to the server by a CA. Select the certificate you created in the previous step.

The General tab's Security layer field has two new options in addition to the RDP Security layer option. The Negotiate option allows for the highest supported level of encryption (TLS 1.0) to be used if the client supports it—otherwise, standard RDP is used. This option is useful as a stopgap while you're upgrading your workstations to the new Remote Desktop Connection client. The SSL option allows TLS 1.0 connections only. You should note that the SSL option is available only after you've selected a certificate. The RDP Security layer option provides the Microsoft standard data encryption that's available in previous versions of RDP.

Testing the Connection
After configuring the terminal server for SSL security, you'll want to try to connect to the server from your workstations. Figure 4 shows a sample security alert that you might see if you entered the server's IP address rather than the Fully Qualified Domain Name (FQDN) that's specified in the server's certificate and if a client doesn't trust the CA that issued the certificate to the server.

You must always use the FQDN of the terminal server in the Remote Desktop Connection client to connect without an error. The alert also indicates that there's a problem with the server's certificate. This isn't really true—it's just that the client doesn't trust the server certificate's issuing CA. I can't bypass this security check and proceed with the connection because the Remote Desktop Connection client is set to Require authentication.

After I download and install the root certificate of the issuing CA on the workstation and enter the FQDN of the server in the Remote Desktop Connection client, a secure SSL connection will be made with the server. A small padlock symbol at the top left of the screen indicates the secure connection. Clicking the padlock provides information about the server's certificate.

RDP with SSL is a welcome new feature for Windows 2003 SP1 that Microsoft doesn't appear to be advertising. The inability of a terminal server to require the request of a client certificate limits the usefulness of this new feature, but hopefully that aspect will be included as part of RDP over HTTP in Longhorn Server.

Solution Snapshot

PROBLEM:
You want to ensure that users can confirm that they're connecting to a trusted Windows Terminal Services server, and you want to enforce strong data encryption of RDP traffic.

SOLUTION:
Use theSSL feature of the REmote Desktop Connection client in Windows 2003 SPI and later for server authentication and traffic encryption.

WHAT YOU NEED:
Windows 2003 SPI or later on the terminal server; XP or Win2K on the clients.

SOLUTION STEPS:
1. Instal and configure the RDP client software on the client machine.
2. Configure the client machine to trust intranet CA certificates.
3. Request a certificate for your terminal server.
4. Configure your terminal server to use SSL.
5. Test the connection.

End of Article

   Previous  1  [2]  Next  


Reader Comments
none

nnekatroy April 30, 2008 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Learning Path For more information about certificates:
"Access Denied: Obtaining a Server Certificate from Your Own CA, Security Administrator, October 2004"

"Validating Digital Certificates in Windows PKI, Security Administrator, August 2004"


To learn more about SSL:
"Configuring SSL/TLS, Windows IT Security, April 2006"
Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...

WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events Introduction to Identity Lifecycle Manager "2"

SQL Server Security: How to Secure, Monitor & Audit Your Databases

Protecting Mobile Users' Data

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement