We use Windows Server 2003 Terminal Services and Windows 2000 Server Terminal Services to remotely administer our servers. As my company's information security officer, I want to make sure that we use the strongest possible encryption for RDP traffic. I also want to make sure that administrators can't, as a convenience, save their passwords in RDP connections that they set up. What's the best way to accomplish these objectives?
Although Windows 2003 and Windows XP let you use Group Policy to centrally control Terminal Services, Win2K doesn't. To configure Terminal Services centrally on Windows 2003 and XP platforms, open a Group Policy Object (GPO) that's applied to your servers and navigate to Computer Configuration, Windows Settings, Administrative Templates, Windows Components, Terminal Services. You'll find a host of settings related to Terminal Services; the settings for RDP encryption are under the Encryption and Security folder. Select that folder and double-click Set client connection encryption level, as Figure 1 shows. Select High Level to signal Terminal Services to require 128-bit encryption for RDP traffic between the client and server.
With regard to your other requirement, you can't prevent your administrators from saving their passwords in RDP connections they create, but you can reduce the risk that doing so causes. In the Encryption and Security folder, double-click Always prompt client for password upon connection and enable this policy. Now, if the administrator violates your policy and saves a password in the RDP connection, Windows will still prompt for his or her password. Thus, an attacker who gains access to the administrator's workstation while he or she is logged on as the administrator or who succeeds in logging on as the administrator won't inevitably have access to your server through Terminal Services. You can learn more about Terminal Services at http://www.microsoft.com/windowsserver2003/technologies/terminalservices/default.mspx.