RDP with Secure Sockets Layer (SSL) is a new feature in Windows Server 2003 Service Pack (SP) 1 and later that you don't hear much about. It might be flying under the radar, but you can use RDP with SSL to transport your data with strong encryption and to let users confirm that they're connecting to a trusted terminal server. I'll show you how to configure your clients to connect to a terminal server by using SSL and to configure your terminal server to accept RDP connections with SSL.

New in SP1
RDP is the Microsoft proprietary protocol for Windows Terminal Services. The end-to-end encryption provided by RDP with SSL provides an extra layer of encryption for data confidentiality and allows the client to verify the identity of the server, preventing man-in-the-middle attacks. If the client doesn't trust the Certification Authority (CA) that issues the SSL certificate to the server and/or the server name can't be verified, the client displays a warning before connecting to the server.

Using SSL to enforce server identity checking and end-to-end data encryption for RDP is different from RDP over HTTP (scheduled for Longhorn Server), which is the ability to make a connection to a Windows Terminal Services server via RDP through port 443. RDP port 3389 is still required to establish a terminal server session in Windows 2003 SP1 and later.

Even if you have a certificate issued by your own intranet CA (as opposed to a third-party CA such as VeriSign, which Windows trusts by default), SSL can't be used to ensure that only known clients connect via RDP to the server. Client certificate requests aren't supported. An IPsec VPN or Secure Shell (SSH) tunnel is still the best method to ensure that only trusted clients can connect to a server.

Installing and Configuring the Remote Desktop Connection Client
On Windows 2003 SP1 and later systems, you can find the files for the new Remote Desktop Connection client (version 5.2.3790.1830) in the C:\windows\system32\clients\tsclient\win32 folder. Note that the source files for installing version 5.2 of the client software on your workstations are currently available only in Windows 2003 SP1.

Make the files in the win32 folder available on a share that's accessible to the workstations on your network. Then you can manually install the updated Remote Desktop Connection client on a Windows XP or Windows 2000 workstation by connecting to the share, running the setup.exe file, and following the prompts.

Version 5.2 of the Remote Desktop Connection client has a new Security tab (shown in Figure 1), which you can use to specify whether the client should check the server's certificate before establishing a connection with the server. You can choose from three options:

  • No authtication—the client won't attempt to check the server certificate before a connection is made. If the server requires SSL authentication, the client won't be able to connect.
  • Require authentication—the client will check the server certificate before it connects with the server. If the client can't determine the identity of the server, it won't establish a connection with the server.
  • Attempt authentication—the client will check the server certificate before connecting with the server. The client can connect to the server with or without SSL authentication, depending on the configuration of the server, even if the client can't fully verify the server identity.

Currently, no setting is available in Group Policy for the new security option of the Remote Desktop Connection client. However, you can define a DWORD value of AuthenticationLevelOverride in the HKEY_CURRENT_USER\ Software\Microsoft\Terminal Server Client registry subkey to enforce your chosen setting. Set the value to 0 for No authentication, 1 for Require authentication, or 2 for Attempt authentication. You can set a DWORD value of Authentication-LevelOverride in the HKEY_LOCAL_MACHINE\SOFTWARE\Terminal Server Client subkey to affect all the users of the workstation.

Trusting Intranet CA Certificates
In addition to configuring the Remote Desktop Connection client, you need to ensure that the workstation trusts certificates issued by the intranet CA. To do so, perform these steps:

  1. Browse to http://servername/certsrv, where servername is the name of the server that hosts your intranet CA.
  2. Select Download a CA certificate, certificate chain or CRL.
  3. Select Install this CA certificate chain. Assuming that you trust the CA, accept the security warnings, and a message will be displayed confirming successful installation of the certificate chain.

Requesting a Certificate for Your Terminal Server
Before you can enforce SSL for use with your terminal server, you must request an appropriate certificate from your intranet CA:

  1. Open the Microsoft Management Console (MMC) Certificates snap-in on the terminal server under the local computer account.
  2. Select Certificates (Local Computer) under the console root, then select Options from the View menu. Select Certificate Purpose under Organize view mode by and click OK.
  3. Right-click Server Authentication, and select Request new certificate under All tasks.
  4. Click Next on the welcome screen. Select Server Authentication (or Domain Controller Authentication). Select the Advanced check box, then click Next.
  5. Ensure that the cryptographic service provider is set to Microsoft RSA SChannel Cryptographic Provider and the key length is set to 1024. Click Next.
  6. Browse to your intranet CA (if it isn't already selected) and select it. Click Next.
  7. Enter a friendly name and description for the certificate. Click Next, then Finish.

You should now receive a message saying that the request to your intranet CA has been successful.

Configuring Your Terminal Server to Use SSL with RDP
To configure RDP to use SSL, open Terminal Services Configuration from Administrative Tools on the terminal server. Under Connections in the right pane, right-click RDPTcp, and select Properties to open the RDP-Tcp Properties dialog box (Figure 2).

First you must select a certificate for use with the connection. On the General tab, click Edit. The resulting Select Certificate dialog box (Figure 3) lets you choose from among certificates that have been issued to the server by a CA. Select the certificate you created in the previous step.

The General tab's Security layer field has two new options in addition to the RDP Security layer option. The Negotiate option allows for the highest supported level of encryption (TLS 1.0) to be used if the client supports it—otherwise, standard RDP is used. This option is useful as a stopgap while you're upgrading your workstations to the new Remote Desktop Connection client. The SSL option allows TLS 1.0 connections only. You should note that the SSL option is available only after you've selected a certificate. The RDP Security layer option provides the Microsoft standard data encryption that's available in previous versions of RDP.

Testing the Connection
After configuring the terminal server for SSL security, you'll want to try to connect to the server from your workstations. Figure 4 shows a sample security alert that you might see if you entered the server's IP address rather than the Fully Qualified Domain Name (FQDN) that's specified in the server's certificate and if a client doesn't trust the CA that issued the certificate to the server.

You must always use the FQDN of the terminal server in the Remote Desktop Connection client to connect without an error. The alert also indicates that there's a problem with the server's certificate. This isn't really true—it's just that the client doesn't trust the server certificate's issuing CA. I can't bypass this security check and proceed with the connection because the Remote Desktop Connection client is set to Require authentication.

After I download and install the root certificate of the issuing CA on the workstation and enter the FQDN of the server in the Remote Desktop Connection client, a secure SSL connection will be made with the server. A small padlock symbol at the top left of the screen indicates the secure connection. Clicking the padlock provides information about the server's certificate.

RDP with SSL is a welcome new feature for Windows 2003 SP1 that Microsoft doesn't appear to be advertising. The inability of a terminal server to require the request of a client certificate limits the usefulness of this new feature, but hopefully that aspect will be included as part of RDP over HTTP in Longhorn Server.

Solution Snapshot

PROBLEM:
You want to ensure that users can confirm that they're connecting to a trusted Windows Terminal Services server, and you want to enforce strong data encryption of RDP traffic.

SOLUTION:
Use theSSL feature of the REmote Desktop Connection client in Windows 2003 SPI and later for server authentication and traffic encryption.

WHAT YOU NEED:
Windows 2003 SPI or later on the terminal server; XP or Win2K on the clients.

SOLUTION STEPS:
1. Instal and configure the RDP client software on the client machine.
2. Configure the client machine to trust intranet CA certificates.
3. Request a certificate for your terminal server.
4. Configure your terminal server to use SSL.
5. Test the connection.