Securing RDP

Trusting Intranet CA Certificates
In addition to configuring the Remote Desktop Connection client, you need to ensure that the workstation trusts certificates issued by the intranet CA. To do so, perform these steps:

1. Browse to http://servername/certsrv, where servername is the name of the server that hosts your intranet CA.
2. Select Download a CA certificate, certificate chain or CRL.
3. Select Install this CA certificate chain. Assuming that you trust the CA, accept the security warnings, and a message will be displayed confirming successful installation of the certificate chain.

Requesting a Certificate for Your Terminal Server
Before you can enforce SSL for use with your terminal server, you must request an appropriate certificate from your intranet CA:

1. Open the Microsoft Management Console (MMC) Certificates snap-in on the terminal server under the local computer account.
2. Select Certificates (Local Computer) under the console root, then select Options from the View menu. Select Certificate Purpose under Organize view mode by and click OK.
3. Right-click Server Authentication, and select Request new certificate under All tasks.
4. Click Next on the welcome screen. Select Server Authentication (or Domain Controller Authentication). Select the Advanced check box, then click Next.
5. Ensure that the cryptographic service provider is set to Microsoft RSA SChannel Cryptographic Provider and the key length is set to 1024. Click Next.
6. Browse to your intranet CA (if it isn't already selected) and select it. Click Next.
7. Enter a friendly name and description for the certificate. Click Next, then Finish.

You should now receive a message saying that the request to your intranet CA has been successful.

Configuring Your Terminal Server to Use SSL with RDP
To configure RDP to use SSL, open Terminal Services Configuration from Administrative Tools on the terminal server. Under Connections in the right pane, right-click RDPTcp, and select Properties to open the RDP-Tcp Properties dialog box (Figure 2).

First you must select a certificate for use with the connection. On the General tab, click Edit. The resulting Select Certificate dialog box (Figure 3) lets you choose from among certificates that have been issued to the server by a CA. Select the certificate you created in the previous step.

The General tab's Security layer field has two new options in addition to the RDP Security layer option. The Negotiate option allows for the highest supported level of encryption (TLS 1.0) to be used if the client supports it—otherwise, standard RDP is used. This option is useful as a stopgap while you're upgrading your workstations to the new Remote Desktop Connection client. The SSL option allows TLS 1.0 connections only. You should note that the SSL option is available only after you've selected a certificate. The RDP Security layer option provides the Microsoft standard data encryption that's available in previous versions of RDP.

Testing the Connection
After configuring the terminal server for SSL security, you'll want to try to connect to the server from your workstations. Figure 4 shows a sample security alert that you might see if you entered the server's IP address rather than the Fully Qualified Domain Name (FQDN) that's specified in the server's certificate and if a client doesn't trust the CA that issued the certificate to the server.

You must always use the FQDN of the terminal server in the Remote Desktop Connection client to connect without an error. The alert also indicates that there's a problem with the server's certificate. This isn't really true—it's just that the client doesn't trust the server certificate's issuing CA. I can't bypass this security check and proceed with the connection because the Remote Desktop Connection client is set to Require authentication.

After I download and install the root certificate of the issuing CA on the workstation and enter the FQDN of the server in the Remote Desktop Connection client, a secure SSL connection will be made with the server. A small padlock symbol at the top left of the screen indicates the secure connection. Clicking the padlock provides information about the server's certificate.

RDP with SSL is a welcome new feature for Windows 2003 SP1 that Microsoft doesn't appear to be advertising. The inability of a terminal server to require the request of a client certificate limits the usefulness of this new feature, but hopefully that aspect will be included as part of RDP over HTTP in Longhorn Server.

End of Article

   Previous  1  [2]  Next