SSL Auth/Encrypt your RDP sessions

Every day I see critical servers in higher education sitting right out on the internet with public IPs.  If you are responsible for maintaining that server and protecting your constituents' data, having it fully exposed to the Internet means you must be more cognizant of security than if you were behind a corporate perimeter defense, regardless of OS.  I often recommend IPsec to control access to the server and provide basic security like IKE signing of traffic where possible.

Remote Desktop Protocol is already encrypted, but it is possible to SSL authenticate and encrypt your session with TLS 1.0.  This provides an additional layer of security when connecting across the Internet and is simple to set up.  Here are the things you will need:

  • Certificate provider (Windows enterprise certificate server is perfect and easy to set up for testing)
  • Windows Server 2003 SP1
  • Remote Desktop Client 5.2

Enrolling a Server Authentication Certificate

The first step is the most complicated.  Make sure your server has a server certificate that includes Server Authentication.  In my lab I auto-enrolled using group policy and used the DC as an enterprise CA.  Just apply a policy to an OU where your test server resides and under Computer Policy – Windows Settings – Public Key Policies – AutoEnrollment Settings, enable autoenrollment.  The Computer certificate included in GPO AutoEnrollment by default includes Server Authentication.

You can also enroll the server by connecting to the /CertSrv website and making a request.  Use “Advanced Request”, “Administrator”, and check the box to store the certificate in the local computer certificate store.  If your test server and/or test clients are not members of the forest, you can install the CA chain from the CertSrv website.

Require SSL and High Encryption (or FIPS Compliant Encryption)

On the server, open Administrative Tools – Terminal Services Configuration.  Select Connections and in the right-hand pane you should see RDP-Tcp.  Open the properties of this connection and on the first page change Authentication to SSL and Encryption to either High or FIPS Compliant.  (For more information on these see the following TechNet article:  https://technet2.microsoft.com/WindowsServer/en/Library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx)
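
To confirm the certificate and listener settings took effect without opening the GUI, the following audit script can be run in an elevated PowerShell session on the server. It is an added example, not part of the original post; the registry value names (SecurityLayer, MinEncryptionLevel) and their numeric meanings are assumptions taken from general Windows documentation, and PowerShell is not part of a default Server 2003 install.

```powershell
# Added example: audit the settings this post configures through the GUI.
# Assumption: the value names and numeric meanings below are from general
# Windows documentation, not from the original post.
$key        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$findings   = @()

$rdp = Get-ItemProperty -Path $key -ErrorAction Stop

# Authentication: only 2 (SSL) refuses clients that cannot do TLS.
$layer = $rdp.SecurityLayer
if ($null -eq $layer) {
    $findings += 'SecurityLayer is not set on the RDP-Tcp listener'
} elseif ($layer -ne 2) {
    $findings += "Authentication is '$($layerNames[[int]$layer])'; clients without TLS can still connect"
}

# Encryption: 3 (High) or 4 (FIPS Compliant) is what the post asks for.
$level = $rdp.MinEncryptionLevel
if ($null -eq $level) {
    $findings += 'MinEncryptionLevel is not set on the RDP-Tcp listener'
} elseif ($level -lt 3) {
    $findings += "Encryption is '$($encNames[[int]$level])'; expected High or FIPS Compliant"
}

# Certificate: needs a private key, a current validity period and the
# Server Authentication enhanced key usage.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date
$usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $ekus = @($cert.Extensions | Where-Object { $_ -is $ekuType } |
              ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $cert.HasPrivateKey -and $cert.NotBefore -le $now -and
        $cert.NotAfter -gt $now -and ($ekus -contains $serverAuthOid)
})
if ($usable.Count -eq 0) {
    $findings += 'No valid certificate with Server Authentication and a private key in LocalMachine\My'
}

if ($findings.Count -eq 0) {
    'OK: RDP-Tcp requires SSL with High or FIPS Compliant encryption and a usable certificate exists'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A listener set to Negotiate is reported as a finding because it permits the fallback described under Caveats; whether that is acceptable depends on the clients you must support.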

Install RDP Client version 5.2

A standard 32-bit Windows XP Pro machine does not come with a version of the RDP Client that supports high encryption.  You can install the client from your 2003 server using %systemdrive%\system32\clients\tsclient\win32\msrdpcli.msi.  With the newer version of the client you should see a security tab on the options page.  Select “Attempt Authentication”.  If you do not have the 5.2 client or do not at least attempt authentication, the connection attempt will time out.  Also, make sure you connect to the server using the same name that is used in the certificate, in most cases the full DNS name.  If not, you will be prompted to approve trusting the cert.

Caveats

You may decide it is more practical to select “Negotiate” rather than SSL.  This will allow down-level clients such as the RDP client on Windows Mobile to connect without using TLS 1.0.  If you require SSL, you will not be able to connect unless your client supports it.  Negotiate allows the highest level of encryption available on each client.