Solved

Set RDP/Terminal service to use certificate for encryption (SSL) but it still allows unencrypted connections

Posted on 2008-06-18
Last Modified: 2012-06-21
Following all the knowledge base articles and other advice, I've secured my server Remote Desktop connections by setting them to use High Encryption and SSL connection.  I can connect just fine to them if I tell my client to use encryption.  All works as it should.  The problem lies in that it isn't just me that connects to these servers.  I can't go around to these people and make them change all of their connections to use encryption.  Well not directly at least.  :)

Even after enabling all of this, these people can still connect via RDP to the servers without using encryption. How/can I set the server to only allow encrypted traffic via terminal services?
Question by:AAckley
13 Comments
LVL 5

Expert Comment

by:sadburger
ID: 21815823
You can do this by enabling the group policy setting "Require secure RPC communication"
and setting the "Require use of specific security layer for remote (RDP) connections" to SSL
These settings are located at
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security



LVL 5

Expert Comment

by:sadburger
ID: 21815872
That location listed is for Windows Server 2008. The policies and locations for 2k3 are as follows:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security
Set the "Set client connection encryption level" to high
and
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security\RPC Security Policy
enable the "Secure Server (Require Security)" policy



LVL 1

Author Comment

by:AAckley
ID: 21816046
That is what I thought also...  :(   Already been there and done that.  Ran gpupdate and verified that nothing was throwing errors.     Even made the same changes on the client side to see if I could force it from that direction with no change.  

I can connect encrypted just fine... but I can also connect unencrypted just fine also and therein lies the problem.
LVL 5

Expert Comment

by:sadburger
ID: 21816478
What version / service pack of Windows is running on the terminal server?

You can run gpedit.msc to look at the local policy on the terminal server to be sure that the settings you configured are set correctly.
LVL 1

Author Comment

by:AAckley
ID: 21816506
2003 sp2... w/ ISA or SQL server 2005 depending on the two servers I'm testing this on.  They've all been updated to the latest patches released this month.  

And I've been setting the group policy at the local level to avoid possible replication issues by assigning it to a domain policy.  This way, I know it has been applied.
LVL 5

Expert Comment

by:sadburger
ID: 21816658
Okay, looks like you can only configure the encryption through GP, you need to configure the authentication portion directly through the terminal services configuration console.

Open Terminal Services Configuration, and bring up the properties for the connection that you configured your certificate on. On the General Tab, after you install the certificate you will get an additional option under Security Layer for SSL. You should also set the Encryption Level to High on this tab (although this part should be configured through group policy already).

In Server 2008 you can specify the Authentication method through group policy, but not in 2003.
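The two comments above describe the settings that decide the outcome (the group policy encryption level and the Security Layer chosen in Terminal Services Configuration). The following audit script is an added example and is not from this thread or from Microsoft; it assumes it is run in an elevated PowerShell prompt on the terminal server itself. It reads the listener's effective settings through the documented WMI class Win32_TSGeneralSetting (namespace root\cimv2\TerminalServices) and the Terminal Services policy registry key, so you can see whether the server will actually refuse a client that does not offer TLS rather than inferring that from a client-side lock icon. The value meanings in the two lookup tables follow Microsoft's documentation for that class; the listener name RDP-Tcp is the default and is assumed.

```powershell
# Added audit script (not from the thread). Run elevated on the terminal server.
# Reads the effective RDP-Tcp listener settings via Win32_TSGeneralSetting and
# flags anything that would still let a non-TLS client connect.
param(
    [string]$Listener = 'RDP-Tcp',   # assumed default listener name
    [switch]$Enforce                 # also raise the listener to SSL + High if weaker
)

# Value meanings as documented for Win32_TSGeneralSetting.
$securityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='$Listener'"
if (-not $ts) { throw "Listener '$Listener' not found on this host." }

$layer = [int]$ts.SecurityLayer
$level = [int]$ts.MinEncryptionLevel

# Policy-delivered values (if any GPO applies) live under this key; the listener
# object above holds what is actually in effect. Showing both makes it obvious
# when a policy was set but is not being honoured by the listener.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$policyLayer = '(no policy)'
$policyLevel = '(no policy)'
if (Test-Path $policyKey) {
    $policy = Get-ItemProperty $policyKey
    if ($null -ne $policy.SecurityLayer)      { $policyLayer = $policy.SecurityLayer }
    if ($null -ne $policy.MinEncryptionLevel) { $policyLevel = $policy.MinEncryptionLevel }
}

[pscustomobject]@{
    Listener                 = $ts.TerminalName
    SecurityLayer            = "$layer ($($securityLayerNames[$layer]))"
    MinEncryptionLevel       = "$level ($($encryptionNames[$level]))"
    PolicySecurityLayer      = $policyLayer
    PolicyMinEncryptionLevel = $policyLevel
} | Format-List

# Only SecurityLayer = 2 (SSL) makes the listener refuse a client that does not
# offer TLS; 'Negotiate' silently falls back to RDP security for such clients,
# which is the behaviour the question describes.
$findings = @()
if ($layer -lt 2) { $findings += "SecurityLayer is '$($securityLayerNames[$layer])': non-TLS clients are still accepted" }
if ($level -lt 3) { $findings += "MinEncryptionLevel is '$($encryptionNames[$level])': below High" }

if ($findings.Count -eq 0) {
    Write-Host "Listener $Listener requires TLS with High encryption."
    return
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Enforce) {
    # SetSecurityLayer / SetEncryptionLevel are the class's documented setters.
    # They apply to new connections only; sessions already open are untouched.
    if ($layer -lt 2) { $null = $ts.SetSecurityLayer(2) }
    if ($level -lt 3) { $null = $ts.SetEncryptionLevel(3) }
    Write-Host "Listener $Listener raised to SSL / High."
}
```

Run it once without -Enforce to see the real state of the listener; if SecurityLayer reports 1 (Negotiate) despite the console showing SSL, the change did not take, and that explains why non-encrypted clients still get in.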
LVL 1

Author Comment

by:AAckley
ID: 21816697
Not the problem.  That is all done.  I can connect with encryption just fine.  It works just fine if I tell my RDP client to connect with authentication/encryption... I pass encrypted traffic, get the lock icon and everything.  The problem is that if I tell my system to connect without encryption, the server still allows the connection and I'm passing traffic in the clear.  I need to make the server only accept encrypted/authenticated traffic and I can't seem to get it to do that.
LVL 5

Expert Comment

by:sadburger
ID: 21816782
With the security layer set to SSL and Encryption set to High, as long as the certificate is correctly installed then a non-secured remote session should not be able to authenticate. This has worked properly on my test terminal servers.

When you login with the authentication, are you choosing the option to "Attempt Authentication" or are you using "Require Authentication"? Perhaps the certificate is not correctly installed and you are continuing on to the terminal session without encryption, as would be the case with "Attempt Authentication".

There are no other steps that I am aware of to require a secure RDP connection.

See: http://support.microsoft.com/kb/895433
LVL 1

Author Comment

by:AAckley
ID: 21816837
Yea, therein lies the issue.  That is how it is supposed to work.  The cert is installed correctly... I even had my issuing CA revoke an old one and re-issue a new one (I've a whole PKI infrastructure already in place) before assigning it to this use.

When I login with the RDP client set to: "Always connect even if authentication fails" it bypasses the encryption and connects right up... if I set it to anything else, it still goes through just fine but is encrypted as it should be.  

Expert Comment

by:truggeri
ID: 22035716
Did you ever get this to work?  I am facing the same problem on my Terminal Server.
Thanks
TR
LVL 1

Author Comment

by:AAckley
ID: 22036322
Nope.  :(

The encrypted connection works just fine, but people can still connect unencrypted.  Makes no sense.
LVL 1

Accepted Solution

by:Computer101 (earned 0 total points)
ID: 22226326
PAQed with no points refunded (of 500)

Computer101
EE Admin