AAckley
asked on
Set RDP/Terminal service to use certificate for encryption (SSL) but it still allows unencrypted connects
Following all the knowledge base articles and other advice, I've secured my server Remote Desktop connections by setting them to use High Encryption and SSL connection. I can connect just fine to them if I tell my client to use encryption. All works as it should. The problem lies in that it isn't just me that connects to these servers. I can't go around to these people and make them change all of their connections to use encryption. Well not directly at least. :)
Even after enabling all of this, these people can still connection via RDP to the servers without using encyption. How/Can I set the server to only allow encrypted traffic via terminal services?
Even after enabling all of this, these people can still connection via RDP to the servers without using encyption. How/Can I set the server to only allow encrypted traffic via terminal services?
That location listed is for Windows Server 2008. The policies and locations for 2k3 are as follows:
Computer Configuration\Administrati
Set the "Set client connection encryption level" to high
and
Computer Configuration\Administrati
enable the "Secure Server (Require Security)" policy
Computer Configuration\Administrati
Set the "Set client connection encryption level" to high
and
Computer Configuration\Administrati
enable the "Secure Server (Require Security)" policy
ASKER
That is what I thought also... :( Already been there and done that. Ran gpupdate and verified that nothing was throwing errors. Even made the same changes on the client side to see if I could force it from that direction with no change.
I can connect encrypted just fine... but I can also connect unencrypted just fine also and therein lies the problem.
I can connect encrypted just fine... but I can also connect unencrypted just fine also and therein lies the problem.
What version / service pack of Windows is running on the terminal server?
You can run gpedit.msc to look at the local policy on the terminal server to be sure that the settings you configured are set correctly.
You can run gpedit.msc to look at the local policy on the terminal server to be sure that the settings you configured are set correctly.
ASKER
2003 sp2... w/ ISA or SQL server 2005 depending on the two servers I'm testing this on. They've all been updated to the latest patches released this month.
And I've been setting the group policy at the local level to avoid possible replication issues by assigning it to a domain policy. This way, I know it has been applied.
And I've been setting the group policy at the local level to avoid possible replication issues by assigning it to a domain policy. This way, I know it has been applied.
Okay, looks like you can only configure the encryption through GP, you need to configure the authentication portion directly through the terminal services configuration console.
Open Terminal Services Configuration, and bring up the properties for the connection that you configured your certificate on. On the General Tab after you install the certificate you will get an additional option under Security Layer for SSL. You should also set the Encryption Level to High on this tab (although this part should be configured through group policy already.
In Server 2008 you can specify the Authentication method through group policy, but not in 2003.
Open Terminal Services Configuration, and bring up the properties for the connection that you configured your certificate on. On the General Tab after you install the certificate you will get an additional option under Security Layer for SSL. You should also set the Encryption Level to High on this tab (although this part should be configured through group policy already.
In Server 2008 you can specify the Authentication method through group policy, but not in 2003.
ASKER
Not the problem. That is all done. I can connect with encryption just fine. It works just fine if I tell my RDP client to connect with authentication/encryption.
With the security layer set to SSL and Encryption set to High, as long as the certificate is correctly installed then Non-secured remote session should not be able to authenticate. This has worked properly on my test terminal servers.
When you login with the authentication, are you choosing the option to "Attempt Authentication" or are you using "Require Authentication"? Perhaps the certificate is not correctly installed and you are continuing on to the terminal session without encryption, as would be the case with "Attempt Authentication".
There are no other steps that I am aware of to require a secure RDP connection
See: http://support.microsoft.com/kb/895433
When you login with the authentication, are you choosing the option to "Attempt Authentication" or are you using "Require Authentication"? Perhaps the certificate is not correctly installed and you are continuing on to the terminal session without encryption, as would be the case with "Attempt Authentication".
There are no other steps that I am aware of to require a secure RDP connection
See: http://support.microsoft.com/kb/895433
ASKER
Yea, therein lies the issue. That is how it is suppossed to work. The cert is installed correctly... I even had my issueingCA revoke an old one and re-issue a new one. (I've a whole PKI infrastructure already in place) before assigning it to this use.
When I login with the RDP client set to: "Always connect even if authentication fails" it bypasses the encryption and connects right up... if I set it to anything else, it still goes through just fine but is encrypted as it should be.
When I login with the RDP client set to: "Always connect even if authentication fails" it bypasses the encryption and connects right up... if I set it to anything else, it still goes through just fine but is encrypted as it should be.
Did you ever get this to work? I am facing the same problem on my Terminal Server?
Thanks
TR
Thanks
TR
ASKER
Nope. :(
The encrypted connection works just fine, but people can still connect unencrypted. Makes no sense.
The encrypted connection works just fine, but people can still connect unencrypted. Makes no sense.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
and setting the "Require use of specific security layer for remote (RDP) connections" to SSL
These setting are located at
Computer Configuration\Administrati