Solved

Set RDP/Terminal service to use certificate for encryption (SSL) but it still allows unencrypted connects

Posted on 2008-06-18
13
1,882 Views
Last Modified: 2012-06-21
Following all the knowledge base articles and other advice, I've secured my server Remote Desktop connections by setting them to use High Encryption and SSL connection.  I can connect just fine to them if I tell my client to use encryption.  All works as it should.  The problem lies in that it isn't just me that connects to these servers.  I can't go around to these people and make them change all of their connections to use encryption.  Well not directly at least.  :)

Even after enabling all of this, these people can still connect via RDP to the servers without using encryption. How/can I set the server to only allow encrypted traffic via terminal services?
0
Question by:AAckley
13 Comments
 
LVL 5

Expert Comment

by:sadburger
ID: 21815823
You can do this by enabling the group policy setting "Require secure RPC communication"
and setting "Require use of specific security layer for remote (RDP) connections" to SSL.
These settings are located at
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security



0
 
LVL 5

Expert Comment

by:sadburger
ID: 21815872
That location listed is for Windows Server 2008. The policies and locations for 2k3 are as follows:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security
Set "Set client connection encryption level" to High
and
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security\RPC Security Policy
Enable the "Secure Server (Require Security)" policy.



0
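The two comments above point at policy settings, but the question is whether the listener on the server has actually ended up with them. The following is an added example, not code from the thread or from Microsoft: a PowerShell audit run on the terminal server itself that reads the RDP-Tcp listener values and the corresponding policy values from the registry, works out which one is in effect, and reports whether the listener would still accept the legacy RDP security layer or a lower encryption level. It assumes the standard WinStations and Terminal Services policy registry locations and value names (SecurityLayer, MinEncryptionLevel, UserAuthenticationRequired); the security-layer and NLA policy values only exist on Server 2008 and later, so on 2003 only the listener value and the encryption-level policy are expected to be present.

```powershell
# Added example, not from the thread: audit the effective RDP-Tcp listener
# security settings on a terminal server. Run in an elevated PowerShell
# prompt on the server being checked.

# Assumed standard locations: the listener's own settings (written by the
# Terminal Services Configuration console) and the policy overrides
# (written by the Terminal Services group policies, which take precedence).
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-EffectiveRdpSetting {
    param([string]$Name)
    # Policy value wins when present; otherwise fall back to the listener value.
    $policy = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($policy -and $null -ne $policy.$Name) {
        return @{ Value = [int]$policy.$Name; Source = 'Group Policy' }
    }
    $local = Get-ItemProperty -Path $listenerKey -Name $Name -ErrorAction SilentlyContinue
    if ($local -and $null -ne $local.$Name) {
        return @{ Value = [int]$local.$Name; Source = 'RDP-Tcp listener' }
    }
    return @{ Value = $null; Source = 'not set' }
}

# Meaning of the numeric values.
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$secLayer = Get-EffectiveRdpSetting 'SecurityLayer'
$minEnc   = Get-EffectiveRdpSetting 'MinEncryptionLevel'
$nla      = Get-EffectiveRdpSetting 'UserAuthenticationRequired'

function Describe($setting, $names) {
    if ($null -eq $setting.Value) { return "not set" }
    $label = $names[$setting.Value]
    if (-not $label) { $label = 'unknown' }
    return "$($setting.Value) ($label) from $($setting.Source)"
}

$findings = @()
if ($secLayer.Value -ne 2) {
    $findings += 'SecurityLayer is not SSL: the listener will still accept the legacy RDP security layer.'
}
if ($null -eq $minEnc.Value -or $minEnc.Value -lt 3) {
    $findings += 'MinEncryptionLevel is below High: clients may negotiate weaker encryption.'
}
if ($nla.Value -ne 1) {
    $findings += 'UserAuthenticationRequired is not 1: Network Level Authentication is not enforced (not available on Server 2003).'
}

"RDP-Tcp listener on $env:COMPUTERNAME"
"  SecurityLayer              : $(Describe $secLayer $layerNames)"
"  MinEncryptionLevel         : $(Describe $minEnc $encNames)"
"  UserAuthenticationRequired : $(if ($null -eq $nla.Value) { 'not set' } else { "$($nla.Value) from $($nla.Source)" })"
if ($findings.Count -eq 0) {
    '  Result: listener requires the SSL security layer with High encryption.'
} else {
    '  Findings:'
    $findings | ForEach-Object { "    - $_" }
}
```

Reading both locations matters because gpupdate reporting no errors only tells you the policy value was written; if the policy value is absent (for instance a 2008-only policy applied on a 2003 server), the listener value under WinStations is what the service actually uses. Comparing the two on a server that still accepts unencrypted sessions is the quickest way to see which setting is really in effect.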
 
LVL 1

Author Comment

by:AAckley
ID: 21816046
That is what I thought also...  :(   Already been there and done that.  Ran gpupdate and verified that nothing was throwing errors.  Even made the same changes on the client side to see if I could force it from that direction, with no change.

I can connect encrypted just fine... but I can also connect unencrypted just fine also and therein lies the problem.
0
 
LVL 5

Expert Comment

by:sadburger
ID: 21816478
What version / service pack of Windows is running on the terminal server?

You can run gpedit.msc to look at the local policy on the terminal server to be sure that the settings you configured are set correctly.
0
 
LVL 1

Author Comment

by:AAckley
ID: 21816506
2003 sp2... w/ ISA or SQL server 2005 depending on the two servers I'm testing this on.  They've all been updated to the latest patches released this month.  

And I've been setting the group policy at the local level to avoid possible replication issues by assigning it to a domain policy.  This way, I know it has been applied.
0
 
LVL 5

Expert Comment

by:sadburger
ID: 21816658
Okay, looks like you can only configure the encryption through GP; you need to configure the authentication portion directly through the Terminal Services Configuration console.

Open Terminal Services Configuration, and bring up the properties for the connection that you configured your certificate on. On the General tab, after you install the certificate you will get an additional option under Security Layer for SSL. You should also set the Encryption Level to High on this tab (although this part should be configured through group policy already).

In Server 2008 you can specify the authentication method through group policy, but not in 2003.
0
 
LVL 1

Author Comment

by:AAckley
ID: 21816697
Not the problem.  That is all done.  I can connect with encryption just fine.  It works just fine if I tell my RDP client to connect with authentication/encryption... I pass encrypted traffic, get the lock icon and everything.  The problem is that if I tell my system to connect without encryption, the server still allows the connection and I'm passing traffic in the clear.  I need to make the server only accept encrypted/authenticated traffic and I can't seem to get it to do that.
0
 
LVL 5

Expert Comment

by:sadburger
ID: 21816782
With the security layer set to SSL and encryption set to High, as long as the certificate is correctly installed, non-secured remote sessions should not be able to authenticate. This has worked properly on my test terminal servers.

When you log in with the authentication, are you choosing the option "Attempt Authentication" or are you using "Require Authentication"? Perhaps the certificate is not correctly installed and you are continuing on to the terminal session without encryption, as would be the case with "Attempt Authentication".

There are no other steps that I am aware of to require a secure RDP connection.

See: http://support.microsoft.com/kb/895433
0
 
LVL 1

Author Comment

by:AAckley
ID: 21816837
Yea, therein lies the issue.  That is how it is supposed to work.  The cert is installed correctly... I even had my issuing CA revoke an old one and re-issue a new one (I've a whole PKI infrastructure already in place) before assigning it to this use.

When I log in with the RDP client set to "Always connect even if authentication fails", it bypasses the encryption and connects right up... if I set it to anything else, it still goes through just fine but is encrypted as it should be.
0
 

Expert Comment

by:truggeri
ID: 22035716
Did you ever get this to work?  I am facing the same problem on my Terminal Server.
Thanks
TR
0
 
LVL 1

Author Comment

by:AAckley
ID: 22036322
Nope.  :(

The encrypted connection works just fine, but people can still connect unencrypted.  Makes no sense.
0
 
LVL 1

Accepted Solution

by: Computer101 earned 0 total points
ID: 22226326
PAQed with no points refunded (of 500)

Computer101
EE Admin
0