• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1898
  • Last Modified:

Set RDP/Terminal service to use certificate for encryption (SSL) but it still allows unencrypted connects

Following all the knowledge base articles and other advice, I've secured my server Remote Desktop connections by setting them to use High Encryption and SSL connection.  I can connect just fine to them if I tell my client to use encryption.  All works as it should.  The problem lies in that it isn't just me that connects to these servers.  I can't go around to these people and make them change all of their connections to use encryption.  Well not directly at least.  :)

Even after enabling all of this, these people can still connection via RDP to the servers without using encyption. How/Can I set the server to only allow encrypted traffic via terminal services?
0
AAckley
Asked:
AAckley
1 Solution
 
sadburgerCommented:
You can do this by enabling the group policy setting "Require secure RPC communication"
and setting the "Require use of specific security layer for remote (RDP) connections" to SSL
These setting are located at
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security



0
 
sadburgerCommented:
That location listed is for Windows Server 2008. The policies and locations for 2k3 are as follows:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security
Set the "Set client connection encryption level" to high
and
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security\RPC Security Policy
enable the "Secure Server (Require Security)" policy



0
 
AAckleyAuthor Commented:
That is what I thought also...  :(   Already been there and done that.  Ran gpupdate and verified that nothing was throwing errors.     Even made the same changes on the client side to see if I could force it from that direction with no change.  

I can connect encrypted just fine... but I can also connect unencrypted just fine also and therein lies the problem.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
sadburgerCommented:
What version / service pack of Windows is running on the terminal server?

You can run gpedit.msc to look at the local policy on the terminal server to be sure that the settings you configured are set correctly.
0
 
AAckleyAuthor Commented:
2003 sp2... w/ ISA or SQL server 2005 depending on the two servers I'm testing this on.  They've all been updated to the latest patches released this month.  

And I've been setting the group policy at the local level to avoid possible replication issues by assigning it to a domain policy.  This way, I know it has been applied.
0
 
sadburgerCommented:
Okay, looks like you can only configure the encryption through GP, you need to configure the authentication portion directly through the terminal services configuration console.

Open Terminal Services Configuration, and bring up the properties for the connection that you configured your certificate on. On the General Tab after you install the certificate you will get an additional option under Security Layer for SSL. You should also set the Encryption Level to High on this tab (although this part should be configured through group policy already.

In Server 2008 you can specify the Authentication method through group policy, but not in 2003.
0
 
AAckleyAuthor Commented:
Not the problem.  That is all done.  I can connect with encryption just fine.  It works just fine if I tell my RDP client to connect with authentication/encryption... I pass encrypted traffic, get the lock icon and everything.  The problem is that if i tell my system to connect without encryption, the server still allows the connection and I'm passing traffic in  the clear.  I need to make the server only accept encrypted/authenticated traffic and I can't seem to get it to do that.
0
 
sadburgerCommented:
With the security layer set to SSL and Encryption set to High, as long as the certificate is correctly installed then Non-secured remote session should not be able to authenticate. This has worked properly on my test terminal servers.

When you login with the authentication, are you choosing the option to "Attempt Authentication" or are you using "Require Authentication"? Perhaps the certificate is not correctly installed and you are continuing on to the terminal session without encryption, as would be the case with "Attempt Authentication".

There are no other steps that I am aware of to require a secure RDP connection

See: http://support.microsoft.com/kb/895433
0
 
AAckleyAuthor Commented:
Yea, therein lies the issue.  That is how it is suppossed to work.  The cert is installed correctly... I even had my issueingCA revoke an old one and re-issue a new one.  (I've a whole PKI infrastructure already in place) before assigning it to this use.  

When I login with the RDP client set to: "Always connect even if authentication fails" it bypasses the encryption and connects right up... if I set it to anything else, it still goes through just fine but is encrypted as it should be.  
0
 
truggeriCommented:
Did you ever get this to work?  I am facing the same problem on my Terminal Server?
Thanks
TR
0
 
AAckleyAuthor Commented:
Nope.  :(

The encrypted connection works just fine, but people can still connect unencrypted.  Makes no sense.
0
 
Computer101Commented:
PAQed with no points refunded (of 500)

Computer101
EE Admin
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now