Solved

Set RDP/Terminal service to use certificate for encryption (SSL) but it still allows unencrypted connects

Posted on 2008-06-18
Last Modified: 2012-06-21
Following all the knowledge base articles and other advice, I've secured my server Remote Desktop connections by setting them to use High Encryption and SSL connection.  I can connect just fine to them if I tell my client to use encryption.  All works as it should.  The problem lies in that it isn't just me that connects to these servers.  I can't go around to these people and make them change all of their connections to use encryption.  Well not directly at least.  :)

Even after enabling all of this, these people can still connect via RDP to the servers without using encryption. How/Can I set the server to only allow encrypted traffic via terminal services?
Question by:AAckley
13 Comments
 

Expert Comment

by:sadburger
ID: 21815823
You can do this by enabling the group policy setting "Require secure RPC communication"
and setting the "Require use of specific security layer for remote (RDP) connections" to SSL
These setting are located at
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security




Expert Comment

by:sadburger
ID: 21815872
That location listed is for Windows Server 2008. The policies and locations for 2k3 are as follows:
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security
Set the "Set client connection encryption level" to high
and
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Encryption and Security\RPC Security Policy
enable the "Secure Server (Require Security)" policy




Author Comment

by:AAckley
ID: 21816046
That is what I thought also...  :(   Already been there and done that.  Ran gpupdate and verified that nothing was throwing errors.     Even made the same changes on the client side to see if I could force it from that direction with no change.  

I can connect encrypted just fine... but I can also connect unencrypted just fine also and therein lies the problem.

Expert Comment

by:sadburger
ID: 21816478
What version / service pack of Windows is running on the terminal server?

You can run gpedit.msc to look at the local policy on the terminal server to be sure that the settings you configured are set correctly.

Author Comment

by:AAckley
ID: 21816506
2003 sp2... w/ ISA or SQL server 2005 depending on the two servers I'm testing this on.  They've all been updated to the latest patches released this month.  

And I've been setting the group policy at the local level to avoid possible replication issues by assigning it to a domain policy.  This way, I know it has been applied.

Expert Comment

by:sadburger
ID: 21816658
Okay, looks like you can only configure the encryption through GP, you need to configure the authentication portion directly through the terminal services configuration console.

Open Terminal Services Configuration, and bring up the properties for the connection that you configured your certificate on. On the General tab, after you install the certificate, you will get an additional option under Security Layer for SSL. You should also set the Encryption Level to High on this tab (although this part should be configured through group policy already).

In Server 2008 you can specify the Authentication method through group policy, but not in 2003.
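Added example (not part of the thread, and not the poster's own configuration): a PowerShell script that reads the settings the two Group Policy comments above and the Terminal Services Configuration step here are meant to produce, and reports where each effective value actually comes from. It assumes the default listener name RDP-Tcp and the documented registry value names (SecurityLayer, MinEncryptionLevel, fEncryptRPCTraffic); a value written by Group Policy under the Policies key overrides the per-listener value. The check a practitioner wants here is whether the listener really reports SecurityLayer 2 (SSL) rather than 1 (Negotiate): with Negotiate, a client that does not offer TLS is still accepted on the legacy RDP security layer, which is exactly the symptom being described. The WMI part applies to Windows Server 2008 and later only.

```powershell
# Added example: audit (and optionally enforce) the RDP security layer and
# encryption level on a terminal server. Run elevated on the server itself.
# Assumes the default listener name 'RDP-Tcp' (assumption, adjust as needed).

$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Documented meanings of the DWORD values.
$securityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$encryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-EffectiveRdpValue {
    param([Parameter(Mandatory)][string]$Name)
    # Group Policy writes under the Policies key; if a value exists there it
    # wins over whatever Terminal Services Configuration wrote on the listener.
    foreach ($path in @($policy, $listener)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = [int]$item.$Name; Source = $path }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; Source = '(not set anywhere)' }
}

function Describe-Value {
    param([pscustomobject]$Setting, [hashtable]$Names)
    if ($null -eq $Setting.Value) { return "$($Setting.Name) = <not set>  [$($Setting.Source)]" }
    $label = if ($Names -and $Names.ContainsKey($Setting.Value)) { $Names[$Setting.Value] } else { 'unknown' }
    "$($Setting.Name) = $($Setting.Value) ($label)  [from $($Setting.Source)]"
}

$sl  = Get-EffectiveRdpValue -Name 'SecurityLayer'
$mel = Get-EffectiveRdpValue -Name 'MinEncryptionLevel'
$rpc = Get-EffectiveRdpValue -Name 'fEncryptRPCTraffic'   # "Require secure RPC communication"

Describe-Value $sl  $securityLayerNames
Describe-Value $mel $encryptionLevelNames
Describe-Value $rpc @{ 0 = 'RPC encryption not required'; 1 = 'RPC encryption required' }

# The condition the original question is after: every session forced onto TLS
# with High encryption. Negotiate (1) is not enough, because a client that
# never offers TLS still gets the legacy RDP security layer.
if ($sl.Value -eq 2 -and $mel.Value -ge 3) {
    'OK: listener requires SSL/TLS with High (or FIPS) encryption for all clients.'
} else {
    'WARNING: listener will still accept non-TLS sessions, or allows a lower encryption level.'
}

# On Windows Server 2008 and later the same listener is exposed through WMI,
# which also reveals which certificate thumbprint is bound. An empty or
# all-zero hash means the SSL option will not be offered at all.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
if ($ts) {
    "Bound certificate SHA1: $($ts.SSLCertificateSHA1Hash)"
    # Uncomment to enforce TLS-only with High encryption for new sessions:
    # $null = $ts.SetSecurityLayer(2)
    # $null = $ts.SetEncryptionLevel(3)
}

# Server 2003 has no WMI setter for the security layer; write the listener
# values directly instead (new sessions pick them up, existing ones do not):
# Set-ItemProperty -Path $listener -Name SecurityLayer      -Value 2 -Type DWord
# Set-ItemProperty -Path $listener -Name MinEncryptionLevel -Value 3 -Type DWord
```

Run it once before and once after a gpupdate: if the Policies key shows SecurityLayer 2 but the listener line is what the server actually reports as 1, the policy has not applied to the listener yet; if neither key carries SecurityLayer at all, the SSL choice made in Terminal Services Configuration never took, which usually means the certificate was not accepted for that listener.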

Author Comment

by:AAckley
ID: 21816697
Not the problem.  That is all done.  I can connect with encryption just fine.  It works just fine if I tell my RDP client to connect with authentication/encryption... I pass encrypted traffic, get the lock icon and everything.  The problem is that if I tell my system to connect without encryption, the server still allows the connection and I'm passing traffic in the clear.  I need to make the server only accept encrypted/authenticated traffic and I can't seem to get it to do that.

Expert Comment

by:sadburger
ID: 21816782
With the security layer set to SSL and Encryption set to High, as long as the certificate is correctly installed, a non-secured remote session should not be able to authenticate. This has worked properly on my test terminal servers.

When you login with the authentication, are you choosing the option to "Attempt Authentication" or are you using "Require Authentication"? Perhaps the certificate is not correctly installed and you are continuing on to the terminal session without encryption, as would be the case with "Attempt Authentication".

There are no other steps that I am aware of to require a secure RDP connection

See: http://support.microsoft.com/kb/895433

Author Comment

by:AAckley
ID: 21816837
Yea, therein lies the issue.  That is how it is supposed to work.  The cert is installed correctly... I even had my issuing CA revoke an old one and re-issue a new one (I've a whole PKI infrastructure already in place) before assigning it to this use.

When I login with the RDP client set to: "Always connect even if authentication fails" it bypasses the encryption and connects right up... if I set it to anything else, it still goes through just fine but is encrypted as it should be.  
Expert Comment

by:truggeri
ID: 22035716
Did you ever get this to work?  I am facing the same problem on my Terminal Server.
Thanks
TR

Author Comment

by:AAckley
ID: 22036322
Nope.  :(

The encrypted connection works just fine, but people can still connect unencrypted.  Makes no sense.

Accepted Solution

by: Computer101 (earned 0 total points)
ID: 22226326
PAQed with no points refunded (of 500)

Computer101
EE Admin