encrypting RDP sessions between xp/server 2003/server 2008

JustinGSEIWI
I am working toward my PCI compliance and I have a question about the below requirement.

All non-console administrative access is encrypted.

Help

A console is a keyboard or screen that is directly connected to your network hub (like a server or mainframe computer), and is used by administrators.

Passwords that are entered on any computer keyboard with Internet access (both laptop and desktop) other than your console must be encrypted. Examples of this scenario include: database administration interface, web server interface, payment gateway interface, wireless access point (WAP) interface and router interface. The best way to determine if these connections are secure is to look for the https protocol in your web browser address bar.
How to verify you are fulfilling this requirement

- For a sample of system components, verify that non-console administrative access is encrypted by:
  - observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator's password is requested;
  - reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and
  - verifying that administrator access to the web-based management interfaces is encrypted with strong cryptography.
Remediation

The organization must ensure all non-console administrative access is encrypted. Technologies such as SSH, VPN, or SSL/TLS should be used. Verify that non-console administrative access is encrypted by reviewing system service and parameter files to ensure Telnet and other remote login commands are not available and by verifying that web-based management interface access uses strong encryption.

--------------------------------------------------------------

I use RDP internally all the time. When I use it externally, I use a VPN. However, this sounds like when I use RDP at all, it needs to be encrypted, including internal access. How do I tell if all my RDP sessions are encrypted now or not? Also, if they are not, how do I make all RDP sessions encrypted so that I can complete this requirement?

Thanks,

Justin
davealford, IT Support
Commented:
On the server - administrative tools /  terminal service configuration / right click RDP-tcp connection in right pane and select 'properties' and check the encryption level.
davealford, IT Support

Commented:
Should have said - that's server 2003. Encryption capabilities for each server are here - http://en.wikipedia.org/wiki/Remote_Desktop_Protocol
Brian Pierce, Photographer

Commented:

Author

Commented:
Dave, I went to the terminal server configuration manager and it is set at client compatible.

I saw on Wikipedia that as of RDP 5.2, encryption is supported.

In KCTS's link, I found this.

" By default, Terminal Services connections are encrypted at the highest level of security available (128-bit). However, some older versions of the Terminal Services client do not support this high level of encryption."

This sounds like all my sessions are already encrypted as long as they are up to date.

How do I confirm an RDP session is encrypted? Is there any other way than making sure the client and server are up to date with the RDP protocol?

Thanks,

Justin
davealford, IT Support

Commented:
You want to increase the encryption to 'high'. 'Client compatible' allows non-encrypted connections if the client is set to do unencrypted connections or if the client is unable to do encrypted connections - you appear to require all RDP sessions to be encrypted, so it should only do 'high' to either override the client or not allow the connection. Remember, someone may use an RDP client other than MS.

Author

Commented:
I would like to do that but I don't want to change it and then be left unable to connect. If I set it to high, do I have to create/add a certificate or do anything else to ensure the encryption is working?

I did some more reading and a couple of places suggested that RDP is natively encrypted?

Thanks,

Justin
davealford, IT Support
Commented:
Setting it to high doesn't require anything else to be done and won't affect existing connections - subsequent connections will be forced to use high encryption. 'If' you're using the RDP 6 client, the server is set to 'client compatible' and the client is in its default installation then, yes, it'll be running high encryption. Setting it to high just ensures it IS running in high encryption mode ..... the client might be 'natively' encrypted but, unless you check the registry of the client every time you connect, you won't know!
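As an added example (not code from the thread or its participants): a PowerShell script that reads the same RDP-Tcp listener setting the Terminal Services Configuration dialog shows, reports it against the requirement, and raises it to High only when run with a -Remediate switch I added. It assumes an elevated prompt on the terminal server; the registry path and the meaning of each value are Microsoft's documented ones.

```powershell
# Audit (and optionally enforce) the RDP-Tcp listener's minimum encryption level.
# This is the value behind "RDP-Tcp > Properties > General > Encryption level"
# in Terminal Services Configuration. -Remediate is a switch added for this example.
param([switch]$Remediate)

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# MinEncryptionLevel values as used by Terminal Services Configuration
$EncLevels = @{ 0 = 'not set'; 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
# SecurityLayer / UserAuthentication exist on Server 2008 (RDP 6 and later); absent on 2003/XP
$SecLayers = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

$rdp = Get-ItemProperty -Path $Key
$enc = if ($rdp.PSObject.Properties['MinEncryptionLevel']) { [int]$rdp.MinEncryptionLevel } else { 0 }
$sec = if ($rdp.PSObject.Properties['SecurityLayer']) { [int]$rdp.SecurityLayer } else { $null }
$nla = if ($rdp.PSObject.Properties['UserAuthentication']) { [int]$rdp.UserAuthentication } else { $null }

Write-Host ("MinEncryptionLevel : {0} ({1})" -f $enc, $EncLevels[$enc])
if ($sec -ne $null) { Write-Host ("SecurityLayer      : {0} ({1})" -f $sec, $SecLayers[$sec]) }
if ($nla -ne $null) { Write-Host ("UserAuthentication : {0} (Network Level Authentication {1})" -f $nla, @('off', 'on')[$nla]) }

# 'Client Compatible' (2) lets each client negotiate its own strength, so it does not
# prove that every session used 128-bit; High (3) or FIPS (4) forces it server-side,
# which is what an assessor can verify without inspecting each client.
if ($enc -ge 3) {
    Write-Host 'RDP listener forces strong encryption for every new session.'
} elseif ($Remediate) {
    # Only new connections are affected; sessions already open stay up.
    Set-ItemProperty -Path $Key -Name MinEncryptionLevel -Value 3 -Type DWord
    Write-Host 'MinEncryptionLevel raised to High; existing sessions are unaffected.'
} else {
    Write-Warning 'MinEncryptionLevel is below High; rerun with -Remediate to enforce it.'
}
```

On Server 2008, a SecurityLayer of 2 (SSL/TLS) with a server certificate is the stronger choice over the native RDP security layer, but that is a separate setting from the encryption level this thread discusses.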
