JustinGSEIWI asked on
encrypting RDP sessions between xp/server 2003/server 2008

I am working toward my PCI compliance and I have a question about the below requirement.

      
All non-console administrative access is encrypted.

Help

A console is a keyboard or screen that is directly connected to your network hub (like a server or mainframe computer), and is used by administrators.

Passwords that are entered on any computer keyboard with Internet access (both laptop and desktop) other than your console must be encrypted. Examples of this scenario include: database administration interface, web server interface, payment gateway interface, wireless access point (WAP) interface and router interface. The best way to determine if these connections are secure is to look for the https protocol in your web browser address bar.
How to verify you are fulfilling this requirement

- For a sample of system components, verify that non-console administrative access is encrypted by:
  - observing an administrator log on to each system to verify that a strong encryption method is invoked before the administrator's password is requested;
  - reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally; and
  - verifying that administrator access to the web-based management interfaces is encrypted with strong cryptography.
Remediation

The organization must ensure all non-console administrative access is encrypted. Technologies such as SSH, VPN, or SSL/TLS should be used. Verify that non-console administrative access is encrypted by reviewing system service and parameter files to ensure Telnet and other remote login commands are not available and by verifying the web-based management interface access uses strong encryption.

--------------------------------------------------------------

I use RDP internally all the time. When I use it externally, I use a VPN. However, this sounds like when I use RDP at all, it needs to be encrypted, including internal access. How do I tell if all my RDP sessions are encrypted now or not? Also, if they are not, how do I make all RDP sessions encrypted so that I can complete this requirement?

Thanks,

Justin
ASKER CERTIFIED SOLUTION
Dave Alford (United Kingdom)
Should have said - that's server 2003. Encryption capabilities for each server are here - http://en.wikipedia.org/wiki/Remote_Desktop_Protocol
JustinGSEIWI (ASKER)
Dave, I went to the terminal server configuration manager and it is set at client compatible.

I saw on Wikipedia that as of RDP 5.2, encryption is supported.

In KCTS's link, I found this.

" By default, Terminal Services connections are encrypted at the highest level of security available (128-bit). However, some older versions of the Terminal Services client do not support this high level of encryption."

This sounds like all my sessions are already encrypted as long as they are up to date.

How do I confirm an RDP session is encrypted? Is there any other way than making sure the client and server are up to date with the RDP protocol?

Thanks,

Justin
You want to increase the encryption to 'high'. 'Client compatible' allows non-encrypted connections if the client is set to do unencrypted connections or, if the client is unable to do encrypted connections - you appear to require all RDP sessions to be encrypted so it should only do 'high' to either override the client or not allow the connection. Remember, someone may use an RDP client other than MS.
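Added example, not from this thread or from any of the participants: a PowerShell script that reads the RDP-Tcp listener's minimum encryption level (the same value Terminal Services Configuration shows as 'Client Compatible' or 'High') through the Win32_TSGeneralSetting WMI class, reports whether the server-side minimum actually enforces strong encryption, and can raise it to High. The function names are mine; the SecurityLayer property is assumed to exist only on Server 2008 and later, so the script treats it as optional.

```powershell
# Added example (not from the thread). Audits the RDP-Tcp listener's minimum
# encryption level via WMI and can raise it to High (3). Function names are mine.
$EncryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$LayerNames      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Get-RdpTcpSetting {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpEncryptionStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ts    = Get-RdpTcpSetting -ComputerName $ComputerName
    $level = [int]$ts.MinEncryptionLevel
    # SecurityLayer is assumed to exist only on Server 2008 and later (it selects
    # legacy RDP security vs. TLS); treat it as optional so 2003 hosts still report.
    $layerProp = $ts.PSObject.Properties['SecurityLayer']
    $layer = if ($layerProp) { $LayerNames[[int]$layerProp.Value] } else { 'n/a (pre-2008)' }
    New-Object PSObject -Property @{
        Computer        = $ComputerName
        EncryptionLevel = $EncryptionNames[$level]
        SecurityLayer   = $layer
        # 'Client Compatible' (2) lets an old client negotiate weaker encryption than
        # 128-bit, so only High (3) or FIPS (4) enforces the server-side minimum.
        EnforcesStrong  = ($level -ge 3)
    }
}

function Set-RdpEncryptionHigh {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ts = Get-RdpTcpSetting -ComputerName $ComputerName
    # Existing sessions keep running; new clients that cannot do 128-bit are refused.
    $result = $ts.SetEncryptionLevel(3)
    if ($result.ReturnValue -ne 0) { throw "SetEncryptionLevel failed: $($result.ReturnValue)" }
    Get-RdpEncryptionStatus -ComputerName $ComputerName
}

# Audit first; only raise the level once the report confirms the current setting.
Get-RdpEncryptionStatus | Format-List
```

The same value is stored under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp as the MinEncryptionLevel DWORD, so the report can be cross-checked there on a host where the WMI provider is unavailable.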
I would like to do that but I don't want to change it and then be left unable to connect. If I set it to high, do I have to create/add a certificate or do anything else to ensure the encryption is working?

I did some more reading and a couple of places suggested that RDP is natively encrypted?

Thanks,

Justin