Secure RDP Sessions to Windows Server 2003 with SSH like key?

Last Modified: 2012-05-11
Is it possible to set up a public / private key arrangement to secure Windows terminal services, much like Linux secures ssh connections?

Unfortunately not by default or a simple setting; here is how RDP works on the encryption side: http://www.oxid.it/downloads/rdp-gbu.pdf
What you can use is a VPN or you can implement an RDP/SSH combo
http://www.softwaresecretweapons.com/jspwiki/windowsremotedesktopoverssh

Author

Commented:
OYE! and OYE again.
Heaven forbid it should be easy!
Unfortunately, my users are doing well if they can remember which icon to click on and what their password is. Adding another layer of user interactive security is not an option. Thus, I was hoping for a public/private key setup that need only be configured once on each machine.

Are there other commercial alternatives that are seamless, or at least more seamless than ssh or vpn? Google isn't bringing up much. Thanks.
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
The latest version of the RDP client allows the client to authenticate the server via standard certificates over TLS. This is if you are concerned about man in the middle attacks over your LAN. If you are connecting over the Internet, you should be using Remote Desktop Gateway, which wraps the RDP traffic inside SSL/TLS and uses computer certificates to authenticate the servers and encrypt the connections. This only works with Windows XP SP3 clients and better and Windows 2008 Servers or better.

http://technet.microsoft.com/en-us/library/cc770833.aspx

http://technet.microsoft.com/en-us/library/cc732713.aspx

http://blogs.technet.com/b/askperf/archive/2008/02/16/ws2008-network-level-authentication-and-encryption.aspx

Author

Commented:
In title:
Secure RDP Sessions to Windows Server 2003...
:)
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
Sorry, I missed that. Use TS Gateway or IPSec.

Author

Commented:
Ok, riddle me this. How is vpn any more secure against brute force attacks? The MITM attacks are less of a concern than this much more real threat, which we are currently dealing with. What am I missing?
Aaron Tomosky, Director, SD-WAN Solutions
CERTIFIED EXPERT

Commented:
VPN is easy to configure with certs. That's how. Also with multiple rdp hosts you increase your points of entry but with VPN you have a single point to monitor
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
What exactly is the threat model that you are concerned with?

RDP is encrypted to begin with, but is subject to MITM because the client doesn't normally authenticate the end point, and you can't authenticate it with Windows 2003. RDP uses 128 bit RC4 or TLS, so a cryptographic attack against the data stream isn't practical. If you connect to TS Gateway (available on SBS 2003 or Windows 2008, can be used with 2003 TS server), the RDP protocol is tunneled inside an SSL session, which is authenticated via computer certificates just like SSL in your browser. That is very secure from an authenticated endpoint and data privacy standpoint.
Dave Howe, Software and Hardware Engineer

Commented:
It is possible to use client certificate authentication with recent versions of MSTSC - you need to have a corporate CA, but that's standard as well these days.

Author

Commented:
Kevin,
We are experiencing a prolonged brute force attack on our terminal server from multiple IPs which change every 24 hours or so. Ideally, I would like to prevent anyone that does not have a key or certificate installed on their PC which matches a corresponding key or certificate from even being able to connect.

kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
remark Block traffic from International Networks and invalid networks
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 1.0.0.0 0.255.255.255 any
 deny   ip 2.0.0.0 0.255.255.255 any
 deny   ip 5.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 23.0.0.0 0.255.255.255 any
 deny   ip 27.0.0.0 0.255.255.255 any
 deny   ip 31.0.0.0 0.255.255.255 any
 deny   ip 36.0.0.0 0.255.255.255 any
 deny   ip 37.0.0.0 0.255.255.255 any
 deny   ip 39.0.0.0 0.255.255.255 any
 deny   ip 42.0.0.0 0.255.255.255 any
 deny   ip 57.0.0.0 0.255.255.255 any
 deny   ip 58.0.0.0 0.255.255.255 any
 deny   ip 59.0.0.0 0.255.255.255 any
 deny   ip 60.0.0.0 0.255.255.255 any
 deny   ip 61.0.0.0 0.255.255.255 any
 deny   ip 62.0.0.0 0.255.255.255 any
 deny   ip 77.0.0.0 0.255.255.255 any
 deny   ip 78.0.0.0 0.255.255.255 any
 deny   ip 79.0.0.0 0.255.255.255 any
 deny   ip 80.0.0.0 0.255.255.255 any
 deny   ip 81.0.0.0 0.255.255.255 any
 deny   ip 82.0.0.0 0.255.255.255 any
 deny   ip 83.0.0.0 0.255.255.255 any
 deny   ip 84.0.0.0 0.255.255.255 any
 deny   ip 85.0.0.0 0.255.255.255 any
 deny   ip 86.0.0.0 0.255.255.255 any
 deny   ip 87.0.0.0 0.255.255.255 any
 deny   ip 88.0.0.0 0.255.255.255 any
 deny   ip 89.0.0.0 0.255.255.255 any
 deny   ip 90.0.0.0 0.255.255.255 any
 deny   ip 91.0.0.0 0.255.255.255 any
 deny   ip 92.0.0.0 0.255.255.255 any
 deny   ip 93.0.0.0 0.255.255.255 any
 deny   ip 94.0.0.0 0.255.255.255 any
 deny   ip 95.0.0.0 0.255.255.255 any
 deny   ip 100.0.0.0 0.255.255.255 any
 deny   ip 101.0.0.0 0.255.255.255 any
 deny   ip 102.0.0.0 0.255.255.255 any
 deny   ip 103.0.0.0 0.255.255.255 any
 deny   ip 104.0.0.0 0.255.255.255 any
 deny   ip 105.0.0.0 0.255.255.255 any
 deny   ip 106.0.0.0 0.255.255.255 any
 deny   ip 109.0.0.0 0.255.255.255 any
 deny   ip 110.0.0.0 0.255.255.255 any
 deny   ip 111.0.0.0 0.255.255.255 any
 deny   ip 112.0.0.0 0.255.255.255 any
 deny   ip 113.0.0.0 0.255.255.255 any
 deny   ip 114.0.0.0 0.255.255.255 any
 deny   ip 115.0.0.0 0.255.255.255 any
 deny   ip 116.0.0.0 0.255.255.255 any
 deny   ip 117.0.0.0 0.255.255.255 any
 deny   ip 118.0.0.0 0.255.255.255 any
 deny   ip 119.0.0.0 0.255.255.255 any
 deny   ip 120.0.0.0 0.255.255.255 any
 deny   ip 121.0.0.0 0.255.255.255 any
 deny   ip 122.0.0.0 0.255.255.255 any
 deny   ip 123.0.0.0 0.255.255.255 any
 deny   ip 124.0.0.0 0.255.255.255 any
 deny   ip 125.0.0.0 0.255.255.255 any
 deny   ip 126.0.0.0 0.255.255.255 any
 deny   ip 175.0.0.0 0.255.255.255 any
 deny   ip 176.0.0.0 0.255.255.255 any
 deny   ip 177.0.0.0 0.255.255.255 any
 deny   ip 178.0.0.0 0.255.255.255 any
 deny   ip 179.0.0.0 0.255.255.255 any
 deny   ip 180.0.0.0 0.255.255.255 any
 deny   ip 181.0.0.0 0.255.255.255 any
 deny   ip 182.0.0.0 0.255.255.255 any
 deny   ip 183.0.0.0 0.255.255.255 any
 deny   ip 185.0.0.0 0.255.255.255 any
 deny   ip 186.0.0.0 0.255.255.255 any
 deny   ip 187.0.0.0 0.255.255.255 any
 deny   ip 189.0.0.0 0.255.255.255 any
 deny   ip 190.0.0.0 0.255.255.255 any
 deny   ip 193.0.0.0 0.255.255.255 any
 deny   ip 194.0.0.0 0.255.255.255 any
 deny   ip 195.0.0.0 0.255.255.255 any
 deny   ip 197.0.0.0 0.255.255.255 any
 deny   ip 200.0.0.0 0.255.255.255 any
 deny   ip 201.0.0.0 0.255.255.255 any
 deny   ip 202.0.0.0 0.255.255.255 any
 deny   ip 210.0.0.0 0.255.255.255 any
 deny   ip 211.0.0.0 0.255.255.255 any
 deny   ip 212.0.0.0 0.255.255.255 any
 deny   ip 213.0.0.0 0.255.255.255 any
 deny   ip 217.0.0.0 0.255.255.255 any
 deny   ip 218.0.0.0 0.255.255.255 any
 deny   ip 219.0.0.0 0.255.255.255 any
 deny   ip 220.0.0.0 0.255.255.255 any
 deny   ip 221.0.0.0 0.255.255.255 any
 deny   ip 222.0.0.0 0.255.255.255 any
 deny   ip 223.0.0.0 0.255.255.255 any
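
The two practical problems in this thread are spotting the brute-force source addresses in the terminal server's logon-failure audits and checking what an ACL like the one above would actually do with them. The following is an added example written for this page, not code from the thread or from any participant. It assumes constructed audit records (time, event id 529, account, logon type, source address; logon type 10 is the RDP/RemoteInteractive type) rather than real exported events, uses a short excerpt of the posted ACL, and appends a `permit ip any any` that the post omits, because an IOS ACL ends with an implicit deny and the list as posted would block every client. The brute-force threshold and the sample addresses are assumptions. Note that 203.0.0.0/8 is not in the posted list, so the example's second attacker passes the ACL: a per-/8 block list is a coarse filter, not an allow list.

```python
"""Triage an RDP brute-force attempt and check sources against a Cisco-style ACL.

Added example; not code from the thread. Part 1 groups failed-logon audit
records by source address and flags sources above a threshold. Part 2
evaluates those addresses against deny entries written in Cisco wildcard-mask
notation like the ACL above, to show which attackers that list would drop.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample records (not real data). Fields mimic what an exported
# Windows logon-failure audit carries: time, event id (529 on Server 2003),
# account tried, logon type (10 = RemoteInteractive, i.e. RDP), source address.
SAMPLE_EVENTS = """\
2012-05-10 02:14:07,529,administrator,10,202.51.7.9
2012-05-10 02:14:09,529,admin,10,202.51.7.9
2012-05-10 02:14:11,529,root,10,202.51.7.9
2012-05-10 02:14:13,529,guest,10,202.51.7.9
2012-05-10 02:20:31,529,administrator,10,203.0.113.45
2012-05-10 02:20:33,529,admin,10,203.0.113.45
2012-05-10 02:20:35,529,test,10,203.0.113.45
2012-05-10 03:01:02,529,jsmith,10,192.0.2.10
2012-05-10 03:05:44,529,backup,2,91.200.12.3
"""

# Excerpt of the ACL posted above, in IOS syntax, plus a trailing permit that
# the post omits. An IOS ACL ends with an implicit "deny any", so without a
# permit line the list would block every client; the permit is an assumption.
SAMPLE_ACL = """\
remark Block traffic from International Networks and invalid networks
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 91.0.0.0 0.255.255.255 any
 deny   ip 202.0.0.0 0.255.255.255 any
 permit ip any any
"""

ACE_RE = re.compile(r"^\s*(permit|deny)\s+ip\s+(any|host\s+\S+|\S+\s+\S+)\s+", re.I)


def failed_rdp_logons(text: str, logon_type: str = "10") -> Counter:
    """Count failed logons per source address, keeping only the given logon type."""
    counts: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _event, _account, ltype, source = line.split(",")
        if ltype == logon_type:
            counts[source] += 1
    return counts


def flag_brute_force(counts: Counter, threshold: int) -> dict:
    """Sources with at least `threshold` failures, most active first."""
    return {ip: n for ip, n in counts.most_common() if n >= threshold}


def parse_acl(text: str) -> list:
    """Return (action, network_int, wildcard_int) for each source ACE."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # remarks and blank lines carry no rule
        action, src = m.group(1).lower(), m.group(2).split()
        if src[0].lower() == "any":
            net, wc = 0, 0xFFFFFFFF
        elif src[0].lower() == "host":
            net, wc = int(ipaddress.IPv4Address(src[1])), 0
        else:
            net, wc = (int(ipaddress.IPv4Address(x)) for x in src)
        entries.append((action, net, wc))
    return entries


def wildcard_match(ip: str, network: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask means that bit must match."""
    return (int(ipaddress.IPv4Address(ip)) ^ network) & ~wildcard & 0xFFFFFFFF == 0


def acl_action(ip: str, entries: list) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for action, net, wc in entries:
        if wildcard_match(ip, net, wc):
            return action
    return "deny"


def triage(events: str, acl: str, threshold: int = 3) -> list:
    """(source, failures, ACL verdict) for each source over the threshold."""
    entries = parse_acl(acl)
    flagged = flag_brute_force(failed_rdp_logons(events), threshold)
    return [(ip, n, acl_action(ip, entries)) for ip, n in flagged.items()]


if __name__ == "__main__":
    for ip, n, verdict in triage(SAMPLE_EVENTS, SAMPLE_ACL):
        print(f"{ip:<16} {n:>3} failed RDP logons  ACL: {verdict}")
```

Run against the constructed records, the 202.51.7.9 source is both flagged and denied, while 203.0.113.45 is flagged but permitted because no entry covers 203.0.0.0/8; the console-type failure from 91.200.12.3 is excluded by the logon-type filter. Replace `SAMPLE_EVENTS` with the fields from a real Security log export and `SAMPLE_ACL` with the full list to get the same verdict for each attacking address.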

Author

Commented:
Accurate answer, just not the answer I wanted... and frankly Microsoft, not the answer I should have to accept.