JP_TechGroup asked:
Secure RDP Sessions to Windows Server 2003 with SSH like key?

Is it possible to set up a public / private key arrangement to secure Windows terminal services, much like Linux secures ssh connections?
dmarinenko:
Unfortunately not by default or with a simple setting. Here is how RDP works on the encryption side: http://www.oxid.it/downloads/rdp-gbu.pdf
What you can use is a VPN, or you can implement an RDP/SSH combo:
http://www.softwaresecretweapons.com/jspwiki/windowsremotedesktopoverssh
JP_TechGroup (ASKER):
OYE! and OYE again.
Heaven forbid it should be easy!
Unfortunately, my users are doing well if they can remember which icon to click on and what their password is. Adding another layer of user interactive security is not an option. Thus, I was hoping for a public/private key setup that need only be configured once on each machine.

Are there other commercial alternatives that are seamless, or at least more seamless than SSH or VPN? Google isn't bringing up much. Thanks.
kevinhsieh:
The latest version of the RDP client allows the client to authenticate the server via standard certificates over TLS. This is if you are concerned about man in the middle attacks over your LAN. If you are connecting over the Internet, you should be using Remote Desktop Gateway, which wraps the RDP traffic inside SSL/TLS and uses computer certificates to authenticate the servers and encrypt the connections. This only works with Windows XP SP3 clients and better and Windows 2008 Servers or better.

http://technet.microsoft.com/en-us/library/cc770833.aspx

http://technet.microsoft.com/en-us/library/cc732713.aspx

http://blogs.technet.com/b/askperf/archive/2008/02/16/ws2008-network-level-authentication-and-encryption.aspx
In title:
Secure RDP Sessions to Windows Server 2003...
:)
Sorry, I missed that. Use TS Gateway or IPSec.
Ok, riddle me this. How is VPN any more secure against brute force attacks? The MITM attacks are less of a concern than this much more real threat, which we are currently dealing with. What am I missing?
VPN is easy to configure with certs. That's how. Also with multiple rdp hosts you increase your points of entry but with VPN you have a single point to monitor
What exactly is the threat model that you are concerned with?

RDP is encrypted to begin with, but is subject to MITM because the client doesn't normally authenticate the end point, and you can't authenticate it with Windows 2003. RDP uses 128 bit RC4 or TLS, so a cryptographic attack against the data stream isn't practical. If you connect to TS Gateway (available on SBS 2003 or Windows 2008, can be used with a 2003 TS server), the RDP protocol is tunneled inside an SSL session, which is authenticated via computer certificates just like SSL in your browser. That is very secure from an authenticated endpoint and data privacy standpoint.
It is possible to use client certificate authentication with recent versions of MSTSC - you need to have a corporate CA, but that's standard as well these days.
Kevin,
We are experiencing a prolonged brute force attack on our terminal server from multiple IPs which change every 24 hours or so. Ideally, I would like to prevent anyone that does not have a key or certificate installed on their PC which matches a corresponding key or certificate from even being able to connect.

ASKER CERTIFIED SOLUTION
kevinhsieh:
remark Block traffic from International Networks and invalid networks
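As a defender-side complement to the accepted answer, here is an added example (not from this thread or any of its participants) that reads exported failed-logon events, flags untrusted sources that exceed a failure threshold inside a time window, and renders them as host-level deny entries in the same style as the accepted answer's ACL. The log line format, the event-id set, the threshold and window, and the 10.0.0.0/8 trusted network are assumptions; the log data is constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one failed-logon record per line, as
# "<date> <time> <event id> <account> <source>"; 529 = Server 2003 failure id, 4625 = 2008+.
SAMPLE_LOG = """\
2012-03-01 02:10:01 529 administrator 203.0.113.7
2012-03-01 02:10:03 529 admin 203.0.113.7
2012-03-01 02:10:09 529 guest 203.0.113.7
2012-03-01 03:00:00 529 jsmith 198.51.100.22
2012-03-01 03:00:30 528 jsmith 198.51.100.22
2012-03-01 04:00:00 529 administrator 192.0.2.9
2012-03-01 04:08:00 529 administrator 192.0.2.9
2012-03-01 04:16:00 529 administrator 192.0.2.9
2012-03-01 05:00:00 529 bob 10.1.2.3
2012-03-01 05:00:01 529 bob 10.1.2.3
2012-03-01 05:00:02 529 bob 10.1.2.3
"""
FAILED_LOGON_IDS = {"529", "4625"}
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # assumed LAN; never auto-blocked

def parse_events(text):
    """Return [(timestamp, account, source ip)] for failed-logon lines only."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] in FAILED_LOGON_IDS:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            events.append((ts, parts[3], ipaddress.ip_address(parts[4])))
    return events

def brute_force_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Map untrusted source ip -> total failures when >= threshold failures fall in one window."""
    by_ip = defaultdict(list)
    for ts, _acct, ip in events:
        if not any(ip in net for net in TRUSTED):
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

def deny_lines(flagged):
    """Render host-level deny entries in the style of the accepted answer's ACL."""
    return [f" deny   ip host {ip} any" for ip in sorted(flagged)]
```

Only 203.0.113.7 is flagged: the 198.51.100.22 entries are mostly successes, the 192.0.2.9 failures are spread beyond the window, and 10.1.2.3 sits in the trusted network.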
Accurate answer, just not the answer I wanted... and frankly Microsoft, not the answer I should have to accept.