Securing Remote Desktop Services in Windows Server 2008 R2

1 of 6 28/09/2010 22:48

Taking a look at the security mechanisms built into RDS; how to use Group Policy and configuration settings for better security.

Published: Aug 18, 2010
Updated: Aug 18, 2010
Section: Articles :: Misc Network Security
Author: Deb Shinder
Rating: 5/5 (7 votes)

Introduction

Remote Desktop Services (RDS) on Windows Server 2008 R2 has more than just a new name; this is not your father's Terminal Services. With new features (some of them introduced in Windows Server 2008) such as RemoteApp, RD Gateway, and RD Virtualization Host, this Windows Server role now provides you with the flexibility to deploy individual applications or full desktops via RDS or a VDI solution, in many cases without the need for Citrix or other third-party add-ons. But what about security? All of these added complexities translate to new security challenges, too. In this article, we will look at the security mechanisms built into RDS, how you can use configuration settings and Group Policy for better security, and best security practices for an RDS deployment.

What's New in R2

If you're coming to RDS from Windows Server 2008 Terminal Services, you will not see as many dramatic changes as if you have upgraded from Windows Server 2003. WS 2008 added some big improvements to Terminal Services, including TS Web Access for connecting via a browser, the TS Gateway for users connecting across the Internet, RemoteApp for delivering individual applications to users over the Remote Desktop Protocol (RDP), and the Session Broker, which included a load balancing feature.
WS 2008 R2 added even more goodness:

- Remote Desktop Virtualization for a VDI solution
- RDS Provider for PowerShell, so admins can change configuration and perform tasks at the command line and via scripts
- Remote Desktop IP Virtualization, which allows IP addresses to be assigned to connections on a per-session or per-program basis
- A new version of RDP and the Remote Desktop Connection (RDC) client, v. 7.0
- Fair Share CPU scheduling to dynamically distribute processing time across sessions based on the number of active sessions
- Windows Installer compatibility to make it easier to install programs that require per-user configuration
- True multiple monitor support for up to 16 monitors, whereby programs function just as they do when running on the client computer

There are also improvements to audio/video and support for Windows Aero in an RD session (however, note that Desktop Composition, which enables Aero, is not supported in a session with multiple monitors).

Security Implications and Mechanisms

Obviously, potential security issues depend on how you deploy RDS. If you have a more complex setup, with users connecting over the Internet and/or via a web browser, you'll have more security issues to address than if you have a simple deployment where users only connect via the RDC client over the LAN. RDS includes a number of security mechanisms to help you make RD connections more secure.

Network Level Authentication

For best security, you should require Network Level Authentication (NLA) for all connections. NLA requires that the user be authenticated to the RD Session Host server before a session is created. This helps protect the remote computer from malicious users and malware. To use NLA, the client computer must be using an operating system that supports Credential Security Support Provider (CredSSP) protocols, which means Windows XP SP3 or above, and running RDC client 6.0 or above.

NLA is configured on the RD Session Host server via Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration. To configure a connection to use NLA, follow these steps:

1. Right click the Connection.
2. Select Properties.
3. Click the General tab.
4. Check the box that says "Allow connections only from computers running Remote Desktop with Network Level Authentication", as shown in Figure 1.
5. Click OK.

Figure 1

Transport Layer Security (TLS)

An RDS session can use one of three security layers for protecting communications between the client and the RD Session Host server:

- RDP security layer: this uses native RDP encryption and is least secure. The RD Session Host server is not authenticated.
- Negotiate: TLS 1.0 (SSL) encryption will be used if the client supports it. If not, the session will fall back to RDP security.
- SSL: TLS 1.0 encryption will be used for server authentication and encryption of data sent between the client and Session Host server. This is the most secure option.

For best security practices, you can require SSL/TLS encryption. You will need a digital certificate, which can be issued by a CA (preferred) or self-signed.

In addition to selecting the security layer, you can select the encryption level for the connection. Your choices here are:

- Low: uses 56-bit encryption for data sent from client to server. Does not encrypt data sent from server to client.
- Client Compatible: this is the default. It encrypts data sent both ways between client and server with the maximum key strength that the client supports.
- High: this encrypts data sent both ways between client and server with 128-bit encryption.
- FIPS Compliant: this encrypts data sent both ways between client and server with FIPS 140-1 validated encryption.

Note that if you select a High or FIPS Compliant level, any clients that don't support those levels won't be able to connect.

Here's how you configure the server authentication and encryption settings:

1. On the RD Session Host, open Remote Desktop Session Host Configuration and the connection's Properties dialog box as described above.
2. On the General tab, choose the appropriate security layer and encryption level from the drop-down boxes, as shown in Figure 2.
3. Click OK.

Figure 2

You can also use Group Policy to control these authentication and encryption settings, along with other aspects of RDS.

Group Policy

There are a number of Group Policy settings for RDS in Windows Server 2008 R2. These are located under Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services in the Group Policy Management Console for your domain, as shown in Figure 3.

Figure 3

As you can see, there are policies for licensing, the RDC client and the RD Session Host. The security-related policies for the RD Session Host include:

- Server Authentication Certificate Template: Use this policy to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. If you enable this policy, only certificates that are created using the specified template will be considered in selecting a certificate to authenticate the RD Session Host server.
- Set Client Connection Encryption Level: This policy is used to control whether use of a specific encryption level is required. When you enable the policy, all communications must use the specified encryption level. The default encryption level setting is High.
- Always Prompt for Password upon Connection: You can use this policy to force RDS to always ask for the user's password when logging onto an RD session, even if the password is entered in the RDC client. By default, users can log in automatically if the password is entered in the RDC client.
- Require Secure RPC Communication: Enabling this policy means only authenticated and encrypted requests from clients will be allowed. Communications with untrusted clients will not be allowed.
- Require Use of Specific Security Layer for Remote (RDP) Connections: If you enable this policy, all communications between clients and Session Host servers must use the security layer that you specify here (RDP, Negotiate or SSL/TLS).
- Do Not Allow Local Administrators to Customize Permissions: This policy disables administrator rights to customize security permissions in the RD Session Host Configuration tool, to prevent local admins from changing the user groups on the Permissions tab in the configuration tool.
- Require User Authentication for Remote Connections by using Network Level Authentication: With this policy, you can require NLA for all remote connections to the RD Session Host server. Only clients that support NLA will be able to connect.

Note: Here's how you can find out whether a client computer supports Network Level Authentication: open the RDC client and click the icon in the upper left corner, then select About. If NLA is supported, you will see "Network Level Authentication Supported".

Other Group Policy settings worth checking out fall under the RD Connection Client node. These include:

- Do not allow passwords to be saved: Enabling this policy will disable the checkbox to save the password in the RDC client dialog box. If a user opens an RDP file and saves his settings, previously saved passwords will be deleted. This forces the user to enter his password each time he logs on.
- Specify SHA1 thumbprints of certificates representing trusted .rdp publishers: With this policy, you can specify a list of SHA1 certificate thumbprints; when a certificate matches a thumbprint on the list, it will be trusted.
- Prompt for credentials on the client computer: This policy causes users to be prompted for credentials on the client computer instead of on the RD Session Host.

- Configure server authentication for client: With this policy, you can determine whether a client can establish a connection to the RD Session Host when the client cannot authenticate the RD Session Host server. The highest security setting is "Do not connect if authentication fails".

You can also use Group Policy to configure FIPS compliance, but you won't find that policy here with the other RDS security policies. Instead, it's in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. In the right pane, scroll down to "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". When you enable this policy, it supports only the Triple DES (3DES) encryption algorithm for RDS communications.

RD Web Access

For client computers that don't have the RDC client software installed, users can access the published apps to which they have access using the web browser. The user goes to the URL to which the RDS resources are published. The RD Web Access Server is a separate server from the RD Session Host. You define which RD Web Access servers can connect to which RD Session Host servers. The web interface is configured with SSL and the user must be authenticated with his/her credentials. The authenticated user will only be able to see those RemoteApp programs that his/her account is authorized to use, because the published programs are trimmed using an access control list (ACL). The Web Access Server uses an X.509 certificate to provide encryption. By default, a self-signed certificate is used. For better security, you should obtain a certificate from a public CA or your company's PKI.

RD Gateway

The RD Gateway (RDG) is used to give users access to RD resources across the Internet. The Gateway server is located at the edge and it filters incoming RDS requests according to a Network Policy Server (NPS).
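As an added example that is not part of the article, the following PowerShell script audits an RD Session Host against the settings covered in the NLA, TLS and Group Policy sections above and reports which ones are in place. It assumes it is run elevated on the RD Session Host itself, that the connection is the default RDP-Tcp listener, and that the Win32_TSGeneralSetting WMI class and the registry values named in the comments are what the corresponding Group Policy settings write.

```powershell
# Added audit script; not code from the article. Assumptions: runs elevated on the
# RD Session Host, audits the default RDP-Tcp connection, and relies on the
# Win32_TSGeneralSetting WMI class plus the registry values that the Group Policy
# settings described in the article write under the Policies hive.
$ConnectionName = 'RDP-Tcp'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$FipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$securityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$encryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-PolicyValue([string]$Key, [string]$Name) {
    # $null means the corresponding Group Policy setting is Not Configured on this host
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { $item.$Name } else { $null }
}

function New-Check([string]$Check, $Value, [bool]$Pass) {
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Pass = $Pass }
}

# Effective per-connection settings: what RD Session Host Configuration displays
$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$ConnectionName'"
if ($ts -eq $null) { throw "Connection '$ConnectionName' not found; run this on the RD Session Host." }

# Locate the certificate bound to the connection and test whether it is self-signed
$cert = Get-ChildItem 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1
$selfSigned = ($cert -ne $null) -and ($cert.Subject -eq $cert.Issuer)

# Policy-enforced values; when present they override the per-connection settings
$polNla   = Get-PolicyValue $PolicyKey 'UserAuthentication'    # Require NLA
$polLayer = Get-PolicyValue $PolicyKey 'SecurityLayer'         # Require specific security layer
$polEnc   = Get-PolicyValue $PolicyKey 'MinEncryptionLevel'    # Set client connection encryption level
$polRpc   = Get-PolicyValue $PolicyKey 'fEncryptRPCTraffic'    # Require secure RPC communication
$polPwd   = Get-PolicyValue $PolicyKey 'fPromptForPassword'    # Always prompt for password upon connection
$polSave  = Get-PolicyValue $PolicyKey 'DisablePasswordSaving' # Do not allow passwords to be saved (client)
$fips     = Get-PolicyValue $FipsKey   'Enabled'               # System cryptography: use FIPS compliant algorithms

$results = @(
    New-Check 'Connection: NLA required'          ([bool]$ts.UserAuthenticationRequired) ($ts.UserAuthenticationRequired -eq 1)
    New-Check 'Connection: security layer'        $securityLayerNames[[int]$ts.SecurityLayer] ($ts.SecurityLayer -eq 2)
    New-Check 'Connection: encryption level'      $encryptionNames[[int]$ts.MinEncryptionLevel] ($ts.MinEncryptionLevel -ge 3)
    New-Check 'Connection: CA-issued certificate' $cert.Issuer (($cert -ne $null) -and -not $selfSigned)
    New-Check 'GPO: Require NLA'                  $polNla   ($polNla -eq 1)
    New-Check 'GPO: Require SSL/TLS layer'        $polLayer ($polLayer -eq 2)
    New-Check 'GPO: Encryption High or FIPS'      $polEnc   ($polEnc -ge 3)
    New-Check 'GPO: Require secure RPC'           $polRpc   ($polRpc -eq 1)
    New-Check 'GPO: Always prompt for password'   $polPwd   ($polPwd -eq 1)
    New-Check 'GPO: Password saving disabled'     $polSave  ($polSave -eq 1)
    New-Check 'Local policy: FIPS algorithms'     $fips     ($fips -eq 1)
)

$results | Format-Table Check, Value, Pass -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more RDS hardening checks failed.' }
```

A GPO row with a blank Value column means that policy is Not Configured on the host, so the per-connection setting in the first rows is what is actually in effect.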
The NPS uses two policies: the Connection Authorization Policy (CAP), which lists which users can access the RDG, and the Resource Authorization Policy (RAP), which specifies which devices the CAP user can connect to via the RDG.

Summary

Remote Desktop Services in Windows Server 2008 R2 greatly extends the functionality of its predecessor, Terminal Services, but it also presents some new security issues that need to be addressed. Following security best practices in configuring the components of your RDS deployment (the RD Session Host, the RD Web Access Server, the RD Gateway and the client) and using Group Policy to control the configuration will help you maintain a secure environment while reaping the benefits of RDS delivery of applications and full desktops to your users.

About Deb Shinder

DEBRA LITTLEJOHN SHINDER, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to over 20 additional books. Her articles are regularly published

on TechRepublic's TechProGuild Web site and WindowSecurity.com, and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corporation, Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. Deb lives and works in the Dallas-Ft Worth area and can be contacted at deb@shinder.net or via the website at www.shinder.net.

Copyright 2010 TechGenix Ltd. All rights reserved.