RDP with Secure Sockets Layer (SSL) is a new feature in Windows Server 2003 Service Pack (SP) 1 and later that you don't hear much about. It might be flying under the radar, but you can use RDP with SSL to transport your data with strong encryption and to let users confirm that they're connecting to a trusted terminal server. I'll show you how to configure your clients to connect to a terminal server by using SSL and to configure your terminal server to accept RDP connections with SSL.
New in SP1
RDP is the Microsoft proprietary protocol for Windows Terminal Services. The end-to-end encryption provided by RDP with SSL provides an extra layer of encryption for data confidentiality and allows the client to verify the identity of the server, preventing man-in-the-middle attacks. If the client doesn't trust the Certification Authority (CA) that issues the SSL certificate to the server and/or the server name can't be verified, the client displays a warning before connecting to the server.
Using SSL to enforce server identity checking and end-to-end data encryption for RDP is different from RDP over HTTP (scheduled for Longhorn Server), which is the ability to make a connection to a Windows Terminal Services server via RDP through port 443. RDP port 3389 is still required to establish a terminal server session in Windows 2003 SP1 and later.
Even if you have a certificate issued by your own intranet CA (as opposed to a third-party CA such as VeriSign, which Windows trusts by default), SSL can't be used to ensure that only known clients connect via RDP to the server. Client certificate requests aren't supported. An IPsec VPN or Secure Shell (SSH) tunnel is still the best method to ensure that only trusted clients can connect to a server.
Installing and Configuring the Remote Desktop Connection Client
On Windows 2003 SP1 and later systems, you can find the files for the new Remote Desktop Connection client (version 5.2.3790.1830) in the C:\windows\system32\clients\tsclient\win32 folder. Note that the source files for installing version 5.2 of the client software on your workstations are currently available only in Windows 2003 SP1.
Make the files in the win32 folder available on a share that's accessible to the workstations on your network. Then you can manually install the updated Remote Desktop Connection client on a Windows XP or Windows 2000 workstation by connecting to the share, running the setup.exe file, and following the prompts.
Version 5.2 of the Remote Desktop Connection client has a new Security tab (shown in Figure 1), which you can use to specify whether the client should check the server's certificate before establishing a connection with the server. You can choose from three options:
- No authtication—the client won't attempt to check the server certificate before a connection is made. If the server requires SSL authentication, the client won't be able to connect.
- Require authentication—the client will check the server certificate before it connects with the server. If the client can't determine the identity of the server, it won't establish a connection with the server.
- Attempt authentication—the client will check the server certificate before connecting with the server. The client can connect to the server with or without SSL authentication, depending on the configuration of the server, even if the client can't fully verify the server identity.
Currently, no setting is available in Group Policy for the new security option of the Remote Desktop Connection client. However, you can define a DWORD value of AuthenticationLevelOverride in the HKEY_CURRENT_USER\ Software\Microsoft\Terminal Server Client registry subkey to enforce your chosen setting. Set the value to 0 for No authentication, 1 for Require authentication, or 2 for Attempt authentication. You can set a DWORD value of Authentication-LevelOverride in the HKEY_LOCAL_MACHINE\SOFTWARE\Terminal Server Client subkey to affect all the users of the workstation.