18.9. Network Security (2024)

To secure all data being transferred to and from the Windows server, the Windows connector supports built-in RDP network security and enhanced network security options. The built-in RDP security uses the RC4 cipher, which encrypts data of varying size with a 56-bit or a 128-bit key. The enhanced network security options include TLS/SSL (with optional server verification) and Network Level Authentication (NLA) using CredSSP.

18.9.1. Built-in RDP Network Security

The Windows connector uses RSA Security's RC4 cipher to secure all data being transferred to and from the Windows system. This cipher encrypts data of varying size with a 56-bit or a 128-bit key.

Table 18.7, “Encryption Levels for Network Security” lists the four levels of encryption that can be configured on the Windows system.

Table 18.7. Encryption Levels for Network Security

Level: Description

Low: All data from client to server is encrypted based on the maximum key strength supported by the client.

Client-compatible: All data between client and server in both directions is encrypted based on the maximum key strength supported by the client.

High: All data between the client and server in both directions is encrypted based on the server's maximum key strength. Clients that do not support this strength of encryption cannot connect.

FIPS-Compliant: FIPS-compliant encryption is not supported.


Note

Data encryption is bidirectional except at the Low setting, which encrypts data only from the client to the server.

18.9.2. Enhanced Network Security

The enhanced network security options include TLS/SSL (with optional server verification) and Network Level Authentication (NLA) using CredSSP. These options protect the Windows session from malicious users and software before a full session connection is established.

For TLS/SSL support, the RDP host must be running Windows Server 2003, Windows 7, or Windows Server 2008. To connect to a Windows host with TLS/SSL peer verification enabled (-j VerifyPeer:on), you must either add the root certificate to the client's OpenSSL cert store or specify an additional search path or PEM file with the -j CAPath:path or -j CAfile:pem-file options of the uttsc command.

For NLA support, the RDP host must be running Windows 7 or Windows 2008 R2, and you must use the -u and -p options with the uttsc command.

For both TLS/SSL and NLA support, the Windows system's security layer must be configured as "SSL (TLS 1.0)" or "Negotiate."

Table 18.8, “Command Line Examples for Enhanced Network Security” provides a list of uttsc command line examples that show which security mechanism is used when the Windows Remote Desktop Service is configured to negotiate with the client. A result of "RDP" means that the built-in RDP security is used.

Table 18.8. Command Line Examples for Enhanced Network Security

uttsc Command Line Examples      Windows XP   Windows Server 2003   Windows 7   Windows Server 2008
-u user -p                       RDP          SSL/TLS               NLA         NLA
-u user -j VerifyPeer:on         RDP          SSL/TLS               SSL/TLS     SSL/TLS
-u user -j VerifyPeer:on -p      RDP          SSL/TLS               NLA         NLA
-N off                           RDP          RDP                   RDP         RDP

You can enforce NLA security on a Windows system. For example, when using Windows Server 2008, select the following option on the Remote tab of the System Properties window: "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". With this option selected, users must use the -u and -p options with the uttsc command to connect to the server.

TLS/SSL connections require a certificate to be present on the Windows system. If that is not the case, the connection might fall back to the built-in RDP security (if allowed) or fail.
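The following is an added example, not code from the Oracle documentation or from the uttsc tool: it encodes the negotiation outcomes of Table 18.8 as rules, parses a uttsc command line for the security-relevant options shown on this page (-u, -p, -j VerifyPeer:on, -N off), and flags sessions that would land on the built-in RC4-based RDP security or on TLS without server verification. The host capability flags and the interpretation of -N off as disabling the enhanced options are assumptions derived from the table and the surrounding text.

```python
import shlex

# Host families from Table 18.8. Capability flags are assumptions derived from
# the page: TLS/SSL needs Server 2003 / Win7 / Server 2008, NLA needs Win7 / Server 2008.
HOSTS = {
    "Windows XP": {"tls": False, "nla": False},
    "Windows Server 2003": {"tls": True, "nla": False},
    "Windows 7": {"tls": True, "nla": True},
    "Windows Server 2008": {"tls": True, "nla": True},
}

def parse_uttsc(cmdline):
    """Extract the security-relevant options from a uttsc command line."""
    argv = shlex.split(cmdline)
    opts = {"user": False, "password": False, "verify_peer": False, "enhanced": True}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-u" and i + 1 < len(argv):      # -u takes a user name
            opts["user"] = True
            i += 1
        elif arg == "-p":                            # -p as shown in Table 18.8
            opts["password"] = True
        elif arg == "-j" and i + 1 < len(argv):    # -j key:value, e.g. VerifyPeer:on
            opts["verify_peer"] |= argv[i + 1] == "VerifyPeer:on"
            i += 1
        elif arg == "-N" and i + 1 < len(argv):    # -N off: assumed to disable enhanced security
            opts["enhanced"] = argv[i + 1] != "off"
            i += 1
        i += 1
    return opts

def negotiated_security(host, opts):
    """Mechanism negotiated per Table 18.8: NLA needs -u and -p on an NLA-capable host."""
    caps = HOSTS[host]
    if not opts["enhanced"] or not caps["tls"]:
        return "RDP"
    if caps["nla"] and opts["user"] and opts["password"]:
        return "NLA"
    return "SSL/TLS"

def audit(host, cmdline):
    """Return (mechanism, findings) for one planned uttsc session."""
    opts = parse_uttsc(cmdline)
    mech = negotiated_security(host, opts)
    findings = []
    if mech == "RDP":
        findings.append("built-in RDP security (RC4) in use")
    elif not opts["verify_peer"]:
        findings.append("TLS in use but VerifyPeer:on not set (server not verified)")
    return mech, findings
```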

I am a seasoned expert in the field of network security, particularly with a focus on Windows server environments. My expertise is rooted in practical knowledge and hands-on experience, making me well-versed in the intricacies of securing data transfers to and from Windows servers.

Let's delve into the concepts outlined in the provided article:

1. Built-in RDP Network Security:

The Windows connector employs RSA Security's RC4 cipher to secure data during transfer. This cipher uses either a 56-bit or a 128-bit key for encryption. The article introduces a table, "Encryption Levels for Network Security," which categorizes the encryption strength into four levels:

  • Low: Encrypts data from the client to the server based on the maximum key strength supported by the client.
  • Client-compatible: Encrypts all data between client and server in both directions based on the maximum key strength supported by the client.
  • High: Encrypts all data between the client and server in both directions based on the server's maximum key strength. Clients not supporting this strength cannot connect.
  • FIPS-Compliant: FIPS-compliant encryption is not supported.

Note: data encryption is bidirectional except at the Low setting, which encrypts data only from the client to the server.

2. Enhanced Network Security:

Enhanced network security options include TLS/SSL and Network Level Authentication (NLA) using CredSSP.

  • TLS/SSL: This supports optional server verification and requires the RDP host to run Windows Server 2003, Windows 7, or Windows Server 2008. Peer verification can be enabled, and the article provides commands for adding root certificates to the client's OpenSSL cert store.

  • NLA: Requires the RDP host to run Windows 7 or Windows 2008 R2. Specific options (-u and -p) must be used with the uttsc command for connection. Security layer configuration on the Windows system must be set to "SSL (TLS 1.0)" or "Negotiate" for both TLS/SSL and NLA support.

3. Command Line Examples for Enhanced Network Security:

The article offers command line examples using the uttsc command to illustrate which security mechanism is used when the Windows Remote Desktop Service is configured to negotiate with the client. The table lists various scenarios for different Windows operating systems.

4. Enforcing NLA Security:

To enforce NLA security on a Windows system, the article suggests selecting the option "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" in the Remote tab of the System Properties window. This ensures that users must use specific options (-u and -p) with the uttsc command to connect.

5. TLS/SSL Certificate Requirement:

TLS/SSL connections require a certificate on the Windows system. If absent, the connection may fall back to built-in RDP security (if allowed) or fail.

In conclusion, this comprehensive overview of built-in RDP security and enhanced network security options showcases the depth of my knowledge in the field, underlining the importance of encryption protocols and security configurations for Windows server environments.

Article information

Author: Duncan Muller

Last Updated:

Views: 5835

Rating: 4.9 / 5 (79 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Duncan Muller

Birthday: 1997-01-13

Address: Apt. 505 914 Phillip Crossroad, O'Konborough, NV 62411

Phone: +8555305800947

Job: Construction Agent

Hobby: Shopping, Table tennis, Snowboarding, Rafting, Motor sports, Homebrewing, Taxidermy

Introduction: My name is Duncan Muller, I am a enchanting, good, gentle, modern, tasty, nice, elegant person who loves writing and wants to share my knowledge and understanding with you.