Securing Terminal Services Connection using TLS and FIPS


Terminal Services can be secured using a variety of methods. One of the better methods available in Windows Server 2003 is the combination of a server certificate and the requirement of Federal Information Processing Standard (FIPS) compliant encryption. This article notes links and observations about using this method (with side notes about Small Business Server 2003). To improve security on the client side, please read this article on Terminal Services Client RDP Security.

HOW TO:

KB895433 – How to configure a Windows Server 2003 terminal server to use TLS

LINKS:

Use the KB895433 article. It walks you through the procedure.

NOTE: on Small Business Server 2003 there is a specific limitation regarding the Security Layer. When setting the Terminal Services Configuration (tscc.msc), the Security Layer must be set to Negotiate to allow Remote Web Workplace (RWW) to connect to the SBS computer using the Connect to Server Desktops feature (a function of RWW). To review: in setting up the RDP-Tcp Properties in the Terminal Services Configuration, there are three options:

  • RDP Security Layer
  • Negotiate (better)
  • SSL (best)

SSL (in combination with FIPS) is the strongest Security Layer; however, IT DOES NOT WORK WITH REMOTE WEB WORKPLACE (SBS 2003). If you enable SSL and FIPS, trying to Connect to Server Desktop fails with a message indicating that authentication is required (this is Terminal Services indicating that RWW is not getting along with TLS/FIPS). By lowering the Security Layer to Negotiate, Remote Web Workplace is able to choose its optimal security level. So, if you are setting TLS/FIPS encryption for Terminal Services on your SBS 2003 server, use Negotiate as the security layer. This allows Remote Web Workplace to negotiate while retaining a strong level of FIPS compliant encryption for connecting directly to Terminal Services over RDP port 3389 using Remote Desktop Connection.
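The settings KB895433 has you set by hand in tscc.msc can also be audited after the fact. The following is an added example, not code from the original article: it reads the RDP-Tcp listener's Security Layer, encryption level and bound certificate through the Terminal Services WMI provider (class Win32_TSGeneralSetting in root\cimv2\TerminalServices, assumed to be available on the audited host) and reports whether the configuration matches the recommendation above, with a switch for the SBS 2003 case where Negotiate rather than SSL is the expected layer.

```powershell
# Added example (not from the original article). Audits the RDP-Tcp listener
# configured by KB895433. Assumes the Terminal Services WMI provider (namespace
# root\cimv2\TerminalServices, class Win32_TSGeneralSetting) exists on the target
# and that the caller has administrative rights there (-ComputerName audits remotely).
function Test-RdpSecurityLayer {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # On SBS 2003 with Remote Web Workplace, Negotiate is the required layer;
        # on other servers the strongest choice, SSL, is expected.
        [switch]$SmallBusinessServer
    )
    # Enumerations used by Win32_TSGeneralSetting for the two settings we care about.
    $securityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL' }
    $encryptionNames    = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

    $rdp = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
                         -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $rdp) { throw "No RDP-Tcp listener found on $ComputerName" }

    $layer = [int]$rdp.SecurityLayer
    $level = [int]$rdp.MinEncryptionLevel
    $expectedLayer = if ($SmallBusinessServer) { 1 } else { 2 }

    # TLS needs a server certificate bound to the listener. The hash is exposed as a
    # string (or byte array on older providers); either way, all zeros or empty means none.
    $hashText  = ($rdp.SSLCertificateSHA1Hash -join '')
    $certBound = [bool]($hashText -match '[^0]')

    # New-Object is used instead of [pscustomobject] so this runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        ComputerName     = $ComputerName
        SecurityLayer    = $securityLayerNames[$layer]
        EncryptionLevel  = $encryptionNames[$level]
        CertificateBound = $certBound
        SecurityLayerOk  = ($layer -eq $expectedLayer)
        FipsEncryptionOk = ($level -eq 4)
        Compliant        = ($layer -eq $expectedLayer) -and ($level -eq 4) -and $certBound
    }
}

# Usage on an SBS 2003 box (expects Negotiate + FIPS Compliant + a bound certificate):
Test-RdpSecurityLayer -SmallBusinessServer | Format-List
```

Run without -SmallBusinessServer on a plain Windows Server 2003 terminal server, where SSL is the expected layer; a false CertificateBound with SecurityLayer set to SSL means clients will fail to connect over TLS.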

NOTE: in this scenario, two different certificates were used in Small Business Server (one for TS and one for RWW).

UPDATE: read the uksbsguy forum for Microsoft's response to the SBS RWW question. It turns out that custom code is used behind the scenes on SBS to make the Terminal Services connection through RWW. This code does not use RDP from Terminal Services (therefore the certificate and encryption level settings are quite literally unavailable to it).

