Archive for category Terminal Services
Terminal Services (notes from Launch)
Posted by Mark Raborn in Terminal Services on 2008/02/28
Terminal Services in Windows Server 2008 is the biggest release of Terminal Services since Windows NT. Although I did not get to attend in-depth sessions at Launch, here are the bullet points:
Emphasizes
- Remote Worker Efficiency
- Secure Data Applications (RDP is more secure than VPNs, which allow connection to the internal network)
- Application Deployment can be accelerated (all apps instantly available to all users)
Applications now launch as though local to the user. The UI experience is vastly improved.
Printing now uses Universal Print, a new print component of Terminal Services.
- click Print
- document rendered as XPS
- sent to Server as XPS
- Printed and returned to Client as XPS
- converted (at client) back to Print for local printing
To learn more… GO TO
Securing Terminal Services Connection using TLS and FIPS
Posted by Mark Raborn in Terminal Services on 2008/02/12
Terminal Services can be secured using a variety of methods. One of the better methods available in Windows Server 2003 is the combination of a Server Certificate and the requirement of Federal Information Processing Standard (FIPS) encryption. This article notes links and observations about using this method (with side notes about Small Business Server 2003). To improve security on the client side, please read this article on Terminal Services Client RDP Security.
HOW TO:
KB895433 – How to configure a Windows Server 2003 terminal server to use TLS
LINKS:
Use the KB895433 article. It walks you through the procedure.
NOTE: on Small Business Server 2003 there is a specific limitation regarding the Security Layer. When setting the Terminal Services Configuration (tscc.msc), the Security Layer must be set to Negotiate to allow Remote Web Workplace to connect to the SBS computer using the Connect to Server Desktops feature (a function of RWW). To review: when setting up the RDP-Tcp Properties in the Terminal Services Configuration, there are three options:
- RDP Security Layer
- Negotiate (better)
- SSL (best)
SSL (in combination with FIPS) is the strongest Security Layer; however, IT DOES NOT WORK WITH REMOTE WEB WORKPLACE (SBS2003). If you enable SSL and FIPS, trying to Connect to Server Desktop fails: the message indicates that Authentication is required, which is Terminal Services indicating that RWW is not getting along with TLS/FIPS. By lowering the Security Layer to Negotiate, Remote Web Workplace is able to choose its optimal security level. So, if you are setting TLS/FIPS encryption for Terminal Services on your SBS 2003 Server, use Negotiate as the security layer. This allows Remote Web Workplace to negotiate while retaining a strong level of FIPS-compliant encryption for connecting directly to Terminal Services over RDP (port 3389) using Remote Desktop Connection.
NOTE: in this scenario, two different certificates were used in Small Business Server (1 for TS and 1 for RWW)
UPDATE: read uksbsguy forum for Microsoft’s response to the SBS RWW question. Turns out custom code is used behind the scenes on SBS to make the Terminal Connection using RWW. This code does not use RDP from Terminal Services (therefore the Certificate and Encryption level are quite literally unavailable).
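One way to audit a terminal server against the Security Layer and FIPS guidance above, as an added example that is not from the original post or from KB895433. The `SecurityLayer` and `MinEncryptionLevel` registry values, their numeric codes and the function names are assumptions not stated on the page; PowerShell 2.0 or later is assumed.

```powershell
# Added example. Registry value names and numeric codes below are assumptions
# (not given on the page); they back the tscc.msc RDP-Tcp settings.
$LayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL' }
$LevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Test-RdpListenerSecurity {
    param(
        [int]$SecurityLayer,
        [int]$MinEncryptionLevel,
        [switch]$NeedsRemoteWebWorkplace   # SBS 2003 "Connect to Server Desktops"
    )
    $findings = @()
    if ($MinEncryptionLevel -ne 4) {
        $findings += "Encryption level is '$($LevelNames[$MinEncryptionLevel])', not FIPS Compliant."
    }
    switch ($SecurityLayer) {
        0 { $findings += 'RDP Security Layer: the server certificate (TLS) is not used.' }
        1 { if (-not $NeedsRemoteWebWorkplace) {
                $findings += 'Negotiate is only needed for RWW on SBS 2003; set SSL.' } }
        2 { if ($NeedsRemoteWebWorkplace) {
                $findings += 'SSL breaks RWW Connect to Server Desktops; use Negotiate.' } }
        default { $findings += "Unknown SecurityLayer value $SecurityLayer." }
    }
    New-Object PSObject -Property @{
        SecurityLayer   = $LayerNames[$SecurityLayer]
        EncryptionLevel = $LevelNames[$MinEncryptionLevel]
        Compliant       = ($findings.Count -eq 0)
        Findings        = $findings
    }
}

function Get-RdpListenerSecurity {
    # Reads the live listener settings on the server this is run on.
    param([string]$Listener = 'RDP-Tcp', [switch]$NeedsRemoteWebWorkplace)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Listener"
    $p = Get-ItemProperty -Path $key
    # A missing value casts to 0, which is reported as a finding rather than hidden.
    Test-RdpListenerSecurity -SecurityLayer $p.SecurityLayer `
        -MinEncryptionLevel $p.MinEncryptionLevel `
        -NeedsRemoteWebWorkplace:$NeedsRemoteWebWorkplace
}

# Constructed sample values (not read from a real server):
Test-RdpListenerSecurity -SecurityLayer 2 -MinEncryptionLevel 4                           # direct RDP only
Test-RdpListenerSecurity -SecurityLayer 2 -MinEncryptionLevel 4 -NeedsRemoteWebWorkplace  # SBS 2003 with RWW
Test-RdpListenerSecurity -SecurityLayer 1 -MinEncryptionLevel 2 -NeedsRemoteWebWorkplace  # Negotiate without FIPS
```

On a live server, run `Get-RdpListenerSecurity` (add `-NeedsRemoteWebWorkplace` on SBS 2003) from an elevated prompt; settings applied through Group Policy may override the listener values read here.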
Terminal Services Client RDP Security
Posted by Mark Raborn in Terminal Services on 2008/01/03
Updating Remote Desktop Connection to enable more secure connections to Terminal Services
mstsc.exe = Remote Desktop Connection
Remote Desktop Protocol (RDP) is a standard Windows Terminal protocol that has been in use for many years. Securing RDP is essential in today’s Internet environment as malicious traffic can take easy advantage of unsecured protocols and ports. The security capabilities associated with Terminal Services and the Remote Desktop Connection client have progressed with each revision. This article describes enabling a more secure RDP/RDC Connection from the Client Terminal to the Remote Server/Client.
Each Remote Desktop Connection (RDC) client offers different capabilities, user experience, and GUI. On some versions of Windows, an RDC client is pre-installed. However, the pre-installed version may not be current or secure. If the version of Remote Desktop Connection is older than version 5.1, it should be upgraded. Here is a table (in progress) of compatible combinations of RDC and Windows Operating Systems based on releases (as of 2008-01-03):
Remote Desktop Connection Clients
| Windows OS | default RDC | current RDC | highest security |
|---|---|---|---|
| Windows 2000 | none | RDC 5.2 | TLS+FIPS |
| Windows XP | RDC 5.1 | RDC 6.0 | negotiate |
| Windows Server 2003 | RDC 5.2 | RDC 6.0 | negotiate |
| Windows Vista | RDC 6.0 | RDC 6.0 | negotiate |
| Windows Server 2008 | RDC 6.1 | RDC 6.1 | ??? |
NOTE: (tables/lists are time sensitive and require update)
Simply said, RDC 5.2 or later can secure Remote Desktop Protocol sessions. Remote Desktop Connection 5.2 includes a Security tab in the Options. Remote Desktop Connection 5.1 or earlier DOES NOT! So as we review any Remote Desktop Connection software installed on our Clients, it is important to be aware of that difference. Vista comes standard with RDC 6.0 (secure), XP with RDC 5.1 (insecure), and Windows 2000 (no default client) did not come packaged with any Remote Desktop Client. Knowing the differences and upgrading when needed is very important.
The download package of Remote Desktop Connection from Microsoft can be a little confusing if you are working with a Windows 2000 system. Microsoft Windows 2000 will install and run Remote Desktop Connection 5.2. However, the download.microsoft.com site currently offers only RDC 6.0, which includes the RDC 5.2 install but does not state that in plain language.
When installing RDC 6.0 on Windows 2000, the Microsoft Installer will install the RDC 5.2 version that is compatible with Windows 2000 (even though the download package suggests by name that it is RDC 6.0 only).
Microsoft Terminal Services LINKS
Terminal Services Team Blog
Remote Desktop Connection (Terminal Services Client 6.0) – DOWNLOAD
Remote Desktop Connection (Terminal Services Client 6.0) – KB925876
Vista Remote Desktop 6.0 configuration recommendations for Home Users