Published: February 25, 2008

Where terminal servers will connect with clients that are outside the corporate network, there are a number of ways to secure the communications. The level of security selected for each farm will depend on the security requirements of the applications that run in the farm and the capabilities and location of the clients. If clients are all inside the corporate network, then there may be no need to secure the communications except where sensitive transactions need additional protection from the possibility of eavesdropping.

Task 1: Determine the Encryption Level Between Clients and the Terminal Server

Terminal Services sessions use native 128-bit RDP encryption by default. However, the RDP encryption strength can instead be set at the terminal server to use 56-bit encryption. This may be necessary if the clients that will connect are unable to support higher encryption levels or if the server or client is in a country or region that does not permit the use of 128-bit encryption.

Departments and agencies of the United States federal government require the use of the Federal Information Processing Standard (FIPS) 140 encryption algorithm. This can be used for communications by Windows Server 2008 Terminal Services, but then only clients that support this level of security will be able to connect.

Determine the highest level of encryption that will allow the clients to connect, and implement that level on the terminal server.

Task 2: Determine Whether to Seal the Communications

RDP does not provide authentication to verify the identity of a terminal server, which makes it potentially vulnerable to man-in-the-middle attacks. TLS/SSL encryption can be used to enforce mutual authentication between the client and the server before communications are allowed to proceed. This authentication is effected by a certificate exchange.

Perform an assessment of the risk and potential cost of a man-in-the-middle attack. This will be used in the next step to determine the certification authority.

Task 3: Determine the Certification Authority

Certificates will be required in order to use RDP or HTTPs communications between the clients and the terminal server. There are three ways to source those certificates so that they are available at the terminal server and at all the clients that will need them:

• Self-signed certificates. Certificates are generated locally and are then placed in the TS Gateway or in the SSL terminator if the TS Gateway is in the secure zone. The companion certificates must then be distributed and installed on each of the clients that may connect. No infrastructure setup is required and there is no cost, but the installation of the certificates on every client machine can be significant work.
• Trusted third party. There are a number of trusted certification authorities (CAs), such as VeriSign, that provide a certificate service for a fee. The client and the server both trust the CA and exchange certificates from them. No client install is required, and this can be a very convenient implementation if unmanaged clients will connect to the Terminal Services environment.
• Operate a certificate server. In this case, a certificate server is set up outside the secure zone for the clients to access. It requires investment in hardware and software and involves setup work and ongoing maintenance. In addition, the clients may not all be willing to trust this server.

Determine the total cost in hardware, software, and effort of each of the options for the organization, and weigh that against the convenience that they provide for clients. Once that is done, select the option that is most cost-effective overall. Now compare the cost of that selection against the risk of a man-in-the-middle attack, as determined in the previous task. If the benefit outweighs the cost, implement certificates.

Task 4: Determine Whether to Encapsulate with HTTPs

If the clients connect using RDP, port 3389 must be open on the external firewall. Many organizations strive to limit the number of ports that are open to the Internet, often limiting it to ports 80 (http) and 443 (https).

Determine whether policy requires that only ports 80 and 443 can be open in the external firewall, and if that is the case, implement HTTPs communications using the TS Gateway role service.

Decision Summary

The security implementation between the clients and the terminal server has been determined. Record this in the farm design job aid (Appendix C).

Additional Reading

Windows Server 2008 Security Guide, available at https://www.microsoft.com/technet/security/prodtech/windowsserver2008/default.mspx