Configure Server Authentication and Encryption Levels

Applies To: Windows Server 2008

By default, Terminal Services sessions use native Remote Desktop Protocol (RDP) encryption. However, RDP does not provide authentication to verify the identity of a terminal server, so a client has no way to confirm that it is talking to the intended server rather than a host impersonating it. You can enhance the security of Terminal Services sessions by using Transport Layer Security (TLS) 1.0 for server authentication and to encrypt terminal server communications. Both the terminal server and the client computer must be correctly configured for TLS to provide this enhanced security.

Note

For more detailed information about configuring security settings for a terminal server, see the Terminal Services page on the Windows Server 2008 TechCenter (https://go.microsoft.com/fwlink/?LinkID=73931).

Three security layers are available.

Security layer Description

SSL (TLS 1.0)

SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.

Negotiate

This is the default setting.

The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used.

RDP Security Layer

Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.

Note

You can enhance terminal server security by providing user authentication earlier in the connection process when a client connects to a terminal server. This early user authentication method is referred to as Network Level Authentication. For more information about Network Level Authentication, see Configure Network Level Authentication for Terminal Services Connections.

A certificate is needed to authenticate a terminal server when SSL (TLS 1.0) is used to secure communication between a client and a terminal server during RDP connections. You can select a certificate that you have installed on the terminal server, or you can use the default self-signed certificate. Note that clients have no reason to trust a self-signed certificate, so it provides encryption but does not give the client a trustworthy way to verify the server's identity.

Note

It is recommended that you obtain and install a certificate issued by one of the trusted public certification authorities that participate in the Microsoft Root Certificate Program, so that clients can validate the terminal server's certificate without additional configuration.

For Terminal Services connections, data encryption can protect your data by encrypting it on the communications link between the client and the server. Encryption helps protect against the risk of unauthorized transmission interception on the link between server and client.

By default, Terminal Services connections are encrypted at the highest level of security available (128-bit). However, some older versions of the Terminal Services client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.

Note

To determine the maximum encryption strength supported by the version of Remote Desktop Connection running on the computer, start Remote Desktop Connection, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase "Maximum encryption strength" in the About Remote Desktop Connection dialog box. Remote Desktop Connection 5.2 and later support 128-bit encryption.

Four encryption levels are available.

Encryption level Description

FIPS Compliant

This level encrypts and decrypts data sent from the client to the server and from the server to the client by using Federal Information Processing Standard (FIPS) 140-1 validated encryption methods. Clients that do not support this level of encryption cannot connect.

High

This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. Use this level when the terminal server is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.

Client Compatible

This is the default setting.

This level encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this level when the terminal server is running in an environment containing mixed or legacy clients.

Low

This level encrypts data sent from the client to the server by using 56-bit encryption. Data sent from the server to the client is not encrypted. Because the server-to-client direction carries the session's screen output, anyone who can observe the link can see what the user sees; use this level only where that is acceptable.

Use the following procedure to configure the server authentication and encryption settings for a connection on the terminal server.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure the server authentication and encryption settings for a connection

  1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. In the Properties dialog box for the connection, click the General tab.

  4. Select the server authentication and encryption settings that are appropriate for your environment, based on your security requirements and the level of security that your client computers can support.

  5. If you select SSL (TLS 1.0), either select a certificate that is installed on the terminal server or click Default to generate a self-signed certificate. If you are using a self-signed certificate, the name of the certificate is displayed as Auto generated.

  6. Click OK.
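The same General-tab settings can be applied from PowerShell. The following is an added example, not code from the original page: it uses the Win32_TSGeneralSetting WMI class that Terminal Services Configuration itself edits to set the security layer to SSL (TLS 1.0), the encryption level to High, and to bind an installed server-authentication certificate as described in the certificate section above. It assumes that PowerShell is installed on the server, that the connection is named RDP-Tcp, and that the first valid certificate in the machine store with a private key and the Server Authentication purpose is the one intended for this terminal server. Run it in an elevated session as a member of the local Administrators group.

```powershell
# Added example (not from the original page): configure security layer,
# encryption level and server certificate for a connection via WMI.
# Assumptions: connection name RDP-Tcp; first matching certificate in
# LocalMachine\My is the one meant for this terminal server.

$connectionName = 'RDP-Tcp'
$tsNamespace    = 'root\CIMV2\TerminalServices'

# Numeric values behind the choices shown on the General tab.
$SecurityLayer   = @{ RDP = 0; Negotiate = 1; SSL = 2 }   # SSL = SSL (TLS 1.0)
$EncryptionLevel = @{ Low = 1; ClientCompatible = 2; High = 3; FIPS = 4 }

function Get-TSConnection([string]$Name) {
    Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='$Name'"
}

# A certificate is usable for TLS server authentication when it has a
# private key, is within its validity period, and carries the Server
# Authentication enhanced key usage (OID 1.3.6.1.5.5.7.3.1).
function Test-ServerAuthCert($Cert) {
    if (-not $Cert.HasPrivateKey) { return $false }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { return $false }
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { return $true }
            }
        }
    }
    return $false
}

$ts = Get-TSConnection $connectionName
if ($ts -eq $null) { throw "Connection '$connectionName' was not found." }
"Before: SecurityLayer=$($ts.SecurityLayer) MinEncryptionLevel=$($ts.MinEncryptionLevel) Cert=$($ts.SSLCertificateSHA1Hash)"

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { Test-ServerAuthCert $_ } |
        Select-Object -First 1
if ($cert -eq $null) {
    # Without an installed certificate the server would fall back to the
    # self-signed "Auto generated" one, which clients cannot verify.
    throw 'No valid server-authentication certificate with a private key in LocalMachine\My.'
}

# SetSecurityLayer and SetEncryptionLevel are methods of the class and report
# a non-zero ReturnValue on failure; the certificate hash is a property that
# is written back with Put().
$r = $ts.SetSecurityLayer($SecurityLayer.SSL)
if ($r.ReturnValue -ne 0) { throw "SetSecurityLayer failed with $($r.ReturnValue)" }
$r = $ts.SetEncryptionLevel($EncryptionLevel.High)
if ($r.ReturnValue -ne 0) { throw "SetEncryptionLevel failed with $($r.ReturnValue)" }
$ts.SSLCertificateSHA1Hash = $cert.Thumbprint
[void]$ts.Put()

# Re-read rather than trusting the return codes: a Group Policy setting under
# Terminal Server\Security takes precedence and would leave the old value.
$ts = Get-TSConnection $connectionName
if ($ts.SecurityLayer -ne $SecurityLayer.SSL -or
    $ts.MinEncryptionLevel -ne $EncryptionLevel.High -or
    $ts.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw 'Settings did not take effect; check for overriding Group Policy settings.'
}
"After:  SecurityLayer=$($ts.SecurityLayer) MinEncryptionLevel=$($ts.MinEncryptionLevel) Cert=$($ts.SSLCertificateSHA1Hash)"
```

The script only selects a certificate that already has a private key on the server; the account the terminal server runs under must also be able to read that private key, otherwise clients will fail to negotiate TLS even though the settings appear correct in Terminal Services Configuration.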

You can also configure server authentication and encryption settings by applying the following Group Policy settings:

  • Set client connection encryption level

  • Require use of specific security layer for remote (RDP) connections

  • Server Authentication Certificate Template

  • Require user authentication for remote connections by using Network Level Authentication

These Group Policy settings are located in Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that these Group Policy settings will take precedence over the settings configured in Terminal Services Configuration, with the exception of the Server Authentication Certificate Template policy setting.

You can configure the terminal server to use FIPS as the encryption level by applying the System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing Group Policy setting. This Group Policy setting is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting will take precedence over the setting configured in Terminal Services Configuration and takes precedence over the Set client connection encryption level policy setting.
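Because three layers of settings interact (Terminal Services Configuration, the Terminal Server\Security Group Policy settings, and the system-wide FIPS security option), it is useful to be able to see which one actually determines the effective value. The following is an added example, not code from the original page: it reads the per-connection values, the policy values and the FIPS setting, applies the precedence described above, and warns about the two combinations the page calls out (RDP Security Layer together with Network Level Authentication, and the Low encryption level). It assumes the connection is RDP-Tcp and that the registry locations named in the script are where these settings are stored on Windows Server 2008.

```powershell
# Added example (not from the original page): report the effective security
# layer, encryption level and NLA setting and where each one comes from.
# Assumptions: connection RDP-Tcp; the registry paths below are where
# Terminal Services Configuration, the Terminal Server\Security policies and
# the FIPS security option store their values on Windows Server 2008.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$fipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

# Returns the DWORD value, or $null when the key or value is absent
# (an absent policy value means the policy is Not Configured).
function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

# Group Policy takes precedence over the per-connection value set in
# Terminal Services Configuration.
function Resolve-TSValue([string]$Name) {
    $policy = Get-RegDword $policyKey $Name
    if ($policy -ne $null) { return @{ Value = $policy; Source = 'Group Policy' } }
    $local = Get-RegDword $localKey $Name
    if ($local -ne $null)  { return @{ Value = $local;  Source = 'Terminal Services Configuration' } }
    return @{ Value = $null; Source = 'not set' }
}

function Get-Name([hashtable]$Names, $Value) {
    if ($Value -eq $null) { return 'not set' }
    return $Names[[int]$Value]
}

$layer = Resolve-TSValue 'SecurityLayer'
$level = Resolve-TSValue 'MinEncryptionLevel'
$nla   = Resolve-TSValue 'UserAuthentication'

# The system-wide FIPS security option overrides both of the above for the
# encryption level.
if ((Get-RegDword $fipsKey 'Enabled') -eq 1) {
    $level = @{ Value = 4; Source = 'System cryptography: Use FIPS compliant algorithms' }
}

'{0,-18} {1,-20} from {2}' -f 'Security layer:',   (Get-Name $layerNames $layer.Value), $layer.Source
'{0,-18} {1,-20} from {2}' -f 'Encryption level:', (Get-Name $levelNames $level.Value), $level.Source
'{0,-18} {1,-20} from {2}' -f 'NLA required:',     ($nla.Value -eq 1), $nla.Source

# Combinations the page warns about.
if ($layer.Value -eq 0 -and $nla.Value -eq 1) {
    Write-Warning 'NLA is required but the security layer is RDP Security Layer; NLA cannot be used with it.'
}
if ($level.Value -eq 1) {
    Write-Warning 'Encryption level is Low: data sent from the server to the client is not encrypted.'
}
```

Run the script after changing either Terminal Services Configuration or Group Policy (and after gpupdate has applied the policy) to confirm that the value you intended is the one in force.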

For more information about Group Policy settings for Terminal Services, see the Terminal Services Technical Reference (https://go.microsoft.com/fwlink/?Linkid=89673).

Additional references