Security

Applies To: Windows Server 2008 R2

Policy settings in this node control security settings on a Remote Desktop Session Host server.

The full path of this node in the Group Policy Management Console is Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

Note

If you are using the Local Group Policy Editor, Policies is not part of the node path.

Available policy settings

Each setting below is listed by Name, followed by its Explanation and its Requirements (the earliest Windows version on which the setting applies).

Server Authentication Certificate Template

This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server.

A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during RDP connections.

If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.

Important
You must set the certificate template’s attributes Template display name and Template name to the same value.

If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected.

If you disable or do not configure this policy setting, a self-signed certificate will be used by default to authenticate the RD Session Host server. You can select a specific certificate to be used to authenticate the RD Session Host server on the General tab of the Remote Desktop Session Host Configuration tool.

Note

If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting.

At least Windows Vista
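The selection rule described above (template match, name match, latest expiry) can be checked by hand on the server. The following PowerShell is an added example and is not part of the original page or of Remote Desktop Services itself; it reproduces the rule for one template, shows which certificate the RDP-Tcp listener is actually presenting (including whether it is the self-signed default), and can bind the chosen certificate through WMI. The template name 'RDSHServerAuth' and the -Bind switch are assumptions of this script.

```powershell
# Added example, not part of the original page: reproduce the automatic certificate
# selection rule for one template and show what the RDP-Tcp listener presents today.
# Run elevated on the RD Session Host. The template name is an assumption.
param(
    [string]$TemplateName = 'RDSHServerAuth',   # assumption: your template's Template name
    [string]$Listener     = 'RDP-Tcp',
    [switch]$Bind                               # assumption: switch of this script, binds the chosen cert
)

$serverName    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$templateOids  = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'   # v1 template name, v2 template info
$serverAuthEku = '1.3.6.1.5.5.7.3.1'

function Get-TemplateText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Decoded text of the template extension (the name on v1, "Template=Name(OID)..." on v2).
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    ''
}

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A certificate that cannot do Server Authentication cannot authenticate the host.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $serverAuthEku) { return $true } }
        }
    }
    $false
}

$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

# Candidates: issued from the template, server-auth capable, private key present, not expired,
# and named for this host (only the first DNS name is compared; SAN lists are not walked here).
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (Get-TemplateText $_) -match [regex]::Escape($TemplateName) -and
    (Test-ServerAuthEku $_) -and
    $_.NotAfter -gt (Get-Date) -and
    $_.GetNameInfo($dnsType, $false) -ieq $serverName
}

# Same tie-break as the policy: the certificate that expires latest wins.
$chosen = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($chosen) {
    'Selected {0} (expires {1}) from template {2}' -f $chosen.Thumbprint, $chosen.NotAfter, $TemplateName
} else {
    "No usable certificate from template '$TemplateName'; the listener keeps its current certificate."
}

# What the listener presents now. The self-signed default lives in the "Remote Desktop"
# store rather than "My", so both stores are searched for the bound thumbprint.
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$Listener'" -Authentication PacketPrivacy
$bound = Get-ChildItem Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' |
         Where-Object { $_.Thumbprint -ieq $ts.SSLCertificateSHA1Hash }
if ($bound) {
    'Listener {0} presents {1}; self-signed: {2}' -f $Listener, $bound.Subject, ($bound.Subject -eq $bound.Issuer)
} else {
    "Listener $Listener hash $($ts.SSLCertificateSHA1Hash) was not found in the local machine stores."
}

if ($Bind -and $chosen) {
    # Equivalent to choosing the certificate on the General tab of RD Session Host Configuration.
    $ts.SSLCertificateSHA1Hash = $chosen.Thumbprint
    [void]$ts.Put()
    "Bound $($chosen.Thumbprint) to $Listener."
}
```

A "self-signed: True" result means clients have no way to distinguish this host from an impostor presenting its own self-signed certificate, which is the situation the template policy exists to replace.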

Set client connection encryption level

Specifies whether to require the use of a specific encryption level to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

If you enable this setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

  • High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.

  • Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

  • Low: The Low setting encrypts only data sent from the client to the server, using 56-bit encryption. Data sent from the server to the client is not encrypted.

If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. However, you can configure a required encryption level for these connections by using Remote Desktop Session Host Configuration tool.

Important

FIPS compliance can be configured through the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options) or through the FIPS Compliant setting in Remote Desktop Session Host Configuration. The FIPS Compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers require the highest level of encryption. If FIPS compliance is already enabled through the Group Policy System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting, that setting overrides the encryption level specified in this Group Policy setting or in the Remote Desktop Session Host Configuration tool.

At least Windows XP Professional or Windows Server 2003 family

Always prompt for password upon connection

Specifies whether Remote Desktop Services always prompts the client for a password upon connection.

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

If the status is set to Enabled, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

If the status is set to Disabled, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

If the status is set to Not Configured, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the Remote Desktop Session Host Configuration tool.

At least Windows XP Professional or Windows Server 2003 family

Require secure RPC communication

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

If the status is set to Not Configured, unsecured communication is allowed.

Note

The RPC interface is used for administering and configuring Remote Desktop Services.

At least Windows Server 2003

Require use of specific security layer for remote (RDP) connections

Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

If you enable this setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:

  • Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Because the outcome depends on what the client offers, Negotiate does not guarantee server authentication: a client that does not offer TLS is still accepted with native RDP encryption.

  • RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated.

  • SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails.

If you disable or do not configure this setting, the security method to be used for remote connections to RD Session Host servers is not enforced through Group Policy. However, you can configure a required security method for these connections by using Remote Desktop Session Host Configuration tool.

At least Windows Vista
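Whether a server really refuses the weaker methods can only be confirmed from the outside, by offering them. The following PowerShell is an added example, not code from the original page or from Microsoft: it sends the X.224 Connection Request that carries the RDP Negotiation Request (MS-RDPBCGR section 2.2.1.1), decodes the Connection Confirm (section 2.2.1.2), and reports the protocol the server selected or the failure code it returned. The failure codes also reveal the Network Level Authentication requirement, since a server that requires it answers an RDP-only offer with HYBRID_REQUIRED_BY_SERVER. The target host name is an assumption.

```powershell
# Added example, not part of the original page: probe a listener from a client machine
# and report which security layer it will actually hand out. Only the negotiation
# exchange is performed; no session is established. The host name is an assumption.
param(
    [string]$TargetHost = 'rdsh01.example.com',   # assumption: your RD Session Host
    [int]$Port = 3389
)

$ProtocolNames = @{ 0 = 'PROTOCOL_RDP (native RDP security, server not authenticated)'
                    1 = 'PROTOCOL_SSL (TLS)'
                    2 = 'PROTOCOL_HYBRID (TLS + CredSSP, Network Level Authentication)' }
$FailureNames  = @{ 1 = 'SSL_REQUIRED_BY_SERVER'
                    2 = 'SSL_NOT_ALLOWED_BY_SERVER'
                    3 = 'SSL_CERT_NOT_ON_SERVER'
                    4 = 'INCONSISTENT_FLAGS'
                    5 = 'HYBRID_REQUIRED_BY_SERVER'
                    6 = 'SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER' }

function Send-RdpNegotiation {
    param([string]$Computer, [int]$Port, [uint32]$RequestedProtocols)
    $tpkt = [byte[]](0x03, 0x00, 0x00, 0x13)                       # TPKT v3, total length 19
    $x224 = [byte[]](0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00)     # X.224 CR: LI=14, code 0xE0, refs, class 0
    $neg  = [byte[]](0x01, 0x00, 0x08, 0x00)                       # RDP_NEG_REQ: type 1, flags 0, length 8
    $neg += [System.BitConverter]::GetBytes($RequestedProtocols)    # requestedProtocols, little-endian
    $req  = [byte[]]($tpkt + $x224 + $neg)

    $client = New-Object System.Net.Sockets.TcpClient($Computer, $Port)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 19
        $n = $stream.Read($buf, 0, $buf.Length)
    } finally { $client.Close() }

    # Connection Confirm: TPKT (4) + X.224 CC header (7, code 0xD0) + optional 8-byte negotiation block.
    if ($n -lt 11 -or $buf[0] -ne 0x03 -or $buf[5] -ne 0xD0) { return 'no X.224 Connection Confirm' }
    if ($n -lt 19) { return 'confirm without negotiation block (server predates protocol negotiation)' }
    $code = [System.BitConverter]::ToUInt32($buf, 15)
    switch ($buf[11]) {
        0x02    { return ('accepted, selectedProtocol={0} {1}' -f $code, $ProtocolNames[[int]$code]) }
        0x03    { return ('refused, failureCode={0} {1}'       -f $code, $FailureNames[[int]$code]) }
        default { return ('unexpected negotiation type {0}'    -f $buf[11]) }
    }
}

# Offer three protocol sets, weakest first. An "accepted" answer to the RDP-only offer means
# a client that simply omits TLS gets native RDP security and an unauthenticated server, which
# is what Negotiate permits; SSL or NLA enforcement shows up as a failure code instead.
$offers = @(
    @{ Name = 'RDP only';           Mask = [uint32]0 },
    @{ Name = 'RDP + SSL';          Mask = [uint32]1 },
    @{ Name = 'RDP + SSL + HYBRID'; Mask = [uint32]3 }
)
foreach ($offer in $offers) {
    '{0,-20} -> {1}' -f $offer.Name, (Send-RdpNegotiation -Computer $TargetHost -Port $Port -RequestedProtocols $offer.Mask)
}
```

PROTOCOL_HYBRID is only offered together with PROTOCOL_SSL (mask 3) because the protocol defines a hybrid offer without SSL as INCONSISTENT_FLAGS. The probe says nothing about the encryption level of native RDP security (High, Client Compatible, Low), which is settled later in the connection sequence.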

Do not allow local administrator to customize permissions

Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool.

You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Configuration tool. By default, administrators are able to make such changes.

If the status is set to Enabled, the Permissions tab in the Remote Desktop Session Host Configuration tool cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors are Read Only.

If the status is set to Disabled or Not Configured, server administrators have full Read/Write privileges to the user security descriptors on the Permissions tab in the Remote Desktop Session Host Configuration tool.

Note

The preferred method of managing user access is by adding a user to the Remote Desktop Users group.

At least Windows Server 2003

Require user authentication for remote connections by using Network Level Authentication

This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server.

To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported.

If you disable or do not configure this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server.

You can specify that Network Level Authentication be required for user authentication by using Remote Desktop Session Host Configuration tool or the Remote tab in System Properties.

Important

Disabling or not configuring this policy setting provides less security because user authentication will occur later in the remote connection process.

At least Windows Vista
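The settings in this node can be audited together on the server, comparing what Group Policy writes with what the RDP-Tcp listener actually enforces. The following PowerShell is an added example and is not part of the original page or of the product; it reads the policy registry key and the Win32_TSGeneralSetting WMI class, flags anything left at a weaker level, and can raise the listener to High, SSL (TLS 1.0) and Network Level Authentication the way RD Session Host Configuration would. The -Enforce switch is an assumption of this script, not a policy name.

```powershell
# Added example, not part of the original page: audit the settings of this node on the
# local RD Session Host and optionally raise the listener through WMI. Run elevated.
param([switch]$Enforce)   # assumption: switch of this script, not a policy name

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, which for the policy key means Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { $null } else { $item.$Name }
}

function Describe {
    param([hashtable]$Map, $Value)
    if ($Value -eq $null) { 'Not Configured' }
    elseif ($Map.ContainsKey([int]$Value)) { $Map[[int]$Value] }
    else { "$Value" }
}

function Row {
    param($Setting, $Policy, $Effective, [bool]$NotHardened)
    New-Object PSObject -Property @{ Setting = $Setting; Policy = $Policy; Effective = $Effective; NotHardened = $NotHardened }
}

$encLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$secLayer = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$onOff    = @{ 0 = 'Disabled'; 1 = 'Enabled' }

# Effective listener state as the tool sees it.
$ts = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
if (-not $ts) { throw 'Win32_TSGeneralSetting for RDP-Tcp not found; is the RD Session Host role installed?' }
$fipsOn = ((Get-RegValue $fipsKey 'Enabled') -eq 1)

$rows = @()
# The FIPS security option overrides the encryption level, so the level is only weak when FIPS is off too.
$effEnc = if ($fipsOn) { 'FIPS Compliant (FIPS security option overrides)' } else { Describe $encLevel $ts.MinEncryptionLevel }
$rows += Row 'Set client connection encryption level' `
             (Describe $encLevel (Get-RegValue $policyKey 'MinEncryptionLevel')) `
             $effEnc `
             (($ts.MinEncryptionLevel -lt 3) -and (-not $fipsOn))
# RDP and Negotiate both let a client that offers no TLS reach an unauthenticated server.
$rows += Row 'Require use of specific security layer for remote (RDP) connections' `
             (Describe $secLayer (Get-RegValue $policyKey 'SecurityLayer')) `
             (Describe $secLayer $ts.SecurityLayer) `
             ($ts.SecurityLayer -ne 2)
$rows += Row 'Require user authentication for remote connections by using Network Level Authentication' `
             (Describe $onOff (Get-RegValue $policyKey 'UserAuthentication')) `
             (Describe $onOff $ts.UserAuthenticationRequired) `
             ($ts.UserAuthenticationRequired -ne 1)
$rows += Row 'Always prompt for password upon connection' `
             (Describe $onOff (Get-RegValue $policyKey 'fPromptForPassword')) `
             (Describe $onOff (Get-RegValue $listenerKey 'fPromptForPassword')) `
             ((Get-RegValue $listenerKey 'fPromptForPassword') -ne 1)
# Disabled still allows unsecured RPC for clients that ignore the request; only Enabled refuses it.
$rows += Row 'Require secure RPC communication' `
             (Describe $onOff (Get-RegValue $policyKey 'fEncryptRPCTraffic')) `
             '(policy only)' `
             ((Get-RegValue $policyKey 'fEncryptRPCTraffic') -ne 1)
# Enabling "Do not allow local administrator to customize permissions" writes fWritableTSCCPermTab = 0.
$rows += Row 'Do not allow local administrator to customize permissions' `
             (Describe @{ 0 = 'Enabled (tab read-only)'; 1 = 'Disabled' } (Get-RegValue $policyKey 'fWritableTSCCPermTab')) `
             '(policy only)' `
             ((Get-RegValue $policyKey 'fWritableTSCCPermTab') -ne 0)

$rows | Format-Table Setting, Policy, Effective, NotHardened -AutoSize

if ($Enforce) {
    # These write the listener, as RD Session Host Configuration would. Where Group Policy
    # configures the same value the policy wins and the method reports a non-zero ReturnValue.
    'SetEncryptionLevel(3) -> {0}'            -f $ts.SetEncryptionLevel(3).ReturnValue
    'SetSecurityLayer(2) -> {0}'              -f $ts.SetSecurityLayer(2).ReturnValue
    'SetUserAuthenticationRequired(1) -> {0}' -f $ts.SetUserAuthenticationRequired(1).ReturnValue
}
```

Policy values shown as Not Configured with a hardened Effective value are settings that the tool, not Group Policy, is holding in place; they revert the moment a local administrator changes them, which is the gap the policy settings in this node close.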