Step 10: Secure the Communications
Published: February 25, 2008
Where terminal servers will connect with clients that are outside the corporate network, there are a number of ways to secure the communications. The level of security selected for each farm will depend on the security requirements of the applications that run in the farm and the capabilities and location of the clients. If clients are all inside the corporate network, then there may be no need to secure the communications except where sensitive transactions need additional protection from the possibility of eavesdropping.
Task 1: Determine the Encryption Level Between Clients and the Terminal Server
Terminal Services sessions use native RDP encryption, which by default uses 128-bit keys when the client supports them. The RDP encryption level can instead be lowered at the terminal server to 56-bit encryption. This weakens protection against eavesdropping and should only be done where the clients that will connect cannot support higher encryption levels, or where the server or client is in a country or region that does not permit the use of 128-bit encryption.
Departments and agencies of the United States federal government require cryptography that is validated under Federal Information Processing Standard (FIPS) 140. Windows Server 2008 Terminal Services offers a FIPS Compliant encryption level for this purpose, which restricts the session to FIPS 140-validated algorithms, but then only clients that support this level will be able to connect.
Determine the highest level of encryption that will still allow all of the expected clients to connect, and implement that level on the terminal server; a client that cannot meet the configured minimum is refused at connection time.
Task 2: Determine Whether to Seal the Communications
The native RDP security layer gives the client no way to verify the identity of the terminal server, which leaves the connection open to man-in-the-middle attacks: a client that is redirected to an impostor will hand over its credentials and session data without noticing. Configuring the TLS (SSL) security layer closes this gap. The terminal server must then present a certificate, which the client checks against its trusted issuers before the session proceeds, and the client can be configured to refuse the connection if that check fails.
Perform an assessment of the risk and potential cost of a man-in-the-middle attack. This will be used in the next step to determine the certification authority.
Task 3: Determine the Certification Authority
Certificates will be required in order to use TLS-secured RDP or HTTPS communications between the clients and the terminal server; the client must be able to build a chain from the server's certificate to an issuer it trusts. There are three ways to source those certificates so that they are available at the terminal server and at all the clients that will need them:
Determine the total cost in hardware, software, and effort of each of the options for the organization, and weigh that against the convenience that they provide for clients. Once that is done, select the option that is most cost-effective overall. Now compare the cost of that selection against the risk of a man-in-the-middle attack, as determined in the previous task. If the benefit outweighs the cost, implement certificates.
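Tasks 1 to 3 are all settings on the terminal server's RDP-Tcp listener. The script below is an added example, not code from this guide or from Microsoft: it audits and sets the encryption level, switches the security layer to TLS and binds the chosen certificate, using the Win32_TSGeneralSetting WMI class that Windows Server 2008 exposes. It assumes an elevated PowerShell session on the terminal server, that the certificate obtained in Task 3 is already installed in the computer's Personal store with its private key, and that the thumbprint shown is a placeholder you replace with your own.

```powershell
# Added example, not from the IPD guide: audit and set the RDP-Tcp listener's
# encryption level, security layer and TLS certificate on a Windows Server 2008
# terminal server through the Win32_TSGeneralSetting WMI class.
# Assumptions (not stated on the page): run in an elevated PowerShell session on
# the terminal server; the certificate is already in Cert:\LocalMachine\My with
# its private key; the thumbprint below is a placeholder you replace.
param(
    [string]$Listener        = 'RDP-Tcp',
    [int]   $EncryptionLevel = 3,   # 1 Low (56-bit), 2 Client Compatible, 3 High (128-bit), 4 FIPS Compliant
    [int]   $SecurityLayer   = 2,   # 0 RDP Security Layer, 1 Negotiate, 2 SSL (TLS)
    [string]$Thumbprint      = '0000000000000000000000000000000000000000'  # placeholder
)

$encryptionNames = @{1 = 'Low (56-bit)'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS Compliant'}
$layerNames      = @{0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)'}
$tsNamespace     = 'root\cimv2\TerminalServices'

function Get-ListenerSetting([string]$name) {
    Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting -Filter "TerminalName='$name'"
}

function Format-ListenerSetting($ts) {
    '{0}: encryption={1}, security layer={2}, certificate={3}' -f $ts.TerminalName,
        $encryptionNames[[int]$ts.MinEncryptionLevel],
        $layerNames[[int]$ts.SecurityLayer],
        $ts.SSLCertificateSHA1Hash
}

function Assert-Succeeded($result, [string]$operation) {
    if ($result.ReturnValue -ne 0) { throw "$operation failed with WMI return code $($result.ReturnValue)" }
}

# Task 1: the FIPS Compliant level only makes sense when the system-wide FIPS
# policy is on as well; warn rather than silently leave a half-configured server.
if ($EncryptionLevel -eq 4) {
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -ErrorAction SilentlyContinue
    if (-not $fips -or $fips.Enabled -ne 1) {
        Write-Warning 'FIPS Compliant level requested but the system FIPS algorithm policy is not enabled.'
    }
}

# Tasks 2 and 3: a TLS security layer needs a certificate that has its private key.
if ($SecurityLayer -ne 0) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; TLS cannot use it" }
}

$ts = Get-ListenerSetting $Listener
if (-not $ts) { throw "Listener $Listener not found" }
'Before: ' + (Format-ListenerSetting $ts)

Assert-Succeeded ($ts.SetEncryptionLevel($EncryptionLevel)) 'SetEncryptionLevel'
Assert-Succeeded ($ts.SetSecurityLayer($SecurityLayer))     'SetSecurityLayer'
if ($SecurityLayer -ne 0) {
    $ts.SSLCertificateSHA1Hash = $Thumbprint
    $ts.Put() | Out-Null
}

# Re-read so that the report reflects what the listener actually holds; a value
# enforced by Group Policy overrides whatever was set locally.
$ts = Get-ListenerSetting $Listener
'After:  ' + (Format-ListenerSetting $ts)
```

Two checks worth making after running it: the name in the certificate must match the name the clients type in (or the farm name they resolve), or their certificate check will fail exactly as it would for an impostor; and the account the listener runs under (NETWORK SERVICE on Windows Server 2008) must be able to read the certificate's private key, or TLS connections fail even though the binding appears to succeed.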
Task 4: Determine Whether to Encapsulate with HTTPs
If the clients connect directly using RDP, TCP port 3389 must be open on the external firewall. Many organizations strive to limit the number of ports that are open to the Internet, often limiting them to ports 80 (HTTP) and 443 (HTTPS).
Determine whether policy requires that only ports 80 and 443 can be open in the external firewall. If that is the case, implement HTTPS communications using the TS Gateway role service, which tunnels RDP inside HTTPS on port 443 so that port 3389 is not exposed. The TS Gateway server needs its own certificate that the clients trust, so the choice made in Task 3 applies here too.
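On the client side the gateway decision shows up in the .rdp file, and the firewall decision can be checked from outside. The script below is an added example, not code from this guide or from Microsoft: it writes a .rdp file that forces all traffic through the TS Gateway and refuses to connect if server authentication fails, then probes the gateway's public name to confirm that TCP 3389 is closed and TCP 443 is open. The host names are placeholders, and the probe is assumed to run from a machine on the Internet side of the external firewall.

```powershell
# Added example, not from the IPD guide: build a client-side .rdp file that reaches
# the farm only through a TS Gateway over HTTPS, then probe the gateway's public
# name from outside the network to confirm that 3389 is closed and 443 is open.
# Assumptions (not stated on the page): the host names are placeholders; the
# probe is run from a machine on the Internet side of the external firewall.
param(
    [string]$GatewayName = 'tsgateway.example.com',    # placeholder public name
    [string]$FarmName    = 'tsfarm.corp.example.com',  # placeholder internal farm name
    [string]$RdpFile     = (Join-Path $env:USERPROFILE 'farm-via-gateway.rdp'),
    [int]   $TimeoutMs   = 3000
)

function New-GatewayRdpFile([string]$path, [string]$gateway, [string]$farm) {
    # Settings understood by the Remote Desktop Connection 6.x client (mstsc.exe)
    $settings = @(
        "full address:s:$farm",
        "gatewayhostname:s:$gateway",
        'gatewayusagemethod:i:1',        # 1 = always go through the gateway
        'gatewayprofileusagemethod:i:1', # 1 = use the explicit settings in this file
        'gatewaycredentialssource:i:0',  # 0 = prompt for a password (NTLM)
        'authentication level:i:1',      # 1 = refuse to connect if server authentication fails
        'negotiate security layer:i:1',
        'prompt for credentials:i:1'
    )
    Set-Content -Path $path -Value $settings -Encoding ASCII
    return $path
}

function Test-TcpPort([string]$computer, [int]$port, [int]$timeoutMs) {
    # Connect with a timeout: a filtered port never answers, a closed one refuses.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($computer, $port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on refusal
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$file = New-GatewayRdpFile $RdpFile $GatewayName $FarmName
"Wrote $file"

$directRdp = Test-TcpPort $GatewayName 3389 $TimeoutMs
$gateway   = Test-TcpPort $GatewayName 443  $TimeoutMs

if ($directRdp) { Write-Warning "TCP 3389 on $GatewayName is reachable from outside; direct RDP is exposed." }
else            { "TCP 3389 on ${GatewayName}: not reachable (as intended)" }
if ($gateway)   { "TCP 443 on ${GatewayName}: reachable; TS Gateway can be used" }
else            { Write-Warning "TCP 443 on $GatewayName is not reachable; clients cannot use the gateway." }
```

The `authentication level:i:1` setting is what ties Task 4 back to Task 2: with the gateway in the path, the client validates the gateway's HTTPS certificate as well as the terminal server's, so a certificate the clients cannot chain to a trusted issuer will stop connections rather than merely warn.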
The security implementation between the clients and the terminal server has been determined. Record this in the farm design job aid (Appendix C).