Configure Server Authentication and Encryption Levels

Applies To: Windows Server 2008 R2

By default, Remote Desktop Services sessions are configured to negotiate the encryption level from the client to the RD Session Host server. You can enhance the security of Remote Desktop Services sessions by requiring the use of Transport Layer Security (TLS) 1.0. TLS 1.0 verifies the identity of the RD Session Host server and encrypts all communication between the RD Session Host server and the client computer. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security.

Note

For more information about RD Session Host, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (https://go.microsoft.com/fwlink/?LinkId=140438).

Three security layers are available.

Security layer Description

SSL (TLS 1.0)

SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.

Negotiate

This is the default setting.

The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used.

RDP Security Layer

Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.

A certificate, used to verify the identity of the RD Session Host server and encrypt communication between the RD Session Host and the client, is required to use the TLS 1.0 security layer. You can select a certificate that you have installed on the RD Session Host server, or you can use a self-signed certificate.

Warning

We recommend that you obtain and install a certificate issued by one of the trusted public certification authorities that participate in the Microsoft Root Certificate Program Members program.

By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.

Four encryption levels are available.

Encryption level Description

FIPS Compliant

This level encrypts and decrypts data sent from the client to the server and from the server to the client by using Federal Information Process Standard (FIPS) 140-1 validated encryption methods. Clients that do not support this level of encryption cannot connect.

High

This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. Use this level when the RD Session Host server is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.

Client Compatible

This is the default setting.

This level encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this level when the RD Session Host server is running in an environment containing mixed or legacy clients.

Low

This level encrypts data sent from the client to the server by using 56-bit encryption. Data sent from the server to the client is not encrypted.

Use the following procedure to configure the server authentication and encryption settings for a connection on the RD Session Host server.

Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To configure the server authentication and encryption settings for a connection

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. In the Properties dialog box for the connection, on the General tab, select the server authentication and encryption settings that are appropriate for your environment, based on your security requirements and the level of security that your client computers can support.

  4. If you select SSL (TLS 1.0), either select a certificate that is installed on the RD Session Host server, or click Default to generate a self-signed certificate. If you are using a self-signed certificate, the name of the certificate will display as Auto generated.

  5. Click OK.

You can also configure server authentication and encryption settings by applying the following Group Policy settings:

  • Set client connection encryption level

  • Require use of specific security layer for remote (RDP) connections

  • Server Authentication Certificate Template

  • Require user authentication for remote connections by using Network Level Authentication

These Group Policy settings are located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that these Group Policy settings will take precedence over the settings configured in Remote Desktop Session Host Configuration, with the exception of the Server Authentication Certificate Template policy setting.

You can configure the RD Session Host server to use FIPS as the encryption level by applying the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting. This Group Policy setting is located in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC). Note that this Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration and takes precedence over the Set client connection encryption level policy setting.

For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (https://go.microsoft.com/fwlink/?LinkId=138134).

Additional references