Problem Configuring RDP over TLS

  • Problem Configuring RDP over TLS

    I've been trying to secure my RDP sessions using RDP over TLS using the following article:

    http://articles.techrepublic.com.com...1-6166676.html

    I've used this article before to get it to work with my Windows 2008 domain controller but can't seem to get it to work on my Windows Vista machine. At least not by the article's standards. I should be getting some certificate prompts but so far nothing. I'm trying to connect to a Windows Vista Ultimate 64-bit machine on a Windows Server 2008 Standard 64-bit domain. The client machines I've used have been Windows XP and Windows 7. When I was able to get this to work on my Windows Server 2008 machine, I was accessing it via Windows XP 32-bit.

    After researching, I came across this article:

    http://blogs.msdn.com/rds/archive/20...ns-part-2.aspx

    The comments in the article are the following:

    "RDP without TLS (added in W2K3 SP1) or CredSSP (added in Vista, and doc'ed in MS-CSSP) does not use a known static key to protect data exchanged between the client and server. Instead, the symmetric key used between the client and server is generated based on random data created by the server and client. MITM attacks exploit the fact that the signing key is known (this exploit was resolved by adding true server authentication with TLS in W2K3 SP1 in 2005). The details of the security exchange are public and available for your review in MS-RDPBCGR section 5.
    On the subject of self-signed certificates, beginning with Vista all Terminal Servers generate a self-signed certificate to use by default with TLS or CredSSP protected connections. Take a look at the following registry key to confirm this: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate. To further confirm, open up the Certificates snap-in and take a look at the machine certificates. You will see a "Remote Desktop" category that contains a self-signed certificate.
    A newly installed Vista or later Remote Desktop Host has the default setting of only allowing connections from machines that support NLA (essentially CredSSP) - take a look at the Remote settings UI. This tightens up security, only allowing authenticated users to connect (CredSSP facilitates mutual authentication).
    Hope this helps."


    I checked the key and it does show it there. I also found the following:


    http://windowshelp.microsoft.com/Win...95b291033.mspx


    It states to use certmgr.msc to manage the certificates on the local machine. I used that and could not find the certificate in the certificate store.


    Who knows, I may be off base or looking at this all wrong. I've been trying to get this to work for a while and I'm pretty much burned out and looking for some help.

  • #2
    Re: Problem Configuring RDP over TLS

    Hi,

    The basic idea is usually like this.

    You need to obtain a public key of root CA and install it as trusted CA in the TS + Workstation.

    Then you need to add a server certificate for the TS server, with the correct FQDN as common name and then apply it to the RDP.

    btw.. Please use Windows 2008 SP2 + Windows Vista SP2.


    http://www.petri.com/securing_rdp_communications.htm

    http://technet.microsoft.com/en-us/l.../cc782610.aspx

    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: Problem Configuring RDP over TLS

      Well, I probably won't be buying a public cert, not yet. This is just testing for now but it may evolve later. What I've been reading is that by using the instructions, the server machine (in this case Windows Vista) will use its own self-signed certificate to secure the connection. Is this not the case?



      • #4
        Re: Problem Configuring RDP over TLS

        Please install a local CA and put the root CA in each computer.

        Request a server certificate for the TS and that's all.

        Best Regards,

        Yuval Sinay

        LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



        • #5
          Re: Problem Configuring RDP over TLS

          OK. Let's try this another way. Let's remove the Windows 2008 server from the equation. Think of this as just a Windows XP and Windows Vista machine trying to communicate with each other. The Windows Vista machine is the server and the Windows XP machine is the client for the RDP connection. From the article that I mentioned previously, I should be able to configure the Windows Vista machine to require authentication over TLS using the self-signed certificate installed for remote desktop per the picture below. Again, after performing these steps and attempting to connect to the Vista machine, I receive no certificate warning prompts of any kind and it seems to just connect using the normal RDP protocols without TLS. Again, think of this as a situation where someone at work wants to connect to their home Vista machine using RDP over TLS using their own self-signed certificate WITHOUT having to install a server and certificate authority. Is this possible?



          [Image attachment: 2009-06-13_1013.png]

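An added example (not from the thread or any of its posters): a small Python decoder for the security-protocol negotiation defined in MS-RDPBCGR sections 2.2.1.1 and 2.2.1.2, the specification the quoted MSDN comment points to. It builds the X.224 Connection Request that asks the host for TLS or CredSSP and decodes the host's Connection Confirm, so an administrator checking their own machine can see whether it negotiated TLS, CredSSP/NLA, refused the request, or simply fell back to standard RDP security, which is the "just connects without TLS" outcome described in #5. The sample replies are constructed; the `probe()` helper and its defaults (port 3389, 5 s timeout, requesting TLS and CredSSP) are my assumptions, not anything from the articles linked above.

```python
"""Build an RDP X.224 Connection Request with RDP_NEG_REQ and decode the
Connection Confirm (MS-RDPBCGR 2.2.1.1 / 2.2.1.2) to learn which security
layer the host selected: standard RDP security, TLS, or CredSSP (NLA)."""
import socket
import struct

# requestedProtocols / selectedProtocol flag values (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA) on top of TLS

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security (no TLS)",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP/NLA over TLS",
}

# RDP_NEG_FAILURE failureCode values (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (no routing cookie)."""
    # rdpNegReq: type, flags, length (always 8), requestedProtocols; little-endian.
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # x224Crq: LI counts CR code, DST-REF, SRC-REF and class option (6 bytes)
    # plus the 8-byte negotiation request that follows the fixed header.
    x224 = struct.pack("!BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)
    body = x224 + neg_req
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(body))  # version 3, reserved, length
    return tpkt + body


def parse_connection_confirm(data):
    """Decode an X.224 Connection Confirm and report what the host chose."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack("!H", data[2:4])[0]
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match data length")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("X.224 PDU is not a Connection Confirm")
    if li == 6:
        # No rdpNegData at all: a host that predates negotiation support
        # (or answers without it) and will use standard RDP security only.
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP,
                "description": PROTOCOL_NAMES[PROTOCOL_RDP]}
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
    if neg_len != 8:
        raise ValueError("unexpected rdpNegData length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "negotiated", "selected_protocol": value,
                "description": PROTOCOL_NAMES.get(value, "unknown protocol %#x" % value)}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "description": FAILURE_CODES.get(value, "unknown failure %#x" % value)}
    raise ValueError("unknown rdpNegData type %#x" % neg_type)


def probe(host, port=3389, requested=PROTOCOL_SSL | PROTOCOL_HYBRID, timeout=5.0):
    """Send one Connection Request to a host and decode its reply (assumed helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        reply = sock.recv(64)
    return parse_connection_confirm(reply)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A reply carrying `PROTOCOL_RDP` (or no negotiation data at all) means the host took the connection on standard RDP security, so no TLS handshake and therefore no certificate prompt; a `HYBRID_REQUIRED_BY_SERVER` failure is what a default Vista host with "NLA only" enabled returns to a client that did not offer CredSSP.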
