Remote Desktop Connection does not encrypt with ipsec

Guest

Hi,

I would like to encrypt the rdc connection for terminal services with an
ipsec connection to make it more secure.

I have set up a Policy on the terminal server (request security) with an ip
filter
my ip address -> to any
tcp -> port 3389 to any
and the rule is mirrored.
It uses Kerberos Authentication.
The server is only a terminal server (Windows 2000) and not a domain
controller.

I have configured the client (Win XP) with the client respond only security
policy.
When I am connecting from the client to the server ipsecmon shows no
encryption at all.

For testing I have configured the policy on the server that all traffic
should be encrypted and it works fine.

What went wrong in my configuration?

regards
 
Vincent Xu [MSFT]

Hello,

Based on my test and experience, your configuration steps are correct. So
regarding this, please send me a screen shot to show the status on your
ipsecmon.

To take a screen shot:
---------------------
1) Press the Pr Scrn key once on the keyboard when the error message
appears.
2) Click Start, go to Run, enter MSPAINT in the open dialog box, and then
Click OK.
3) Use Ctrl + V to paste the screenshot to the canvas.
4) From the File menu, go to Save and save it as a JPG file.
5) Send the JPG file to me as an attachment.
My mailbox: (e-mail address removed)

To verify on the earch whether the data is encrypted, I suggest you use
netmon to trace the data.
Network Monitor:
=======================
1. To obtain a time-bombed version of Network Monitor, visit the following
Microsoft Web site:
ftp://ftp.microsoft.com/PSS/Tools/NetMon/NETMON2.ZIP
2. Download the netmon2.zip file. The password for that zip is "trace" (no
quotation marks).
3. Run the qfesetup.exe file to install Network Monitor on HSMain.

Please send me the capture data. And don't forget the source MAC and Desc
MAC.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security


--------------------
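
An added example, not part of the original thread: a check of what a packet trace like the one requested above shows for the RDP flow, classifying raw IPv4 packets as ESP, AH, IKE or cleartext TCP 3389. The addresses, the client port and the packet bytes are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct

RDP_PORT = 3389   # TCP port from the IP filter in the question
IKE_PORT = 500    # UDP port used by IKE negotiation
ESP, AH, TCP, UDP = 50, 51, 6, 17   # IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def ports(sport, dport, pad):
    """Start of a TCP or UDP header: source port, destination port, padding."""
    return struct.pack("!HH", sport, dport) + bytes(pad)

def classify(packet):
    """Return 'esp', 'ah', 'ike', 'clear-rdp' or 'other' for one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4      # IPv4 header length in bytes
    proto = packet[9]
    if proto == ESP:                  # payload, including TCP ports, is hidden
        return "esp"
    if proto == AH:                   # authenticated only, data still readable
        return "ah"
    if proto in (TCP, UDP) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if proto == UDP and IKE_PORT in (sport, dport):
            return "ike"
        if proto == TCP and RDP_PORT in (sport, dport):
            return "clear-rdp"        # port 3389 visible: filter did not match
    return "other"

def rdp_is_protected(packets):
    """True only if ESP is seen and no TCP 3389 segment appears in the clear."""
    kinds = [classify(p) for p in packets]
    return "esp" in kinds and "clear-rdp" not in kinds

C, S = "192.0.2.10", "192.0.2.20"     # constructed documentation addresses
CLEAR_CAPTURE = [ipv4(C, S, TCP, ports(1055, RDP_PORT, 16)),
                 ipv4(S, C, TCP, ports(RDP_PORT, 1055, 16))]
IPSEC_CAPTURE = [ipv4(C, S, UDP, ports(IKE_PORT, IKE_PORT, 4)),
                 ipv4(S, C, UDP, ports(IKE_PORT, IKE_PORT, 4)),
                 ipv4(C, S, ESP, bytes(40)), ipv4(S, C, ESP, bytes(40))]
AH_ONLY_CAPTURE = [ipv4(C, S, AH, bytes(32))]

if __name__ == "__main__":
    for name, cap in (("clear", CLEAR_CAPTURE), ("ipsec", IPSEC_CAPTURE),
                      ("ah-only", AH_ONLY_CAPTURE)):
        print(name, [classify(p) for p in cap], rdp_is_protected(cap))
```

IP protocol 50 in the trace shows that ESP is in use between the two hosts, not which algorithm was negotiated; that has to be read from the security association on the host.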
Guest

Hi,

I found out that somebody promoted the server to a dc.
I know that authentication traffic during login can't be secured (with
ipsec) but can I protect the rdc with the ruleset seen below? Or in another
way?
The client hangs when the ip filter (rdc) is active during login.

regards
 
Vincent Xu [MSFT]

Hi,

I'm not sure about "protect the rdc with the ruleset seen below", if you
mean RDC authentication and encryption, I have some information as below:

Remote Desktop Protocol (RDP) provides data encryption, but it does not
provide authentication to verify the identity of a terminal server. In
Windows Server 2003 Service Pack 1 (SP1), you can enhance the security of
Terminal Server by configuring Terminal Services connections to use
Transport Layer Security (TLS) 1.0 for server authentication, and to
encrypt terminal server communications. TLS is a standard protocol that is
used to provide secure Web communications on the Internet or intranets. It
enables clients to authenticate servers or, optionally, servers to
authenticate clients. It also provides a secure channel by encrypting
communications.

For more detailed information, please refer to the following link:

Configuring authentication and encryption
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a92d8eb9-f53d-4e86-ac9b-29fd6146977b.mspx>

In addition, I think the following article may also help.

275727 High Encryption on a Remote Desktop or Terminal Services Session Does
http://support.microsoft.com/?id=275727


Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security


--------------------
 