RE: Secure / Encrypt Terminal Services
From: Brian W. Spolarich (bspolarich@nephrostherapeutics.com)
Date: 11/26/02
Date: Tue, 26 Nov 2002 09:32:23 -0500
From: "Brian W. Spolarich" <bspolarich@nephrostherapeutics.com>
To: <ohnonono@hushmail.com>, <focus-ms@securityfocus.com>
ohnonono@hushmail.com wrote:
> Does the community have an opinion on which is the best way
> to do this? Can it be done via IP-Sec? Basically we have a
> machine (tripwire manager) that will have access to all our
> networks. Due to politics (gotta love security made insecure
> by politics) it must be remotely managed. The CIO (god bless
> CIO's) has decided that we will use terminal services. Is
> there a way to encrypt the traffic so it is not flying around
> the network in clear text? Would IP-Sec be the recommended solution?
I use IPSEC (Cisco VPN Concentrator + Cisco Client) for remote access to my networks in general, and use the TS RDP client over that.
The Windows RDP protocol does support session encryption, which is set to medium by default. You can configure the encryption setting from the Terminal Services Configuration MMC snap-in. Right-click on the Connections->RDP-TCP connection object, and select Properties. The encryption setting is under the General tab. I wouldn't recommend using anything other than High encryption, which uses 128-bit keys, and requires either the W2K High Encryption pack, or SP2 or later.
You'll want to apply the patch for Q324380 "MS02-051: Cryptographic Flaw in RDP Protocol Can Cause Information Disclosure", described here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;324380
This is a post-SP3 patch.
You'll want to also apply W2KSP3 if possible to the server, as there are a number of issues and fixes since SP2:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q324956
Regards,
-bws
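
An added example, not part of the original message: a Python audit that reads regedit exports of the RDP-Tcp listener and flags servers whose encryption level is below High. The registry path, the `MinEncryptionLevel` value name and the 1/2/3 mapping are assumptions not stated in the message, and the host names and export contents are constructed.

```python
import re

# Assumption (not from the message): the listener's encryption level is the
# MinEncryptionLevel DWORD under this key, with 1=Low, 2=Medium, 3=High.
RDP_TCP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Terminal Server\WinStations\RDP-Tcp")
LEVELS = {1: "Low", 2: "Medium", 3: "High"}  # Windows 2000 encryption levels
REQUIRED = 3  # the message recommends nothing below High

HEADER = "Windows Registry Editor Version 5.00\n\n[" + RDP_TCP_KEY + "]\n"
# Constructed sample exports from three hypothetical servers.
SAMPLE_EXPORTS = {
    "ts-default": HEADER + '"PortNumber"=dword:00000d3d\n"MinEncryptionLevel"=dword:00000002\n',
    "ts-hardened": HEADER + '"MinEncryptionLevel"=dword:00000003\n',
    "ts-missing": HEADER + '"PortNumber"=dword:00000d3d\n',
}

def read_dword(reg_text, key, name):
    """Return DWORD `name` under `key` in a regedit export, or None if absent."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # entering a new key section
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current == key.lower() and m.group(1).lower() == name.lower():
            return int(m.group(2), 16)
    return None

def audit(exports):
    """Map each host to (level name, compliant) for its RDP-Tcp listener."""
    report = {}
    for host, text in exports.items():
        value = read_dword(text, RDP_TCP_KEY, "MinEncryptionLevel")
        if value is None:
            report[host] = ("not set", False)  # missing value is never treated as safe
        else:
            # Values outside the table are reported as unknown and non-compliant.
            report[host] = (LEVELS.get(value, "unknown"),
                            value in LEVELS and value >= REQUIRED)
    return report

if __name__ == "__main__":
    for host, (level, ok) in sorted(audit(SAMPLE_EXPORTS).items()):
        print(f"{host}: {level} -> {'OK' if ok else 'BELOW HIGH'}")
```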