RE: Secure / Encrypt Terminal Services

From: Eric Devine (
Date: 11/27/02

  • Next message: M. Burnett: "RE: Secure / Encrypt Terminal Services"
    Date: Wed, 27 Nov 2002 07:00:14 -0800 (PST)
    From: Eric Devine <>

    How does this sort of thing affect the ActiveX
    Terminal services option in IE? as far as I know
    there is no way to point that to a different
    port? The nice thing about the IE option is any
    computer with IE can be used and the Client is
    self installing so I don't need to keep a floppy
    disk handy.
    Hmm.. I will bet I get jumped all over in the
    reply's because whenever something is easy it is
    generally not secure :)

    Previously written Message thread

    if you change the ts port - the pocket pc clients

    definitely will not be
    able to connect, they don't seem to understand
    the server:port syntax. (not
    that you asked about pocket pcs - but i brought
    it up so i wanted to include
    these details)

    so make sure you check out this kb article...;en-us;304304

    ..which tells you how to alter the remote desktop

    client connection port.
    remote desktop client is the one which came with
    windows xp and is much
    better/more stable than the one included with
    windows 2000.

    grab the remote desktop client here...;en-us;304304

    yeah, it is REALLY annoying that the high
    encryption pack for pocket pcs
    doesn't alter the ts encryption level available
    to those clients.


    -----Original Message-----
    From: Deus, Attonbitus
    Sent: Tuesday, November 26, 2002 7:14 AM
    Subject: Re: Secure / Encrypt Terminal Services

    Hash: SHA1

    At 06:21 AM 11/21/2002,

    >Does the community have an opinion on which is
    the best way to do
    >this? Can it be done via IP-Sec? Basically we
    have a machine (tripwire
    >manager) that will have access to all our
    networks. Due to politics
    >(gotta love security made insecure by politics)
    it must be remotely
    >managed. The CIO (god bless CIO's) has decided
    that we will use terminal
    >services. Is there a way to encrypt the traffic

    so it is not flying
    >around the network in clear text? Would IP-Sec
    be the recomended solution?
    >Suggestions or links (or gentle shoves) to the
    information would be great.

    The TS sessions are encrypted by default- data is

    not sent in the
    "clear." You may set the encryption level for
    the RDP session in the
    Terminal Services Configuration mmc if you want
    to change the default
    "medium" (56bit) encryption to "high" (128bit).
    Note though, that setting
    the encryption level to "high" will break things
    like the PocketPC Terminal
    Services client, which can only use 56bit
    encryption. In environments like
    that, I'll VPN in, and then use the "medium"
    session. Funny that the
    PocketPC will support a 128bit VPN client, but
    only 56bit for a TS client.

    If this box will be on the net itself, ensure
    that you change the TS
    listening port (see Q187623;en-us;187623

    ), rename
    the administrator account and give all the
    accounts strong passwords. A
    logon banner helps too. I'd also use the IPSec
    mmc to lock down all ports
    except what is necessary for your environment.



    "Experience is something you don't get until just

    after you need it."

    Version: PGP 7.1

    -----END PGP SIGNATURE-----

    Do you Yahoo!?
    Yahoo! Mail Plus - Powerful. Affordable. Sign up now.