Require TLS on RDP for all connections

Solution 1

  1. Start -> Administrative Tools -> Terminal Services -> Terminal Services Configuration
  2. Right click RDP-Tcp and choose Properties
  3. "Security Layer" defaults to "Negotiate" and must be changed to "SSL (TLS 1.0)"
  4. "Encryption Level" must be set to "High" or "FIPS Compliant"

Reference: http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

Edit: The Microsoft TechNet article indicates that TLS cannot be enabled via Group Policy. However, I have done some experimentation with Process Monitor and Regedit and have determined that you can change these settings by setting the appropriate registry values, as follows.

To set Minimum Encryption Level to "High" instead of "Client Compatible":

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel REG_DWORD Value: 3

To set Security Layer to "SSL (TLS 1.0)" instead of "Negotiate":

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer REG_DWORD Value: 2

Solution 2

To test your scenario, here is what I did:

  • I have a Windows Server 2008 R2 DC
  • Installed Roles -> Active Directory Certificate Services, Active Directory Domain Services, Remote Desktop Services -> Remote Desktop Web Access, Web Server (IIS). Since this is my only DC, I have DNS Server and DHCP Server installed as well
  • Installed a Server Authentication Certificate on my IIS Web site; it also hosts the RDWeb application
  • Changed Authentication on RDWeb from Anonymous to Windows Authentication
  • Accessed the Web site from the server itself, URL: https://localhost/rdweb. Works fine
  • From my client (which is Windows Server 2008 R2), tried accessing URL: https://fqdn/rdweb. Works. Also tried URL: https://server_name/rdweb. Works.

NOTE: We are still not sure if it's using TLS 1.0.

Now, to force RDWeb to work on TLS only:

  1. Open Regedit
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Create a new Binary Value and name it SSLCertificateSHA1Hash
  4. Copy the thumbprint from the SSL Certificate and add it as the value of SSLCertificateSHA1Hash

e.g.:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SSLCertificateSHA1Hash"=hex:23,91,fc,0e,95,ad,e9,3e,fa,df,3d,54,54,f0,99,dc,cd,70,5c,5c

Now, accessing the website URL https://fqdn/rdweb while tracing it with Fiddler, we see all HTTPS connections with Cipher: 0x2F. Tried using the URL https://server_name, same result.

According to https://www.rfc-editor.org/rfc/rfc5289,
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xC0,0x2F};

Also, check this: RDP with custom certificate in Windows 7? (No tsconfig.msc or Group Policy setting)

For WMI, you can check the article on the Win32_TSGeneralSetting class.
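As an added example (not code from either answer), a PowerShell script that applies the RDP-Tcp registry values from Solution 1 and the certificate binding from Solution 2, then reads the result back through the Win32_TSGeneralSetting WMI class mentioned above. It assumes a Windows Server 2008 R2 host, an elevated session, and a Server Authentication certificate issued to the machine's FQDN in Cert:\LocalMachine\My.

```powershell
# Added example, not code from either answer. Applies the RDP-Tcp listener
# settings discussed above with PowerShell and reads them back through WMI.
# Assumes: Windows Server 2008 R2, elevated session, a Server Authentication
# certificate issued to this host's FQDN present in Cert:\LocalMachine\My.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Solution 1: SecurityLayer 2 = "SSL (TLS 1.0)" (no fallback to RDP security),
# MinEncryptionLevel 3 = "High". Set-ItemProperty creates the values if absent.
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Type DWord -Value 2
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Type DWord -Value 3

# Solution 2: bind the listener to one certificate via SSLCertificateSHA1Hash
# (REG_BINARY). Pick the newest cert with a private key issued to the FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$fqdn*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server certificate for $fqdn in LocalMachine\My" }

# The thumbprint is the SHA-1 hash as a 40-char hex string; the registry
# value wants the same 20 bytes as raw binary.
$hashBytes = [byte[]] (0..19 | ForEach-Object {
    [Convert]::ToByte($cert.Thumbprint.Substring(2 * $_, 2), 16) })
Set-ItemProperty -Path $rdpTcp -Name SSLCertificateSHA1Hash -Type Binary -Value $hashBytes

# Read back through the Win32_TSGeneralSetting class MDMarra asked about. The
# TerminalServices namespace requires packet-privacy authentication; the class
# also exposes SetSecurityLayer/SetEncryptionLevel methods for a pure-WMI route.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
    -Authentication PacketPrivacy
'SecurityLayer={0}  MinEncryptionLevel={1}  Cert={2}' -f `
    $ts.SecurityLayer, $ts.MinEncryptionLevel, $ts.SSLCertificateSHA1Hash
if ($ts.SecurityLayer -ne 2 -or $ts.MinEncryptionLevel -ne 3 -or
    $ts.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw 'RDP-Tcp listener is not in the expected TLS-only state'
}
```

Restarting the Remote Desktop Services service (or rebooting) is the safe way to make the listener pick up the new certificate binding; already-established sessions are not affected by the change.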

Author: MDMarra

Updated on September 17, 2022

Comments

  • MDMarra
    MDMarra over 1 year

    I have a 2008 DC and a 2008 AD CS server and a Windows 7 client. What I would like is to require the certificate to be used when RDPing to the server.

    The certificate is valid, and if I connect using the FQDN I am shown that I was authenticated by both the certificate and Kerberos as expected. When I connect with just the hostname I am allowed to connect and am only authenticated by Kerberos, even though I have Require TLS 1.0 set on the server that I am RDPing to. I fully understand that the certificate will not be valid unless the server is accessed by FQDN; what I want to do is disallow connections that do not use the certificate AND Kerberos.

    I thought that setting Require TLS 1.0 would do it. What am I missing?

  • MDMarra
    MDMarra about 14 years
    Hmm, no GPO support? Do you happen to know if this feature is exposed via WMI, so that it can be scripted in PowerShell?
  • Hecter
    Hecter about 14 years
    Mark: I don't know offhand, but I'll let you know if I come up with a supported or unsupported method.
  • Hecter
    Hecter about 14 years
    Mark: Added registry key info for scripting.
  • Hecter
    Hecter about 14 years
    @Mark: Has this worked well for you? Just let me know if there's anything else you need.
  • MDMarra
    MDMarra about 14 years
    Haven't had a chance to test yet
  • MDMarra
    MDMarra about 14 years
    I'm not using remote desktop web access. Just regular RDP with TLS.
  • MikeT
    MikeT about 14 years
    @MarkM: I hope you have already checked blogs.technet.com/askperf/archive/2008/10/31/…