Windows Server 2003 Service Pack 1 new features : Authentication and Encryption for Terminal Services Connections
In Windows Server 2003 SP1, you can enhance the security of Terminal Server by configuring Terminal Services connections to use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server communications. The version used by Terminal Services in Windows Server 2003 SP1 is TLS 1.0.
In order for SSL (TLS) authentication to function correctly, terminal servers must meet the following prerequisites:
- Terminal servers must run Windows Server 2003 with SP1.
- You must obtain a certificate for the terminal server. You can do this by doing any of the following:
- Use Windows Server 2003 Certificate Services Web Pages (http://go.microsoft.com/fwlink/?LinkID=45371) or Use Windows 2000 Certificate Services Web Pages (http://go.microsoft.com/fwlink/?LinkID=45372).
- Use the Windows Server 2003 Certificate Request Wizard or Windows Server 2000 Certificate Request Wizard.
- Purchase a certificate from a non-Microsoft vendor and install the certificate manually.
If you plan to obtain a certificate by using the Certificate Web pages or Certificate Request Wizard, a public key infrastructure (PKI) must be configured correctly to issue SSL-compatible X.509 certificates to the terminal server. Each certificate must be configured as follows:
- The certificate is a computer certificate.
- The intended purpose of the certificate is server authentication.-The certificate has a corresponding private key.
- The certificate is stored in the terminal server’s personal store. You can view this store by using the Certificates snap-in.
- The certificate has a cryptographic service provider (CSP) that can be used for the SSL (TLS) protocol (for example Microsoft RSA SChannel Cryptographic Provider).
For more information, see Microsoft Cryptographic Service Providers (http://go.microsoft.com/fwlink/?LinkID=40983).
In order for SSL (TLS) authentication to function correctly, clients must meet the following prerequisites:
- Clients must run Windows 2000 or Windows XP.
- Clients must be upgraded to use the Remote Desktop Protocol (RDP) 5.2 (Windows Server 2003) client. You can install this client-side Remote Desktop Connection package by using the %systemdrive\system32\clients\tsclient\win32\msrdpcli.msi file. The msrdpcli.msi file is located on Windows Server 2003 terminal servers. Installing this file from the terminal server installs the 5.2 version of Remote Desktop Connection to the %systemdrive\Program files\Remote Desktop folder on the destination computer. For more information, see Remote Desktop Connection for Windows Server 2003 [5.2.3790] (http://go.microsoft.com/fwlink/?LinkID=41068).
- Clients must trust the root of the server’s certificate. That is, clients must have the certificate of the CA that issued the server certificate in their Trusted Root Certification Authorities store. You can view the certificate by using the Certificates snap-in.
Because RDP runs on port 3389, when using SSL (TLS) to secure RDP, SSL (TLS) will run on port 3389.
Why is this Change Important?
By default, Terminal Server uses native Remote Desktop Protocol (RDP), which provides data encryption, but does not provide authentication to verify the identity of a terminal server.
For more information about Terminal Services and security protocol settings, see the following:
- Configure Authentication and Encryption (http://go.microsoft.com/fwlink/?LinkId=45407)
- How to configure a Windows Server 2003 terminal server to use SSL (TLS) for server authentication (http://go.microsoft.com/fwlink/?LinkId=45408)