RDP Security (Windows Embedded CE 6.0)
This topic provides information on Remote Desktop Protocol (RDP) security.
For Windows Embedded CE 6.0 R2, Credential Management User Interface (CredUI) is a new feature that prompts the user to enter their username and password, or their Smart Card PIN. After the user clicks Connect on the Windows Embedded CE Terminal Services Client (CETSC) user interface (UI), the RDP client calls the CredUI dialog box and displays it to the user. With CredUI, the user must enter credential information that will be passed to the remote server and validated during the authentication process.
CredUI also provides a Save my password check box that enables a user to request that the credentials be stored on the thin client. Therefore, the next time that the user connects to a server, the authentication process can start immediately, without having to retype credentials. The encrypted credentials are stored in the Credential Manager for use on later connections.
After the user provides credential information, CredUI extracts the domain and user account name from a fully qualified user name. The following list shows the supported formats:
Contains a user name string. This string is a user credential that was previously marshaled from stored credentials. The User parameter is set to this string. The Domain parameter is set to an empty string.
The User parameter is set to <UserName> and the Domain parameter is set to <DomainName>.
The User parameter is set to the whole string. The Domain parameter is set to an empty string.
The following list shows the characteristics required by a user name obtained by using CredUI:
- Maximum length of 104 characters
- ASCII characters
- Cannot contain any of the following characters: " / \ [ ] : ; | = , + * ? < >
- Can contain all other special characters. This includes spaces, periods, dashes, and underscores
The following list shows the characteristics required by a password obtained by using CredUI:
- Maximum length of 104 characters
- ASCII characters
- All characters are acceptable
CredUI is automatically included when you add the Remote Desktop Protocol (RDP) Catalog item to a thin client OS design.
Server Connection Process with CredUI
The following steps describe the process to connect to a server in RDP 6.0:
- The user initiates an RDP connection to a remote server.
- The RDP client calls CredUI.
- CredUI prompts the user for credentials.
- The user enters the credentials either by typing in the username and password, or by typing in a Smart Card PIN.
- CredUI sends the credentials to the remote server.
- The server authenticates the credentials and, if necessary, sends the credentials to the domain controller.
- If the credentials are validated, a connection to the remote server is established.
In Windows Embedded CE 6.0 R2, the Remote Desktop Connection client can be used to save a user's password on the device by default. When the user connects to a server by using Remote Desktop Connection, the CredUI dialog box appears, prompting the user for credentials. In the message box, a check box is provided that enables the user to save the password by selecting the box.
In Windows Embedded CE 6.0 R2 Update KB945975, the ability to save passwords on the Remote Desktop client is disabled by default. To enable this feature, you can change one of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
Non-zero value indicates that password saving is disabled.
This setting is disabled by default.
The Remote Desktop Connection client will first check the registry value in HKEY_LOCAL_MACHINE, and then it will check the registry value in HKEY_CURRENT_USER.
Enabling a user to save a password on the device may present a security risk.
To ensure that password saving remains disabled across a cold boot of the operating system, Windows Embedded CE 6.0 R2 must support a persistent registry. The hive-based registry stores data inside files, or hives, which can be kept on any file system. This removes the need to perform backup and restore of registry data during shutdown and startup.
SSL/TLS Protocol Support
Windows Embedded CE 6.0 R2 includes support for using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to encrypt data that is sent through an RDP channel. SSL and TLS are protocols that allow client/server applications to communicate in a way that reduces the risk of eavesdropping, data tampering, and message forgery. SSL/TSL protocols provide end-point authentication communications privacy over the Internet using cryptography. Remote Desktop clients can use TLS/SSL or RDP data encryption.
RDP does provide 128-bit data encryption, but in order to provide authentication for verifying the identity of a Terminal Server when connecting to it, a thin client must use SSL/TLS.
When communicating with a Terminal Server, thin clients can employ the highest level of encryption and authentication available by including SSL/TSL in the OS design.
To communicate using SSL/TLS, the protocol must be available on both the thin client and the Terminal Server. When attempting to connect to a Terminal Server which does not have SSL/TSL, the user will first be prompted to connect to a server without SSL/TLS support. SSL/TLS is supported only on Terminal Servers that are running either Windows Server 2003 operating system, Windows XP Professional, Windows Vista, or Windows Server 2008 operating system.
SSL/TLS is included by default when the Remote Desktop Protocol Catalog item is included in your OS design.
Network Level Authentication
Network Level Authentication (NLA) is an authentication method that completes the user authentication process before a full Remote Desktop Connection is established and the logon screen appears. With Network Level Authentication, a Terminal Services client can only connect to a Terminal Server if it is first authenticated by that server.
Network Level Authentication:
- requires fewer remote server resources. This is because the remote server uses a limited number of resources before it authenticates the thin client.
- helps improve security by reducing the risk of denial of service attacks which attempt to limit or prevent access to the Internet.
- protect users from connecting to remote computers that are set up for malicious purposes.
To use Network Level Authentication, a thin client must connect to a Terminal Server that is using Remote Desktop Connection and that has enabled Network Level Authentication by default.
To enable Network Level Authentication on the server, the IT administrator must do the following:
- Click Start, click Control Panel, and then double-click System.
- In the System Properties dialog box, click Remote.
- Choose Allow connections only from computers running Remote Desktop with Network Level Authentication.
Network Level Authentication is included by default when the Remote Desktop Protocol Catalog item is included in your OS design.
Network Level Authentication is transparent to the end-user and does not require any additional configuration of the thin client.
Server Authentication (SA) can be used to verify that a thin client is connecting to the correct remote server. Server Authentication helps prevent a thin client from connecting to a server that it was not intended to connect to. This also helps to prevent unintentionally exposing confidential information on a server in the enterprise network.
Server Authentication is available with both Windows Vista and the Windows Server 2008 operating system.
Server Authentication is enabled by default. A user can configure this on Remote Desktop Connection client by doing the following:
- Open the CETSC UI. For example, on the Windows Thin Client Shell, click Connect from the Terminal Connection Manager dialog box.
- Click Options, and then click the Advanced tab.
- Choose Don't connect if authentication fails for the highest level of Server Authentication. The three available authentication options are as follows:
- Always connect, even if authentication fails
If you enable this option, you can connect even if Remote Desktop Connection cannot verify the identity of the remote computer.
- Warn me if authentication fails
If you enable this option, when Remote Desktop Connection cannot verify the identity of the remote computer, this option warns you so that you can decide whether to continue with the connection.
- Don't connect if authentication fails
If you enable this option, you cannot connect if Remote Desktop Connection cannot verify the identify of the remote computer.
- Always connect, even if authentication fails
NTLM Security Support Provider and RDP
When you want to use the NT LAN Manager Security Support Provider (SSP) protocol (SYSGEN_AUTH_NTLM) with an RDP connection to a computer running Windows Vista, you should specify that the Negotiate security package selects NTLM instead of Kerberos as the security provider. By doing this, you can prevent a 15 second delay, or a failure to authenticate, that occurs during authentication. For more information, see RDP Registry Settings.
RDP Security Best Practices
Best practices for RDP security are as follows.
Carefully choose which files to expose in an RDP session
Enable file storage redirection and filtered file storage redirection, and carefully choose which files to expose in an RDP session. By default, the filter exposes external file storage devices, such as USB and compact flash devices.
For more information, see Filtered File Storage Redirection.
Warn the user when a script is about to be executed, or disable the alternate shell
RDP connection file and registry properties may pose a security threat if they are used to run an unauthorized script. Because the RDP client does not warn the user before it starts to run a script, the user may not recognize an attack until it has been executed.
To minimize security threat, do one of the following:
- Disable the alternate shell in your OS design. For more information on AlternateShell, see Terminal Services Client Configuration through the .rdp File.
- Add a dialog box that displays a warning when a script is about to be executed. For example, "RDP client is attempting to run a script on target device. Do you want to allow it? (Y/N)."
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.
For information on RDP registry settings, see RDP Registry Settings.