How do I tell if my connection is encrypted?

[ToddAndMargo]

Hi All,

This seems too easy. Click on my icon and over the
Internet I am connected to my remote Terminal Server.
It seems too easy from a security standpoint. How
do I tell if my connection is encrypted?

Many thanks,
-T

 

[Vera Noest [MVP]]

ToddAndMargo wrote on 12 okt 2009:

> Hi All,
>
> This seems too easy. Click on my icon and over the
> Internet I am connected to my remote Terminal Server.
> It seems too easy from a security standpoint. How
> do I tell if my connection is encrypted?
>
> Many thanks,
> -T

You can check (and set) the security level and the encryption on the
server, in rdp-tcp properties, on the "General" tab.

816594 - HOW TO: Secure Communication Between a Client and Server
with Terminal Services
http://support.microsoft.com/?kbid=816594

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

 

[ToddAndMargo]

Vera Noest [MVP] wrote:
> ToddAndMargo wrote on 12 okt 2009:
>
>> Hi All,
>>
>> This seems too easy. Click on my icon and over the
>> Internet I am connected to my remote Terminal Server.
>> It seems too easy from a security standpoint. How
>> do I tell if my connection is encrypted?
>>
>> Many thanks,
>> -T
>
> You can check (and set) the security level and the encryption on the
> server, in rdp-tcp properties, on the "General" tab.
>
> 816594 - HOW TO: Secure Communication Between a Client and Server
> with Terminal Services
> http://support.microsoft.com/?kbid=816594

Hi Vera,

Thank you for the link.

In my "General" tab:
Security layer: Negotiate
Encryption Level: Client Compatible

Does this mean I am always encrypted?

Many thanks,
-T

 

[ToddAndMargo]

ToddAndMargo wrote:
> Vera Noest [MVP] wrote:
>> ToddAndMargo wrote on 12 okt 2009:
>>
>>> Hi All,
>>>
>>> This seems too easy. Click on my icon and over the
>>> Internet I am connected to my remote Terminal Server.
>>> It seems too easy from a security standpoint. How
>>> do I tell if my connection is encrypted?
>>>
>>> Many thanks,
>>> -T
>>
>> You can check (and set) the security level and the encryption on the
>> server, in rdp-tcp properties, on the "General" tab.
>>
>> 816594 - HOW TO: Secure Communication Between a Client and Server with
>> Terminal Services
>> http://support.microsoft.com/?kbid=816594
>
> Hi Vera,
>
> Thank you for the link.
>
> In my "General" tab:
> Security layer: Negotiate
> Encryption Level: Client Compatible
>
> Does this mean I am always encrypted?
>
> Many thanks,
> -T

My concern is that with "Security layer: Negotiate", a client
could negotiate "none".

-T

 

[Vera Noest [MVP]]

ToddAndMargo wrote on 13 okt 2009:

> ToddAndMargo wrote:
>> Vera Noest [MVP] wrote:
>>> ToddAndMargo wrote on 12 okt 2009:
>>>
>>>> Hi All,
>>>>
>>>> This seems too easy. Click on my icon and over the
>>>> Internet I am connected to my remote Terminal Server.
>>>> It seems too easy from a security standpoint. How
>>>> do I tell if my connection is encrypted?
>>>>
>>>> Many thanks,
>>>> -T
>>>
>>> You can check (and set) the security level and the encryption
>>> on the server, in rdp-tcp properties, on the "General" tab.
>>>
>>> 816594 - HOW TO: Secure Communication Between a Client and
>>> Server with Terminal Services
>>> http://support.microsoft.com/?kbid=816594
>>
>> Hi Vera,
>>
>> Thank you for the link.
>>
>> In my "General" tab:
>> Security layer: Negotiate
>> Encryption Level: Client Compatible
>>
>> Does this mean I am always encrypted?
>>
>> Many thanks,
>> -T
>
> My concern is that with "Security layer: Negotiate", a client
> could negotiate "none".
>
> -T

Yes. The only thing that is guaranteed to be encrypted with your
settings is the password, and you're open for man-in-the-middle
attacks. Did you click on the "More information" link in the window
where the settings are made? It leads to this page:

http://technet.microsoft.com/en-us/library...610(WS.10).aspx

which explains what you can and should do to improve security.


_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

 

[ToddAndMargo]

Vera Noest [MVP] wrote:

>> My concern is that with "Security layer: Negotiate", a client
>> could negotiate "none".
>>
>> -T
>
> Yes. The only thing that is guaranteed to be encrypted with your
> settings is the password, and you're open for man-in-the-middle
> attacks. Did you click on the "More information" link in the window
> where the settings are made? It leads to this page:
>
> http://technet.microsoft.com/en-us/library...610(WS.10).aspx
>
> which explains what you can and should do to improve security.

Reading over that article, I am not finding any reference
to whether a "none" connection is possible. Just that
some are higher than others. What am I missing?

-T

 

[Vera Noest [MVP]]

ToddAndMargo wrote on 13 okt 2009 in
microsoft.public.windows.terminal_services:

> Vera Noest [MVP] wrote:
>
>>> My concern is that with "Security layer: Negotiate", a client
>>> could negotiate "none".
>>>
>>> -T
>>
>> Yes. The only thing that is guaranteed to be encrypted with
>> your settings is the password, and you're open for
>> man-in-the-middle attacks. Did you click on the "More
>> information" link in the window where the settings are made? It
>> leads to this page:
>>
>> http://technet.microsoft.com/en-us/library...610(WS.10).aspx
>>
>> which explains what you can and should do to improve security.
>
> Reading over that article, I am not finding any reference
> to whether a "none" connection is possible. Just that
> some are higher than others. What am I missing?

"None" is the default. From that article:
"By default, Terminal Server uses native RDP encryption and does
not authenticate the server."

and:

"Set the Security layer to Negotiate. If you use this
configuration, TLS authentication is only enabled if the client
supports it."

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Services
RDS troubleshooting: http://ts.veranoest.net

 

[ToddAndMargo]

Vera Noest [MVP] wrote:
> "None" is the default. From that article:
> "By default, Terminal Server uses native RDP encryption and does
> not authenticate the server."
>
> and:
>
> "Set the Security layer to Negotiate. If you use this
> configuration, TLS authentication is only enabled if the client
> supports it."

With mostly XP clients, which setting would you use if you
wanted to guaranty at least some encryption?

Many thanks,
-T

 

[Vera Noest [MVP]]

ToddAndMargo wrote on 14 okt 2009 in
microsoft.public.windows.terminal_services:

> Vera Noest [MVP] wrote:
> > "None" is the default. From that article:
>> "By default, Terminal Server uses native RDP encryption and does
>> not authenticate the server."
>>
>> and:
>>
>> "Set the Security layer to Negotiate. If you use this
>> configuration, TLS authentication is only enabled if the client
>> supports it."
>
> With mostly XP clients, which setting would you use if you
> wanted to guaranty at least some encryption?
>
> Many thanks,

Authentication and encryption are 2 different things.
I would set the encryption level to high.
If you also want server authentication, you'll need a certificate.

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Services
RDS troubleshooting: http://ts.veranoest.net