
Tuesday, November 07, 2006

How to secure remote desktop connections using TLS/SSL based authentication

Author: Martin Kiaer

We would like to welcome Martin Kiaer to our team of authors as he presents his first article to WindowSecurity.com readers. This article shows how to enable computer based authentication using TLS/SSL, when establishing a remote desktop connection to a server running Windows Server 2003.

Whether you enable Microsoft Windows Terminal Services for end-users or enable remote desktop connectivity on a Windows Server 2003 for administrative purposes, security issues may arise depending on how you have configured your server. However, with the introduction of Service Pack 1 for Windows Server 2003, you now have the opportunity to establish a secure Remote Desktop Protocol (RDP) connection to your server using TLS/SSL based authentication.

Common threats
Let us start by looking at some common threats.


If your domain password policy is configured to lock user accounts after a predefined number of failed logon attempts, then your Terminal Services (RDP) enabled server becomes an entry point for a user based DoS (Denial of Service) attack against your domain. One could easily connect to the terminal server and attempt to log on with various usernames and passwords. Depending on the password policy, the username that has been tried may get locked out, thus preventing the real user from logging on.

In addition, if weak passwords are used, hacking tools such as TScrack 2.0 can be used to mount a dictionary based attack against servers that have Windows Terminal Services enabled. This tool, by the way, will also perform the aforementioned DoS attack.

The threat becomes even bigger when the server running Microsoft Windows Terminal Services is accessible from the Internet through an RDP connection on port 3389, even though you have an advanced firewall such as ISA Server in front of it, a scenario that is especially common for Microsoft Small Business Server users.

The good news however, is that you can prevent these attacks. The solution is certificate based computer authentication. If the computer cannot authenticate itself by presenting a valid certificate to the terminal server it is trying to connect to, then the RDP connection will be dropped before the user has a chance to attempt to log on.

How to enable TLS/SSL based authentication
Before we get started, there are some prerequisites you should be aware of.

On the server side the following is required:

Ensure your terminal server is running Windows Server 2003 including SP1.

You also need a TLS/SSL based certificate installed with the following specifications:
The certificate should be computer based.
The certificate's purpose should be server authentication.
The certificate's private key should be available.
Since it is a computer based certificate, it should be stored in the computer account certificate store on the terminal server.

On the client side the following is required:

The client computer must be running Microsoft Windows 2000, Windows XP, Windows Server 2003 or Windows Vista.

For Windows 2000, XP and Windows Server 2003, the remote desktop client version 5.2 or newer should be used. This client can be found in the following folder on a Windows Server 2003 SP1 based server:

%systemroot%\system32\clients\tsclient\win32\msrdpcli.msi

The last important requirement is that the client has to trust the root Certification Authority (CA) that has issued the computer based certificate residing on the terminal server. This will ensure that a TLS/SSL connection can be established.
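As an added example (not from the original article), the following PowerShell script checks the terminal server's computer account certificate store for a certificate that meets the prerequisites above, and includes a client side check that the issuing root CA is trusted. It assumes an elevated PowerShell session with the Cert: drive available; the function names are my own.

```powershell
# Added example, not part of the original article.
# Server side: inspect Cert:\LocalMachine\My (the computer account store) for a
# certificate with a private key, the Server Authentication purpose and a chain
# that builds to a trusted root CA.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-RdpTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $problems = @()

    # Private key must be available to the terminal server.
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key is not available' }

    # Purpose must include Server Authentication.
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
    if (-not $hasServerAuth) { $problems += 'Server Authentication purpose missing' }

    # Certificate must be within its validity period.
    $now = Get-Date
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) {
        $problems += 'not valid at the current date'
    }

    # Chain must build to a root CA that this machine trusts; clients need the same root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
    if (-not $chain.Build($Certificate)) {
        $problems += ('chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Suitable   = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Client side: confirm the issuing root CA is present in a trusted root store.
function Test-ClientTrustsRoot {
    param([string]$RootThumbprint)   # thumbprint of the CA that issued the server certificate
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    [bool](Get-ChildItem $stores | Where-Object { $_.Thumbprint -eq $RootThumbprint })
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-RdpTlsCertificate -Certificate $_ } | Format-List
```

Run the first part on the terminal server; run Test-ClientTrustsRoot on each client with the root CA's thumbprint to catch the missing-trust case before users report failed connections.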
Now that you know what is needed, it is time to learn how to make it all happen.
