Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Configuring Terminal Servers for Server Authentication to Prevent …

Configuring Terminal Servers for Server Authentication to Prevent … — Tue, 22 Jul 2008 19:58:27 GMT

PingBack from http://allstarnic.com/ssl-certificates-news/configuring-terminal-servers-for-server-authentication-to-prevent.htm

Interesting Links – 7/25/2008

Matt Johnson's Technical Adventures — Fri, 25 Jul 2008 17:39:36 GMT

You Had Me At EHLO... : Where does the time go? -519 Jet_errLogSequenceEnd Microsoft Advanced Windows

Creating Kerberos Identity for RD Session Host Farms Part I: using the Remote Desktop Services provider for Windows PowerShell

Terminal Services Team Blog — Thu, 21 May 2009 06:05:26 GMT

Why create Kerberos Identity for farms? In Windows 2008, it is possible to provide server authentication

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Hari — Tue, 15 Sep 2009 19:25:19 GMT

Hi,

Can anyone please explain what is the difference between NLA with SSL/TLS and pure SSL/TLS?

Also, it is mentioned that NLA with SSL/TLS cannot be used on client skus as TS servers. Is it possible to use pure SSL/TLS on client skus as TS server?

thanks,

Hari

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Sergey Kuzin — Thu, 17 Sep 2009 03:57:00 GMT

NLA uses CREDSSP protocol (see http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-CSSP].pdf)

CredSSP is a complex protocol that performs TLS handshake and then either Kerberos or NTLM handshake. So, a server can be authenticated by either its SSL certificate or by Kerberos.

In som scenarios Kerberos does not work (see "NLA with TLS/SSL" section above). In these cases the only way to authenticate a server is by using its certificate. By default each server is supplied with a self-signed certificate which, obviously, not trusted by clients. So you need to replace this certificate with a trusted one.

It is possible to install a certificate on both, client and server SKU, but the OS version on the client SKU should be at least Vista. On client SKU there is no tsconfig.msc, so you'll have to use WMI to configure the certificate (see http://msdn.microsoft.com/en-us/library/aa383799(VS.85).aspx)

"Pure SSL/TLS" simply means TLS protocol used for server authentication only.

Pure SSL/TLS is supported by Win 2003 SP1 and up (both, client and server SKU), but it's not supported on XP.

You can use pure SSL/TLS to authenticate a client SKU (starting with Vista), but it has to be configured with a proper certificate.

I hope I clarified it at least a little bit :-)

Thx,

Sergey.

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Sergey Kuzin — Thu, 17 Sep 2009 04:00:56 GMT

"Why create Kerberos Identity for farms? In Windows 2008, it is possible to provide server authentication"

It is not possible to authenticate a Windows 2008 farm unless each server on the farm is configured with a farm certificate.

Enabling Kerberos Identity is much simpler.

Thx,

Sergey.

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

MikeH — Mon, 02 Nov 2009 21:37:16 GMT

After reading and searching for over 3 hours now, I think I'm on the right spot.

All I want to do is, get a secure remote desktop connection from one win7 to another win7 machine.

Using the default settings I get a security warning, that the remote server is not trusted. So far so good.

But how can I successfully install the certificate on the client computer to trust the certificate of the other win7 machine?!?

How can something be secure if such simple tasks are impossible to do? It seems everyone who has these troubles just lowers the security settings. This is the wrong way!

Please shed some light on the issue. Not from the enterprise but from the normal users point of view! Thanks.

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Olga — Mon, 02 Nov 2009 22:26:12 GMT

Hi Mike!

Are both of your client machines domain joined or are they personal home machines? inside the domain you'll be able to get Kerberos auth but without that, you do have to configure certificates for server authentication over internet.

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Sergey Kuzin — Tue, 03 Nov 2009 21:56:16 GMT

Mike,

You can install the server's certificate on your client machine, so it would trust the server.

However, you have to install it into your computer account's certificate store instead of user's certificate store.

If you already have it installed in your user store, you can simply copy it over to the computer store.

Thx,

Sergey.

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Bruno — Mon, 21 Dec 2009 21:15:39 GMT

Hello,

I've followed the instructions to enable TLS for RDP on Vista (Enterprise) at http://articles.techrepublic.com.com/5100-10878_11-6166676.html

Essentially, this consists of setting the RDP parameters using group policies (via gpedit.msc).

Although this seems to work, I'm unable to configure an existing certificate I have for this host: it always regenerates its own self-signed certificate. I'm able to see this self-signed certificate using mmc.exe -> add Certificate snap-in, and then Certificates -> Remote Desktop -> Certificates. I've tried to delete it and to leave only the one I want to use (emitted by a CA) there, but this doesn't work.

How is it possible to select which certificate to use for the RDP server on Windows Vista? That's something I've been able to do quite easily on Windows Server (using tsconfig.msc as described in this article).

Best wishes,

Bruno.

re: Configuring Terminal Servers for Server Authentication to Prevent “Man in the Middle” Attacks

Bruno — Thu, 24 Dec 2009 00:01:04 GMT

Hello,

I've set up a certificate for TLS authentication on a Windows 2008 Server (and on another Vista Enterprise machine), and I've tried a few clients combinations (for which this certificate hadn't been set up), to see what they were actually checking.

In the Advanced/Connection tab (RDP client 6.1 or 7.0), I've selected "Warn me". Since the certificate is new to the clients I've tested, it should show a warning box saying something like "the remote computer could not be authenticated due to problems with its security certificate [...]", looking like this: http://blogs.msdn.com/photos/ts/images/1980609/original.aspx

I do get this box using RDP client under:

- Windows XP Pro

- Windows Vista Enterprise

However, whether I choose "warn" or "don't connect" if the server's identity can't be verified, there's absolutely no warning using the client under:

- Windows XP Home

- Windows Vista Home Premium

- OSX (RDP 2 client)

The clients running on Home editions or OSX have the same advanced options to check the certificate but do absolutely nothing when they encounter a certificate they can't possibly know (either self-signed or an unknown CA).

Is this really normal?

Best wishes,

Bruno.