To secure all data being transferred to and from the Windows server, the Windows connector supports built-in RDP network security and enhanced network security options. The built-in RDP security uses the RC4 cipher, which encrypts data of varying size with a 56-bit or a 128-bit key. The enhanced network security options include TLS/SSL (with optional server verification) and Network Level Authentication (NLA) using CredSSP.
The Windows connector uses RSA Security's RC4 cipher to secure all data being transferred to and from the Windows system. This cipher encrypts data of varying size with a 56-bit or a 128-bit key.
Table 15.3, “Encryption Levels for Network Security” lists the four levels of encryption that can be configured on the Windows system.
Table 15.3. Encryption Levels for Network Security
| Level | Description |
|---|---|
| Low | All data from client to server is encrypted based on the maximum key strength supported by the client. |
| Client-compatible | All data between client and server in both directions is encrypted based on the maximum key strength supported by the client. |
| High | All data between the client and server in both directions is encrypted based on the server's maximum key strength. Clients that do not support this strength of encryption cannot connect. |
| FIPS-Compliant | FIPS-compliant encryption is not supported. |
Data encryption is bidirectional except at the Low setting, which encrypts data only from the client to the server.
The enhanced network security options include TLS/SSL (with optional server verification) and Network Level Authentication (NLA) using CredSSP. These options protect the Windows session from malicious users and software before a full session connection is established.
For TLS/SSL support, the RDP host must be running Windows 2003 R2, Windows 7, or Windows 2008 R2. In order to connect to a Windows host with TLS/SSL peer verification enabled (-j VerifyPeer:on), you must add the root certificate to the client's OpenSSL cert store or specify an additional search path or PEM file by using the -j CAPath:path or -j CAfile:pem-file options of the uttsc command.
For NLA support, the RDP host must be running Windows 7 or Windows 2008 R2, and you must use the -u and -p options with the uttsc command.
For both TLS/SSL and NLA support, the Windows server's security layer must be configured as "SSL (TLS 1.0)" or "Negotiate."
Table 15.4, “Command Line Examples for Enhanced Network Security” provides a list of uttsc command line examples that show which security mechanism is used when the Windows Remote Desktop Service is configured to negotiate with the client. A result of "RDP" means that the built-in RDP security is used.
Table 15.4. Command Line Examples for Enhanced Network Security
| uttsc Command Line Examples | Windows XP | Windows 2003 R2 | Windows 7 | Windows 2008 R2 |
|---|---|---|---|---|
| | RDP | SSL/TLS | NLA | NLA |
| | RDP | SSL/TLS | SSL/TLS | SSL/TLS |
| | RDP | SSL/TLS | NLA | NLA |
| | RDP | RDP | RDP | RDP |
You can enforce NLA security on a Windows server. For example, on a Windows 2008 R2 server, select the following option on the Remote tab of the System Properties window: "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". With this option selected, users must use the -u and -p options with the uttsc command to connect to the server.
TLS/SSL connections require a certificate to be present on the Windows server. If that is not the case, the connection might fall back to the built-in RDP security (if allowed) or fail.
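The following shell wrapper is an added example, not part of the original documentation or the Sun Ray Software distribution. It assembles a uttsc argument list that satisfies the prerequisites described above (a reachable root certificate when peer verification is on, and credentials when NLA is used) and refuses to build a command line that would silently fall back to weaker security. The wrapper name, its interface and the host names in the comments are assumptions; only the uttsc options themselves come from the page.

```shell
#!/bin/sh
# build_uttsc_args MODE HOST [CA] [USER] [PASS]
#   MODE "tls": TLS/SSL with peer verification (-j VerifyPeer:on); CA is a
#               PEM file (-j CAfile:) or a directory of certs (-j CAPath:).
#   MODE "nla": Network Level Authentication; USER and PASS feed -u and -p.
# Prints the argument string on stdout; returns non-zero with a message on
# stderr when a prerequisite is missing, so the caller never runs uttsc
# with verification that cannot succeed or with NLA credentials absent.
# Hypothetical wrapper: the option spellings are uttsc's, the rest is ours.
build_uttsc_args() {
    mode=$1; host=$2; ca=$3; user=$4; pass=$5
    [ -n "$host" ] || { echo "host required" >&2; return 1; }
    case "$mode" in
        tls)
            # Peer verification needs the root certificate locally; a PEM
            # file takes precedence over a search directory.
            if [ -f "$ca" ] && [ -r "$ca" ]; then
                printf '%s\n' "-j VerifyPeer:on -j CAfile:$ca $host"
            elif [ -d "$ca" ]; then
                printf '%s\n' "-j VerifyPeer:on -j CAPath:$ca $host"
            else
                echo "tls: root certificate file or directory not found: '$ca'" >&2
                return 2
            fi
            ;;
        nla)
            # CredSSP authenticates before the session exists, so uttsc
            # must receive the user name and password up front.
            if [ -z "$user" ] || [ -z "$pass" ]; then
                echo "nla: both -u and -p are required" >&2
                return 3
            fi
            # Note: -p places the password in the process list on the client.
            printf '%s\n' "-u $user -p $pass $host"
            ;;
        *)
            echo "unknown mode: '$mode' (use tls or nla)" >&2
            return 4
            ;;
    esac
}
# Example: args=$(build_uttsc_args tls rdp.example.test /etc/ssl/root.pem) && uttsc $args
```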