To secure all data being transferred to and from the Windows server, the Windows connector supports built-in RDP network security and enhanced network security options. The built-in RDP security uses the RC4 cipher, which encrypts data of varying size with a 56-bit or a 128-bit key. The enhanced network security options include TLS/SSL (with optional server verification) and Network Level Authentication (NLA) using CredSSP.
The Windows connector uses RSA Security's RC4 cipher to secure all data being transferred to and from the Windows system. This cipher encrypts data of varying size with a 56-bit or a 128-bit key.
Table 18.7, “Encryption Levels for Network Security” lists the four levels of encryption that can be configured on the Windows system.
Table 18.7. Encryption Levels for Network Security
Level | Description |
---|---|
Low | All data from client to server is encrypted based on maximum key strength supported by the client. |
Client-compatible | All data between client and server in both directions is encrypted based on the maximum key strength supported by the client. |
High | All data between the client and server in both directions is encrypted based on the server's maximum key strength. Clients that do not support this strength of encryption cannot connect. |
FIPS-Compliant | FIPS-compliant encryption is not supported. |
Data encryption is bidirectional except at the Low setting, which encrypts data only from the client to the server.
The enhanced network security options include TLS/SSL (with optional server verification) and Network Level Authentication (NLA) using CredSSP. These options protect the Windows session from malicious users and software before a full session connection is established.
For TLS/SSL support, the RDP host must be running Windows Server 2003, Windows 7, or Windows Server 2008. To connect to a Windows host with TLS/SSL peer verification enabled (-j VerifyPeer:on), you must add the root certificate to the client's OpenSSL cert store, or specify an additional search path or PEM file by using the -j CAPath:path or -j CAfile:pem-file options of the uttsc command.
For NLA support, the RDP host must be running Windows 7 or Windows 2008 R2, and you must use the -u and -p options with the uttsc command.
For both TLS/SSL and NLA support, the Windows system's security layer must be configured as "SSL (TLS 1.0)" or "Negotiate."
Table 18.8, “Command Line Examples for Enhanced Network Security” provides a list of uttsc command line examples that show which security mechanism is used when the Windows Remote Desktop Service is configured to negotiate with the client. A result of "RDP" means that the built-in RDP security is used.
Table 18.8. Command Line Examples for Enhanced Network Security
uttsc Command Line Examples | Windows XP | Windows Server 2003 | Windows 7 | Windows Server 2008 |
---|---|---|---|---|
| RDP | SSL/TLS | NLA | NLA |
| RDP | SSL/TLS | SSL/TLS | SSL/TLS |
| RDP | SSL/TLS | NLA | NLA |
| RDP | RDP | RDP | RDP |
You can enforce NLA security on a Windows system. For example, when using Windows Server 2008, select the following option on the Remote tab of the System Properties window: "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". With this option selected, users must use the -u and -p options with the uttsc command to connect to the server.
TLS/SSL connections require a certificate to be present on the Windows system. If that is not the case, the connection might fall back to the built-in RDP security (if allowed) or fail.
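The following wrapper is an added example, not part of the Oracle documentation or the uttsc tool, covering both the TLS/SSL peer-verification options and the NLA options described above. It only assembles the uttsc options (using the option syntax given on this page) and checks the inputs that would otherwise let a session silently end up on built-in RDP security or fail: the CA PEM file must exist and actually contain a certificate, and NLA must have both -u and -p. The host name and user in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: build uttsc option sets for enhanced network security.
# Option syntax (-j VerifyPeer:on, -j CAfile:pem-file, -u, -p) is as documented
# on this page; everything else here is an assumption of this wrapper.

# Print the options for TLS/SSL with server verification.
# $1 = PEM file holding the root certificate of the RDP host's chain.
# Returns 1 and prints nothing if the file is unreadable or not a PEM
# certificate, so the caller never launches a session that would have to
# fall back to built-in RDP security (or fail) for lack of a usable CA file.
tls_opts() {
    ca_file=$1
    [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$ca_file" || {
        echo "not a PEM certificate: $ca_file" >&2; return 1; }
    printf '%s\n' "-j VerifyPeer:on -j CAfile:$ca_file"
}

# Print the options for NLA (CredSSP). NLA requires both -u and -p, so a
# missing user or password is rejected instead of emitting half a setting.
# Note: a password given with -p is visible in process listings on the
# client; prefer reading it from a prompt or a protected file into $2.
nla_opts() {
    user=$1
    pass=$2
    [ -n "$user" ] && [ -n "$pass" ] || {
        echo "NLA needs both a user (-u) and a password (-p)" >&2; return 1; }
    printf '%s\n' "-u $user -p $pass"
}

# Usage (hypothetical host and paths):
#   uttsc $(tls_opts /etc/ssl/certs/corp-root.pem) \
#         $(nla_opts alice "$RDP_PASS") rdp-host.example.com
```

Because each function returns non-zero on a bad input, a `set -e` launcher script aborts before uttsc is ever started.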