
Configure RDP encryption via Group Policy for Windows servers

Windows server administrators can encrypt RDP authentication to protect the username and password exchange. Rick Vanover shows you how.

For Windows servers, Remote Desktop Protocol (RDP), also known as Terminal Services, is the de facto remote access tool. For administrators and users alike, this built-in protocol has made remote access straightforward since Windows 2000.

One of the key configuration points is the Encryption setting for remote desktop. The default encryption level is Medium for Windows Server 2003 systems and Client Compatible for Windows Server 2008 R2 systems. (Note: RDP encryption is not the same as Network Level Authentication, which is an enhancement to RDP communication.) Figure A shows the RDP encryption settings on a Windows Server 2008 R2 system.

Figure A: RDP encryption settings on a Windows Server 2008 R2 system.

The best way to centrally manage RDP encryption for Windows Server 2003 and newer systems is to implement a Group Policy Object (GPO). In the GPO, browse to Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Encryption And Security. This is where an encryption policy can be set and deployed to the managed servers in Active Directory. (Go to TechNet for more information on this Group Policy configuration.)
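The same GPO setting can be created from the command line instead of the Group Policy editor. The following PowerShell is an added example, not part of the article, and uses the GroupPolicy module that ships with the Group Policy Management Console on Windows Server 2008 R2 and later. The policy under the Encryption And Security node ("Set client connection encryption level") writes a `MinEncryptionLevel` value under the Terminal Services policy key; the GPO name and the OU distinguished name below are assumptions to replace with your own.

```powershell
# Added example (not from the article): deploy the Terminal Services encryption
# policy through a GPO using the GroupPolicy module (GPMC, Server 2008 R2 or later).
Import-Module GroupPolicy

$gpoName  = 'RDP Encryption - High'          # assumed GPO name
$targetOU = 'OU=Servers,DC=example,DC=com'   # assumed OU to link the GPO to

# Registry key written by the "Set client connection encryption level" policy
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# MinEncryptionLevel values: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
$high = 3

# Create the GPO only if it does not already exist
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Set the policy value inside the GPO (Computer Configuration side)
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'MinEncryptionLevel' `
    -Type DWord -Value $high | Out-Null

# Link the GPO to the server OU; ignore the error if the link already exists
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Read the value back to confirm what the GPO now carries
Get-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'MinEncryptionLevel'
```

After the next Group Policy refresh on the linked servers, the RDP-Tcp listener enforces the policy value regardless of what was set locally in the Terminal Services configuration tool.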

This is also a configuration item that can help you on a PCI audit if one is in your future. Requirement 2.3 states: "Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access." For Windows servers, setting the RDP encryption level to High will address this requirement for your audit; it's also a positive step toward securing your environment.

If you take additional steps to protect your RDP connections, let us know what they are by posting to the discussion.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

10 comments
tbrothers

Is there a way to "verify" high level encryption? For auditing I need to "show evidence" that my sessions are encrypted. Thanks, Terry
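One way to produce that evidence is to query each server's effective RDP listener configuration and the policy value that set it. The script below is an added example, not code from the article or the commenter; it reads the `Win32_TSGeneralSetting` class from the Terminal Services WMI provider and the Terminal Services policy registry key over the network, then reports whether the effective level is at least High. The server names are assumptions, and the `[pscustomobject]` syntax requires PowerShell 3.0 or later.

```powershell
# Added example (not from the article): audit the effective RDP encryption level
# on remote servers and produce a table suitable as audit evidence.
$servers = 'SERVER01', 'SERVER02'   # assumed names; replace with your own

# MinEncryptionLevel values used by the RDP-Tcp listener
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpEncryptionStatus {
    param([string]$ComputerName)

    # Effective setting of the RDP-Tcp listener from the Terminal Services WMI provider
    $ts = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    # Policy value written by the GPO; a missing key means no policy is applied
    $reg    = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $polKey = $reg.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')
    $policyLevel = if ($polKey) { $polKey.GetValue('MinEncryptionLevel') } else { $null }

    [pscustomobject]@{
        Computer       = $ComputerName
        EffectiveLevel = $levelNames[[int]$ts.MinEncryptionLevel]
        PolicyLevel    = if ($policyLevel) { $levelNames[[int]$policyLevel] } else { '(not set by policy)' }
        SecurityLayer  = $ts.SecurityLayer              # 0 = RDP, 1 = Negotiate, 2 = SSL/TLS
        NLARequired    = [bool]$ts.UserAuthenticationRequired
        MeetsHigh      = ([int]$ts.MinEncryptionLevel -ge 3)
    }
}

# One row per server; export with Export-Csv if the auditor wants a file
$servers | ForEach-Object { Get-RdpEncryptionStatus -ComputerName $_ } | Format-Table -AutoSize
```

Showing both the effective listener value and the policy value matters for an audit: a server whose `PolicyLevel` is "(not set by policy)" but whose `EffectiveLevel` is High was configured locally and can drift, whereas a value set by the GPO is reapplied on every policy refresh.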

bill.gorman

You can also use the same GPO in Win XP if you are concerned about the security of a remote connection to a workstation.

Neon Samurai

I'd love to simply wrap ssh/autossh around my rdp traffic but lacking that option, is there a way to encrypt the traffic for versions previous to server 2008?

b4real

This is the best bet to increase RDP security outside of firewalls and security zones.

b4real

Works for WS2K3, but not Windows 2000 IIRC.

Neon Samurai

RDP and VNC each have their own advantages and issues, but UVNC+AES can be a good free alternative to unencrypted traffic pre-2008.

Neon Samurai

Now I just need a win32 sshfs build that works with it.
