For Windows servers, Remote Desktop Protocol (RDP) or Terminal Services is the de facto access tool. For administrators and users alike, this built-in protocol allows systems to be accessed with ease starting with Windows 2000.One of the key configuration points is the Encryption setting for remote desktop. The default encryption level is Medium for Windows Server 2003 systems and Client Compatible for Windows Server 2008 R2 systems. (Note: RDP encryption is not the same as Network Level Authentication, which is an enhancement to RDP communication.) Figure A shows the RDP encryption settings on a Windows Server 2008 R2 system. Figure A
Click the image to enlarge.
The best way to centrally manage RDP encryption for Windows Server 2003 and newer systems is to implement a Group Policy Object (GPO). To create a GPO, browse to Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Encryption And Security. This is where an encryption policy can be set and deployed to the managed servers in Active Directory. (Go to TechNet for more information on this Group Policy configuration.)
This is also a configuration item that can help you on a PCI audit if one is in your future. Requirement 2.3 states to: "Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access." For Windows Servers, setting RDP to High will address this requirement for your audit; it's also a positive step to securing your environment.
If you take additional steps to protect your RDP connections, let us know what they are by posting to the discussion.
Stay on top of the latest Windows Server 2003 and Windows Server 2008 tips and tricks with our free Windows Server newsletter, delivered each Wednesday.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.