6

I have a 2008 DC and a 2008 AD CS server and a Windows 7 client. What I would like is to require the certificate to be used when RDPing to the server.

The certificate is valid, and if I connect using the FQDN I am shown that i was authenticated by both the certificate and Kerberos as expected. When I connect with just the hostname I am allowed to connect and am only authenticated by Kerberos, even though I have Require TLS 1.0 set on the server that I am RDPing to. I fully understand that the certificate will not be valid unless the server is accessed by FQDN, what I want to do is disallow connections that do not use the certificate AND Kerberos.

I thought that setting Require TLS 1.0 would do it. What am I missing?

MDMarra
  • 100,734
  • 32
  • 197
  • 329

3 Answers3

10
  1. Start -> Administrative Tools -> Terminal Services -> Terminal Services Configuration
  2. Right click RDP-Tcp and choose Properties
  3. "Security Layer" defaults to "Negotiate" and must be changed to "SSL (TLS 1.0)"
  4. "Encryption Level" must be set to "High" or "FIPS Compliant"

Reference: http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

edit: The Microsoft Technet article indicates that TLS cannot be enabled via Group Policy. However, I have done some experimentation with Process Monitor and Regedit and have determined that you can change these settings by setting the appropriate registry values, as follows.

To set Minimum Encryption Level to "High" instead of "Client Compatible":

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel REG_DWORD Value: 3

To set Security Layer to "SSL (TLS 1.0)" instead of "Negotiate":

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer
REG_DWORD Value: 2

Skyhawk
  • 14,200
  • 4
  • 53
  • 95
1

To test your scenario, here is what I did:

  • I have Windows Server 2008 R2 DC
  • Installed Roles -> Active Directory Certificate Services, Active Directory Domain Services, Remote Desktop Services -> Remote Desktop Web Access, Web Server (IIS). Since this is my only DC, I have DNS Server and DHCP Server installed as well
  • Installed Server Authentication Certificate on my IIS Web site, it also hosts RDWeb application
  • Change Authentication on RDWeb from Anonymous to Windows Authentication
  • accessed the Web site from the server itself, URL: https://localhost/rdweb. Works fine
  • From my client (which is Windows Server 2008 R2), tried accessing URL: https://fqdn/rdweb works. Also, tried URL: https://server_name/rdweb.. works.

NOTE: we are still not sure if it's using TLS 1.0

Now, to force RDWeb to work on TLS only:

  1. Open Regedit
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Create a new Binary Value and name it SSLCertificateSHA1Hash
  4. Copy the thumbprint from the SSL Certificate and add it as the value of SSLCertificateSHA1Hash

e.g.:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SSLCertificateSHA1Hash"="hex:‎23,91,fc,0e,95,ad,e9,3e,fa,df,3d,54,54,f0,99,dc,cd,70,5c,5c"

Now, accessed the website URL: https://fqdn/rdweb while tracing it using fiddler, we see all HTTPS connection with Cipher: 0x2F. Tried using the URL: https://server_name the same result.

According to https://www.rfc-editor.org/rfc/rfc5289,
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xC0,0x2F};

Also, check this RDP with custom certificate in Windows 7? (No tsconfig.msc or Group Policy setting)

For WMI, you can check the article Win32_TSGeneralSetting Class

Community
  • 1
Vivek Kumbhar
  • 3,073
  • 1
  • 18
  • 13
0

Have you confirmed with a packet capture that the client is not negotiating a TLS connection? That is the only way I know to definitively verify it is working as expected.

Greg Askew
  • 35,880
  • 5
  • 54
  • 82