Guide for Secure communication between client and TS


Goku 316

We have 2 TS farms both containing 2003 sp2 servers.
For the general part the clients are outsiders with windows xp and higher.
Also Mac clients are connected with the old and new rdp software from
mactopia website.

Worried about secure communication between the server and the clients. Want
to avoid DoS attacks, dictionary password cracking as well as man in the
middle scenarios.

As it stands the Encryption level (in RDP-TCP properties) is set to “Client
Compatible”.
Will setting the encryption level to high be enough to be safe? It is 128
bit encryption.

(I am aware of the SSL cert setup but trying to avoid this since the clients
are all outsiders and applying the cert to each computer is a killer.)

Thanks in advance.

--
Goku 316
 
Re: Guide for Secure communication between client and TS

> Worried about secure communication between the server and the clients. Want
> to avoid DoS attacks, dictionary password cracking as well as man in the
> middle scenarios.


MITM attacks can only be prevented by the SSL/TLS mode. Native RDP
encryption modes are vulnerable to MITM.

> As it stands the Encryption level (in RDP-TCP properties) is set to “Client
> Compatible”.
> Will setting the encryption level to high be enough to be safe? It is 128
> bit encryption.


You need to set "High" or "FIPS". But I'm not sure if Mac clients
support FIPS.

> (I am aware of the SSL cert setup but trying to avoid this since the clients
> are all outsiders and applying the cert to each computer is a killer.)


Actually, SSL/TLS is the safest mode.

--
Sincerely,
Eugene Sukhodolin
CTO, TSFactory Inc.
http://www.tsfactory.com
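
An added example, not part of any post in this thread: a small audit of the two listener settings discussed above, the encryption level and the SSL/TLS security layer, run over the output of `reg query` on the RDP-Tcp key of each farm server. The registry value names `MinEncryptionLevel` and `SecurityLayer` are not mentioned in the thread; they are the values behind the RDP-Tcp properties dialog, and the sample outputs are constructed.

```python
import re

# Registry values behind the "RDP-Tcp Properties" dialog, under
# HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
ENCRYPTION_LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
_DWORD = re.compile(r"^\s*(\w+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Constructed sample outputs of `reg query` on that key (not from a real server).
SAMPLE_WEAK = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x2
    SecurityLayer    REG_DWORD    0x0
"""
SAMPLE_HARDENED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    MinEncryptionLevel    REG_DWORD    0x3
    SecurityLayer    REG_DWORD    0x2
"""

def parse_reg_query(text):
    """Return {value_name: int} for every REG_DWORD line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _DWORD.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit_listener(text):
    """Findings for one server; empty means High/FIPS with SSL/TLS enforced."""
    v = parse_reg_query(text)
    findings = []
    level = v.get("MinEncryptionLevel")
    if level is None:
        findings.append("MinEncryptionLevel not found in output")
    elif level < 3:
        name = ENCRYPTION_LEVELS.get(level, str(level))
        findings.append(f"encryption level is {name}; set High or FIPS")
    layer = v.get("SecurityLayer")
    if layer is None:
        findings.append("SecurityLayer not found in output")
    elif layer == 0:
        findings.append("RDP Security Layer: server is not authenticated, MITM possible")
    elif layer == 1:
        findings.append("Negotiate: clients without TLS fall back to native RDP security")
    return findings

if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_listener(sample))
```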
 
Re: Guide for Secure communication between client and TS

Thank you for your response!

My question then is that if I get a cert from Verisign will the client
automatically get the cert installed since Verisign Root certs are shipped
with almost all operating systems?

The clients all work from home so that is why I am asking. We will have to
guide 100+ clients on how to preinstall the cert if needed. However with a
Verisign cert it may make it easier.

I am applying the same principle as I did with the SSL setup with outlook
web access.
Our consultant gave us a cert from another non famous dealer but it was
hell. I obtained one from Verisign and it was a smooth setup.

I really appreciate your prompt response.

--
Goku 316


 
Re: Guide for Secure communication between client and TS

If you get a certificate from a well-known CA such as Verisign then there is
a 99.9% chance that you don't have to install the certificate manually on
the clients. If you have configured your Outlook Web Access then the process
is very similar (in fact you may use the same certificate if you want to Remote
Desktop to the same server).

 