Windows Server 2003 SP1 introduces a new feature to the mix, RDP over SSL. This feature will allow you to use TLS authentication and encryption with your RDP connections. It still uses RDP and TCP port 3389 so your firewall rules should not need to be modified.
Before we get started, there are a few prerequisites on both the server side and the client side that need to be met.
Server-side
- The TS must run 2003 SP1
- The TS must have a certificate from a Windows CA or a 3rd Party CA
The certificate must meet the following criteria:
- Certificate is a computer certificate
- Certificate is for server authentication
- Certificate must have a private key
- Certificate is stored in the TS personal store
- Certificate has a Cryptographic Service Provider that can be used for TLS/SSL
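The server-side certificate criteria above can be checked from a script before the certificate is selected in Terminal Services Configuration. The following is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later is installed on the terminal server and that it is run from an elevated prompt.

```powershell
# Added example: audit the computer's Personal store against the criteria above.
# Assumption: Windows PowerShell 2.0 or later, run elevated on the terminal server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

# Cert:\LocalMachine\My is the computer (not user) Personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Look for an explicit Server Authentication entry in the EKU extension.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = $false
    if ($ekuExt) {
        $hits = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        $serverAuth = ($hits.Count -gt 0)
    }

    # Report the CSP that holds the private key so it can be reviewed by hand.
    $provider = $null
    if ($cert.HasPrivateKey) {
        try {
            $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
        } catch {
            $provider = '(private key not readable: ' + $_.Exception.Message + ')'
        }
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $serverAuth
        Provider      = $provider
        NotAfter      = $cert.NotAfter
    }
} | Select-Object Subject, Thumbprint, HasPrivateKey, ServerAuthEku, Provider, NotAfter |
    Format-List
```

A certificate that shows `HasPrivateKey` or `ServerAuthEku` as `False` does not meet the criteria listed above; the `Provider` value is printed for review rather than judged by the script.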
Client-side criteria
- Must run Windows 2000, Windows XP, Windows 2003 or Windows Vista
- Must use RDP Client 5.2 or higher; this can be found on the 2003 SP1 server under %systemroot%\system32\tsclient\win32\msrdpcli.msi
- Must trust the root CA for the certificate
Once the SSL cert is installed, open Terminal Services Configuration, right-click the RDP-Tcp connection and select Properties.
Click Edit next to the Certificate box on the General tab. Select the SSL certificate you would like to use and click OK.
Now, back at the RDP-Tcp Properties page, change the Security Layer to SSL.

With that in place, launch a new RDP session from another 2003 SP1 machine. You will notice that there is a new tab on the Remote Desktop Connection called Security. The Security tab allows us to specify one of three levels of authentication: No authentication, which connects the "old fashioned" way; Attempt authentication, which tries to connect via SSL and, if that fails, falls back to no authentication; and Require authentication. With Require authentication, if it cannot connect via RDP over SSL, the connection will fail.
Click Connect and you will be prompted to accept the certificate. Click Yes to accept the certificate and connect to the Terminal Server.
