Changes to Terminal Service Security Related Group Policy Settings in Windows Vista and Longhorn Server
Ask anyone in Redmond, and they will tell you that Microsoft’s primary emphasis in creating Windows Vista and Longhorn Server was to tighten security. One of the ways that Microsoft has accomplished this is by creating additional group policy settings beyond those that previously existed. Windows Server 2003 running Service Pack 1 offered about 1700 different group policy settings that you could use to lock down client operating systems. In contrast, Windows Vista and Longhorn Server contain about 2400 group policy settings. One of the areas that has received the most attention in regards to these new group policy settings is the Terminal Services. In this article, I will discuss the Terminal Service security related group policy settings found in Windows Vista and Longhorn Server.
If you stop and think about it, it is kind of ironic that the main purpose of group policies is to provide security, and yet there are only three group policy settings in Windows Server 2003 that are specifically related to terminal service security, while there are dozens of other group policy settings used to regulate other aspects of Terminal Service sessions.
To see what I mean, open the Group Policy Object Editor in Windows 2003 and navigate through the console tree to Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Encryption and Security. As you can see in Figure A, the Encryption and Security container contains only two group policy settings. There is also a sub-container named RPC Security Policy beneath the Encryption and Security container, and it contains a single group policy setting.
Figure A: Windows Server 2003 only offers three group policy settings that are specifically related to Terminal Service security
In contrast, Windows Vista and Longhorn Server contain seven group policy settings related to Terminal Service security. As you can see in Figure B, the path to the Terminal Service security related group policy settings has changed slightly. The Encryption and Security container has been renamed to Security.
Figure B: Windows Vista and Longhorn Server contain seven group policy settings related to Terminal Service security
Always Prompt Client for Password Upon Connection
The Always Prompt Client for Password Upon Connection group policy setting exists in both Windows Server 2003 and in Windows Vista and Longhorn Server. As such, this group policy setting works with Windows XP and Windows Server 2003, as well as Longhorn and Vista. This group policy setting is designed to prevent clients from automatically establishing a Terminal Service session.
Under normal circumstances, a client can establish a Terminal Service session by entering a password into a remote desktop client. This password is then used to authenticate the user and establish the session. The problem is that the terminal server has no way of knowing whether the user actually entered the password or whether it was supplied automatically by a single sign-on process. If you would like a little bit more security, you can enable this group policy setting, which requires users to manually enter their Terminal Service password when the session is connected.
Set Client Connection Encryption Level
This group policy setting allows you to require that a specific level of encryption be used by Terminal Service sessions. Again, this group policy setting is a leftover from Windows Server 2003, so it will work with Windows XP, Server 2003, Vista, and Longhorn Server.
If you enable the Set Client Connection Encryption Level group policy setting, you will be asked to select the desired level of encryption. Windows gives you three choices: High, Low, or Client Compatible.
The High Encryption option uses 128 bit encryption for traffic between network clients and the terminal server. If you were to set the encryption level to Low, then the encryption strength would be reduced to 56 bit.
The Client Compatible option is designed to give you the best of both worlds. Ideally, you probably want to use the high encryption option, but high encryption is not an option for you if you have clients on your network that do not support 128 bit encryption. If you do have clients that do not support 128 bit encryption, you could require low encryption, but then even clients that could perform 128 bit encryption will only use 56 bit encryption. Setting the encryption level to Client Compatible sets the encryption strength according to each client’s individual capabilities.
Secure Server (Require Security)
Windows Server 2003 introduced a group policy setting named Secure Server (Require Security). In Windows Vista and Longhorn Server, this setting has been renamed to Require Secure RPC Communication. In spite of its new name though, this setting continues to be backward compatible with Windows Server 2003. Because this is a server level setting, compatibility with Windows XP is not an issue.
The basic idea behind this group policy setting is that you can strengthen security by requiring secure RPC communications. This means that if you enable this setting, then the Terminal Services will only accept requests from clients that support secure RPC requests.
Server Authentication Certificate Template
The Server Authentication Certificate Template setting is new to Longhorn Server and Windows Vista, and is therefore not backward compatible with Windows XP and Windows Server 2003. This policy setting lets you enter the name of the template that is used to determine which certificate is used to authenticate the Terminal Server when using SSL or TLS 1.0 encryption.
Entering the name of a template allows automatic certificate selection to occur. Once a template name has been entered, then certificates that were created using that template are considered, and one of the eligible certificates is automatically selected for use. Of course automatic certificate selection is unnecessary if a certificate has been manually assigned.
In case you are wondering, if multiple certificates match the template, then Windows makes a selection based on the certificate’s expiration date (longer validity periods take precedence over shorter ones) and on the server name that is bound to the certificate. If no certificate is found, then the server will issue an enrollment request in an effort to obtain a certificate.
Require the Use of Specific Security Layer for Remote RDP Connections
In spite of its rather cryptic name, the Require the Use of Specific Security Layer for Remote RDP Connections setting essentially allows you to choose the type of encryption that will be used during RDP sessions. If you enable this setting, then you have three choices: RDP, SSL, or Negotiate.
The RDP option uses the native RDP encryption, while the SSL option uses SSL (TLS 1.0) encryption. The Negotiate option checks whether TLS 1.0 is supported by the client. If so, then TLS 1.0 encryption is used; if not, then RDP encryption is used.
This is another setting that is new to Windows Vista and Longhorn Server, and therefore only works on clients running Windows Vista.
Do Not Allow Local Administrators to Customize Permissions
The preferred method of managing user access to a terminal server involves adding users to the Remote Desktop Users group. Even so, permissions can also be granted through the Terminal Services Configuration Tool. If you are interested in making sure that terminal service permissions are managed in a consistent manner, then you can enable the Do Not Allow Administrators to Customize Permissions setting. Doing so grays out the security descriptors in the Terminal Service Configuration Tool.
This setting is new to Longhorn Server and Windows Vista, and is not backward compatible with Windows Server 2003 or Windows XP.
Require User Authentication Using RDP 6.0 for Remote Connections
As the name implies, this setting allows you to require that users authenticate with the terminal server using RDP 6.0. The advantage of doing so is that when the RDP 6.0 protocol is in use, then authentication occurs earlier in the connection process. The most important thing to know about this setting is that it only works with Windows Vista and Longhorn Server. If you enable this setting, then clients using Windows XP or Windows Server 2003 will be unable to connect to the terminal server.
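As an added example (not from the article), the following PowerShell script audits the seven settings discussed above on a server: it reads the values that these policies write under the Terminal Services policy key, falls back to the RDP-Tcp listener key for the effective local value when no policy applies, decodes the enumerations, and flags settings that fall short of a hardened baseline. The value names are those of the TerminalServer.admx template; the polarity of fWritableTSCCPermissionsTAB (0 when the policy is enabled) is an assumption.

```powershell
# Policy key written by the Group Policy settings; listener key holds the effective local values
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is Not Configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$Enc   = @{ 1 = 'Low (56-bit)'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS' }
$Sec   = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$OnOff = { param($v) if ($v -eq 1) { 'Enabled' } else { 'Disabled' } }

# P = policy, N = registry value, D = decoder, Ok = hardened-baseline predicate
$Checks = @(
  @{ P='Always prompt client for password';     N='fPromptForPassword';          D=$OnOff;                      Ok={ param($v) $v -eq 1 } },
  @{ P='Client connection encryption level';    N='MinEncryptionLevel';          D={ param($v) $Enc[[int]$v] }; Ok={ param($v) $v -ge 3 } },
  @{ P='Require secure RPC communication';      N='fEncryptRPCTraffic';          D=$OnOff;                      Ok={ param($v) $v -eq 1 } },
  @{ P='Server authentication cert template';   N='CertTemplateName';            D={ param($v) "$v" };          Ok={ param($v) -not [string]::IsNullOrEmpty($v) } },
  # Negotiate (1) is accepted here; use -eq 2 to insist on TLS with no RDP fallback
  @{ P='Security layer for RDP connections';    N='SecurityLayer';               D={ param($v) $Sec[[int]$v] }; Ok={ param($v) $v -ge 1 } },
  # Assumption: 0 means the policy is enabled and the permissions tab is read-only
  @{ P='Local admins cannot customize perms';   N='fWritableTSCCPermissionsTAB'; D={ param($v) "raw=$v" };      Ok={ param($v) $v -eq 0 } },
  @{ P='Require RDP 6.0 user authentication';   N='UserAuthentication';          D=$OnOff;                      Ok={ param($v) $v -eq 1 } }
)

foreach ($c in $Checks) {
    $policy    = Get-RegValue $PolicyKey $c.N
    # A GPO value wins; otherwise report what the listener is actually configured with
    $effective = if ($null -ne $policy) { $policy } else { Get-RegValue $ListenerKey $c.N }
    $source    = if ($null -ne $policy) { 'GPO' } elseif ($null -ne $effective) { 'local' } else { 'n/a' }
    $status    = if ($null -eq $effective) { 'NOT CONFIGURED' } elseif (& $c.Ok $effective) { 'OK' } else { 'WEAK' }
    $decoded   = if ($null -eq $effective) { '-' } else { & $c.D $effective }
    '{0,-14} {1,-40} {2,-18} ({3})' -f $status, $c.P, $decoded, $source
}
```

Run it in an elevated PowerShell session on the terminal server; a WEAK line marks a setting that is configured but below the baseline, while NOT CONFIGURED means neither a policy nor a local listener value was found.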
In this article, I have explained that there are a number of Terminal Service related group policy object settings that were introduced in Windows Vista and Longhorn Server. I then went on to discuss those settings that were related to Terminal Service Security.