To use Network Level Authentication, you must meet the following requirements:
- The client computer must be using at least Remote Desktop Connection 6.0.
- The client computer must be using an operating system, such as Windows 7, Windows Vista, or Windows XP with Service Pack 3, that supports the Credential Security Support Provider (CredSSP) protocol.
- The RD Session Host server must be running Windows Server 2008 R2 or Windows Server 2008.
- On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
- Under Connections, right-click the name of the connection, and then click Properties.
- On the General tab, select the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.
- Clikc OK
To disable (Alternative method):
If you want, you can disable NLA by running tsconfig.msc on your 2008 R2 server, and deselecting the "Allow connection only from computers running Remote Desktop with Network Level Authentication" option under the RDP service.
To enable NLA in XP machines; first install XP SP3, then edit the registry settings on the XP client machine to allow NLA
- Click Start, click Run, type regedit, and then press ENTER.
- In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- In the details pane, right-click Security Packages, and then click Modify.
- In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
- In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
- In the details pane, right-click SecurityProviders, and then click Modify.
- In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
- Exit Registry Editor.
- Restart the computer.
RDP mechanisms supported on different Server OS versions
|
Server OS Version
| ||||
| Client OS |
| |||
| Windows XP SP2 and earlier |
| |||
| Windows XP SP3*, Windows Vista, Windows Vista SP1 |
|
Pure SSL/TLS is a standard mechanism that enables clients to authenticate to servers and provides a secure channel by encrypting communications. To use SSL/TLS, you must obtain certificates issued by a trusted Certificate Authority and configure them on each terminal server on which you want to have server authentication.
Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.
Solution :
- Force the use of SSL as a transport layer for this service if supported, or/and
- Select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.
Reference:
[1] http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx
[2] https://technet.microsoft.com/en-gb/library/cc732713.aspx
0 comments:
Post a Comment