Focus on Windows Server 2008 Terminal Services security issues

The biggest bright spot in Terminal Services for Windows Server 2008 (Terminal Services) is the increased overall security, one of the most commonly used remote access servers for administrators and users, and the security improvements are not surprising and welcome. In this article we will discuss how to make sure your Terminal Server (Terminal server) environment is more secure.

Using double factor validation

When we consider the network security, we need to do double factor verification.

At present, the main focus of different forms of dual-factor authentication, but the most common is the Terminal Services supported smart card. When using smart cards, users not only need to provide valid login credentials, but they must be able to provide smart cards to connect to the devices they use as remote terminals.

In order to obtain smart card authentication, you must create a Group Policy object that can be applied to a Terminal Server (Policy object). In the Group Policy object, browse Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options and enable interactive Logon:require Smart card settings. In addition, you will need to enable smart card relocation to the Terminal server, which can be checked by selecting the Smart card option in the local resources option of the Remote Desktop Connection client on the user's workgroup.

Perform network-level authentication for all clients

In the past, Terminal Services authentication was deployed on the server by connecting to a session on the server and entering the login credentials in the Windows Server logon screen. This may sound like a lot of trouble, but from a security standpoint, the ability to start the session login screen can expose information about the network (domain name, computer name, etc.) or possibly allow the server to be compromised by a denial of service attack, which comes primarily from the person who owns the server's public IP address.

Network Level Authentication (NLA) is a new feature in the Remote Desktop Connection client (Desktop Connection Client) version 6.0, which allows users to enter their logon credentials before displaying the Windows Server logon interface to the user. Windows Server 2008 enables us to take advantage of this feature and require all connection clients to use it.

To use NLA, you must use Windows 2008 Server, and your connection client must be able to support CredSSP (Windows XP SP3, Windows Vista, Windows 7), and run remote Desktop Connection 6.0 or later Remote Desktop Connection. You can also configure a Terminal server to require its clients to use NLA in several different locations:

During the initial Terminal Services role installation, when the Terminal Server screen displays the specified authentication method, select Allow connections only from computers running Remote Desktop and network Level Auth Entication (only allow connections that are sent by computers running network-level authenticated Remote Desktop) option.

In the Terminal Services Configuration MMC snap-in, right-click the Terminal server connection that your client uses, and then select Properties, select Allow connections only to computers running Remote Desktop with network Level Authentication Options

Create a Group Policy object to view Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\ Security location, enable require user authentication for remote connections by using Network Level Authentication ( Requires user authentication for remote connections using network-level authentication) settings.