Securing Remote Desktop Connection (TCP port 3389) with SSL encryption


Microsoft has built a program named "Remote Desktop" into its server operating systems. With it, a network administrator can control a company server at the far end of the network as if sitting at its console: run programs, remove software, and execute the same commands as on the local computer. Remote Desktop therefore greatly simplifies an administrator's work and has grown steadily more popular since its introduction. However, as networks have spread, enterprises have paid more and more attention to network security, and many administrators have found that operating servers through Windows Remote Desktop carries certain risks. The protection of the transmitted data is not strong enough: although part of the traffic is encrypted, an attacker can recover the information at little cost. Because of these shortcomings some administrators have turned to other remote control tools, such as Remote Administrator (Radmin) and pcAnywhere.

Microsoft pays close attention to the remote control software market. To raise the security of Remote Desktop and keep data from being stolen, it added certificate-based authentication for Remote Desktop to the latest service pack for Windows 2003, SP1. With this feature the remote session is carried inside an SSL (TLS) tunnel, which makes up for the original security defects of Remote Desktop.

Tip: if you run Windows 2003 without SP1, you cannot use SSL-encrypted Remote Desktop authentication. Companies are therefore advised to upgrade their servers to Windows 2003 + SP1 without delay.

I. Hands-on: how much connection information leaks without SSL?

How dangerous is a Remote Desktop session that does not use SSL to protect the transmitted information? Let us follow a senior network engineer and see what can actually be captured.

Lab environment:
The company server runs Windows Server with the SP4 patch pack on a 10 Mbit fibre uplink. The home computer runs Windows XP Professional + SP2 on a Beijing Netcom 512 kbit ADSL line. The Remote Desktop Connection client built into XP, which has no SSL option, is used from home to control the company server.

Sniffing process:
Step 1: Install the Sniffer packet-analysis tool on the home computer and select the local network card as the capture interface (Figure 1).
Tip: the sniffer does not have to run on the connecting computer itself; installed on any computer in the same subnet it captures the same data described below.
Step 2: Start capturing with "Capture -> Start" in the sniffer menu (the start arrow on the toolbar does the same).
Step 3: Start the XP Remote Desktop Connection program and connect to the company server.
Step 4: Log on to the server with the correct user name and password, reach the desktop, then log off.
Step 5: Back on the home computer, click "Capture -> Stop and Display" in the sniffer to stop capturing and show the results (Figure 2).

Step 6: Click the "Objects" tab on the left of the results window. If a broadband router shares the Internet connection among several computers, the server's IP address appears in the "Objects" list. If there is only one computer, connected through an ADSL modem, only the local NIC appears, because the modem performs the address translation and filtering. Select the local NIC or the server address and click the "Decode" tab below to analyse the packets (Figure 3).

Step 7: In the "Decode" view, read the destination addresses from the top. From about the 23rd packet onward the server's IP address appears; these are the packets that need careful analysis (Figure 4).

Step 8: In the 26th packet the user name "softer", entered at logon, can be read directly from the data pane (Figure 5).

Step 9: Packets 28 and 29 carry the password in encrypted form (Figures 6 and 7). We cannot read it directly, but an attacker who has captured it can attack the ciphertext offline; the work is slow, essentially a brute-force (exhaustive) search, but nothing prevents it.

Although Remote Desktop Connection traffic is not sent entirely in the clear like FTP and Telnet, a user name in plaintext and a password protected only by weak encryption are still a serious security risk, and the captured packets can be attacked and cracked. The legacy RDP security layer also has a weakness the sniffer does not show: the server's RSA key is delivered in a Microsoft proprietary certificate whose signing key is publicly documented, so the client cannot tell a genuine server from a man in the middle that relays the session and reads it in the clear. Remote Desktop security therefore has to be implemented thoroughly.
II. An impregnable wall: encryption and authentication with certificates:
First upgrade the server to Windows 2003 and install Service Pack 1 through Windows Update or from the Microsoft web site: only Windows 2003 with SP1 offers SSL-protected Remote Desktop. All of the following operations are performed on the server; clients can connect through the Remote Desktop program only after the server has been configured for SSL authentication.
1. Install the Certificate Service:
Step 1: Certificate Services is not installed by default on Windows 2003. Install "Certificate Services" through Add/Remove Windows Components in Control Panel (Figure 8).

Step 2: For the CA type select "Stand-alone root CA" and click "Next" (Figure 9).

Step 3: In the CA identifying information window, give the CA a common name, Softer in this example. The distinguished name suffix can be left blank and the validity period left at its 5-year default (Figure 10).

Step 4: Keep the defaults in the certificate database settings window; only with the default directory (Windows\system32\CertLog) does the system automatically file and find records by certificate type. Click "Next" (Figure 11).

Step 5: Once the parameters are set, component installation begins; during installation you are prompted for the Windows 2003 installation CD (Figure 12).

Step 6: Insert the CD and point the installer at the system files to continue. At the end of the installation the system asks whether to enable Active Server Pages in IIS for Certificate Services; web enrollment does not work without ASP, so select "Yes" (Figure 13).

Step 7: The Certificate Services Windows component is now installed (Figure 14).

If the IIS component is not yet installed on Windows 2003, install it the same way through Add/Remove Windows Components.
2. Set Certificate Services parameters:
The CA's default request-handling policy does not suit our purpose, so it needs to be changed.
Step 1: Open Start > Programs > Administrative Tools > Certification Authority (Figure 15).

Step 2: If no CA is shown in the Certification Authority console, connect to the local computer through the File menu (Figure 16).

Step 3: Right-click the CA, softer, and select "Properties"; then open the "Policy Module" tab, which has a "Properties" button (Figure 17).

Step 4: Click the Properties button and, on the Request Handling tab, change the default to "Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate" (Figure 18). Note: a stand-alone CA defaults to "Set the certificate request status to pending", and the request and issue steps below are written for that setting, in which the administrator issues each request by hand. With automatic issuance the certificate is issued as soon as it is requested and the separate "issue" step is not needed.

3. Apply for a certificate
With IIS running, a certificate can be requested through the web enrollment pages.
Step 1: Open IE and browse to http://ip/certsrv/, replacing ip with the server's IP address. If IIS works and Certificate Services is correctly installed, the Microsoft Certificate Services welcome page appears (Figure 19).

Step 2: Select "Request a certificate" on the page.
Step 3: On the request page select "Advanced certificate request" (Figure 20).

Step 4: On the advanced request page select "Create and submit a request to this CA" (Figure 21).

Step 5: Several items on the advanced request form must be changed. First the Name: it becomes the certificate's subject and must match the name clients type into Remote Desktop Connection. In this article clients connect by address, so enter the server's IP address.
Tip: if any other value is entered here, the name on the certificate will not match the server name when SSL authentication is configured and clients will refuse the connection.
Step 6: The e-mail, company, department and locality fields can be filled in freely.
Step 7: For the type of certificate needed select "Server Authentication Certificate".
Step 8: Under key options select "Create new key set".
Step 9: Set Key Usage to "Exchange".
Step 10: At the bottom tick "Mark keys as exportable" and "Store certificate in the local computer certificate store". The request form is now complete (Figure 22).

Step 11: After you submit the request IE shows a "Potential Scripting Violation" warning; simply answer "Yes" (Figure 23).

Step 12: The request is then reported as pending: it has been received, and you must wait for the administrator to issue the certificate. The Request ID is displayed (Figure 24).

The request is complete. Next the requested certificate has to be issued; it can be used only after issuance.
4. Issue the certificate:
The following describes how to issue the certificate just requested.
Step 1: Open Start > Programs > Administrative Tools > Certification Authority.
Step 2: Under Pending Requests of the local CA, softer, you will see the request with Request ID 2, which is the one just submitted.
Step 3: Right-click the request and choose "All Tasks" > "Issue". Once issued, the certificate is ready for use (Figure 25).

5. Install the certificate:
The CA has issued the certificate. Next install it on the server; only with the certificate in place can the Remote Desktop traffic be protected.
Step 1: Open IE and browse to http://ip/certsrv/ again (ip being the server's IP address); the Microsoft Certificate Services page appears.
Step 2: Select "View the status of a pending certificate request"; the earlier "Server Authentication Certificate" request is listed (Figure 26).

Step 3: Click "Server Authentication Certificate"; the page reports that the certificate has been issued. Click "Install this certificate" (Figure 27).

Step 4: Answer "Yes" to the "Potential Scripting Violation" prompt; the certificate is installed on the server automatically (Figure 28).

Step 5: When installation completes the page reports "Certificate Installed" (Figure 29).

Summary: This part explained the security risks of Remote Desktop Connection and covered the first stages of taking Remote Desktop security to the end: installing Certificate Services, configuring the CA, and requesting, issuing and installing a certificate. There is more to it than that; in the second part I cover the encryption settings for Remote Desktop on the server, installing the certificate on the client, and installing the SSL-capable Remote Desktop client program.

I. Server Remote Desktop settings:
By default Remote Desktop does not use SSL authentication, even once a certificate has been requested and installed; the connection has to be configured for it.
Step 1: Open Terminal Services Configuration (tscc.msc) through Start -> Programs -> Administrative Tools -> Terminal Services Configuration (Figure 1).

Step 2: In the Terminal Services Configuration window click "Terminal Services Configuration" -> "Connections". The RDP-Tcp connection appears in the right pane; right-click it and choose "Properties" (Figure 2).

Step 3: On the General tab click "Edit" next to Certificate. In the window that opens, locate and select the certificate installed in the first part (its name is the server's IP address entered when it was requested) (Figure 3).

Step 4: Still on the General tab set the Security layer to "SSL" and the Encryption level to "High", then confirm. The server side of Remote Desktop is now configured (Figure 4). Note: with the security layer fixed at "SSL" only clients able to speak TLS (Remote Desktop Connection 5.2 or later, described below) can connect. The "Negotiate" setting lets older clients fall back to the legacy RDP security layer, but those sessions then have none of the protection this article is about.

II. Install the certificate on the client:
Since the server now uses a certificate for SSL authentication, each client must also trust that certificate; without it Remote Desktop access fails. Strictly speaking, what the client has to trust is the CA that issued the server certificate: the Softer root CA's certificate must be in the client's Trusted Root Certification Authorities store, which is exactly what method 2 below installs. Installing only the server's own certificate does not by itself make the certificate chain trusted unless that certificate is a self-signed root. There are two ways to obtain the certificate; each is described in turn.
1. Export the certificate from the TS server:
Step 1: Choose Run on the Start menu, enter mmc and start the MMC console (Figure 5).

Step 2: In the console choose "File -> Add/Remove Snap-in" to load the Certificates snap-in (Figure 6).

Step 3: Find the Certificates snap-in in the list of available standalone snap-ins and click "Add" (Figure 7).

Step 4: Select "Computer account" and click "Next" (Figure 8).

Step 5: Select "Local computer" in the Select Computer window and finish (Figure 9).

Step 6: Back in the console expand Console Root > Certificates (Local Computer) > Personal > Certificates; the right pane lists every certificate installed on the server. Locate the one used for the SSL connection (Figure 10).

Step 7: Right-click the certificate and select "Open"; on the Details tab click "Copy to File" (Figure 11).

Step 8: The Certificate Export Wizard opens; click "Next" (Figure 12).

Step 9: For the private key select "No, do not export the private key" (Figure 13).

Step 10: For the file format select "DER encoded binary X.509 (.CER)" (Figure 14).

Step 11: Choose where to save the exported file, usually the desktop (Figure 15).

Step 12: Finish the wizard and the certificate file is saved (Figure 16).

Step 13: Copy the certificate file to the other computers; every client that will connect to the server through Remote Desktop needs to install it.
Step 14: Double-click the certificate file; the "General" tab has an "Install Certificate" button (Figure 17).

Step 15: Click "Install Certificate" to start the Certificate Import Wizard, select "Automatically select the certificate store based on the type of certificate" and click "Next" (Figure 18).

Step 16: Complete the import (Figure 19).

2. Install the certificate from the Certificate Services web page:
There is a second way to install the certificate on the client.
Step 1: Open a browser on the client and go to http://ip/certsrv/ (ip being the server's IP address); the Certificate Services page appears (Figure 20).

Step 2: Select "Download a CA certificate, certificate chain, or CRL" and click "Install this CA certificate chain" (Figure 21).

Step 3: The CA certificate is installed automatically and a confirmation is shown when it is done (Figure 22).

Once the certificate is installed, the client can reach the remote server through the SSL-encrypted Remote Desktop Connection.
III. The client program must be up to date:
Anyone eager to control a remote server in SSL mode will hit a snag: the Remote Desktop client shipped with XP and 2000 has nowhere to set a security mode. SSL is a new feature of 2003 SP1, and using it requires a newer Remote Desktop Connection program.
1. Windows 2003 systems:
The Remote Desktop Connection program in 2003 has a Security tab through which SSL mode can be set directly.
2. Other systems:
Other systems need the new Remote Desktop Connection program, which is on the Windows 2003 CD under \support\tools (drive I: in this example). The installer is msrdpcli.exe (Figure 23); run it directly to install (Figure 24).


3. Using the new version of the program:
After installing the new Remote Desktop program, configure it to use SSL when connecting to the server.
Step 1: Start the new Remote Desktop Connection program.
Step 2: A new "Security" tab appears (Figure 25).

Step 3: On the "Security" tab set the authentication option to "Require authentication" (Figure 26).

Step 4: Click "Connect"; the connection to the SSL-configured server is now protected.
Tips: the Security tab offers three options: "No authentication" (connect in the traditional way), "Attempt authentication" (try an SSL-authenticated connection first and fall back to the traditional mode if it fails) and "Require authentication" (connect only with SSL and give up if that fails). Only "Require authentication" guarantees that a session is never silently downgraded to the legacy security layer.
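The three client options above, and the server's "Security layer" setting, are decided in the very first exchange of an RDP connection. The script below is an added example, not part of the original article: it builds the client's X.224 Connection Request with the RDP negotiation request defined in MS-RDPBCGR and parses the server's Connection Confirm, so a single probe shows whether a server will accept only SSL/TLS, only the legacy RDP security layer (the sniffable case of part I), or both. Per MS-RDPBCGR this in-band negotiation belongs to RDP 6.0 (Vista/2008) and later; a Windows Server 2003 SP1 server uses the "direct approach", answering with a Connection Confirm that carries no negotiation block, after which the client simply starts TLS. The script reports that case as well. The sample responses are constructed by hand, and the address in the usage line is a placeholder.

```python
"""Probe which security layer an RDP server offers, via the X.224 negotiation of MS-RDPBCGR.

Added example. Byte layouts follow MS-RDPBCGR 2.2.1.1 (Connection Request) and 2.2.1.2
(Connection Confirm); SAMPLE_CONFIRMS are hand-constructed for offline use, not captures.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy RDP security layer only
PROTOCOL_SSL = 0x00000001     # TLS, the "SSL" security layer of the Terminal Services UI
PROTOCOL_HYBRID = 0x00000002  # CredSSP (Network Level Authentication)

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",    # what an old client runs into (fault 1 below)
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",    # security layer SSL chosen but no certificate bound
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

def build_connection_request(requested_protocols, cookie=None):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ block."""
    body = b""
    if cookie:  # optional routing cookie; note that it travels in the clear
        body += b"Cookie: mstshash=" + cookie.encode("ascii") + b"\r\n"
    body += struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0x00, 8, requested_protocols)
    # LI counts every byte after itself: CR code(1) + DST-REF(2) + SRC-REF(2) + class(1) + body
    x224 = struct.pack(">BBHHB", 6 + len(body), 0xE0, 0, 0, 0) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_connection_confirm(data):
    """Decode the server's answer: selected protocol, failure code, or no negotiation."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    li = data[4]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]
    if not neg:
        # RDP 5.x server (e.g. Windows Server 2003 SP1) returns no negotiation block; the
        # client alone decides whether to start TLS now (MS-RDPBCGR "direct approach").
        return {"negotiated": False, "selected": None, "failure": None}
    typ, _flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("bad negotiation block length %d" % length)
    if typ == TYPE_RDP_NEG_RSP:
        return {"negotiated": True, "selected": value, "failure": None}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"negotiated": True, "selected": None,
                "failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % typ)

def describe(result):
    """One-line verdict for an operator."""
    if result["failure"]:
        return "refused: " + result["failure"]
    if not result["negotiated"]:
        return "no negotiation (pre-RDP 6.0 server); try TLS directly after this confirm"
    if result["selected"] == PROTOCOL_RDP:
        return "legacy RDP security layer only (sniffable as in part I)"
    names = [n for bit, n in ((PROTOCOL_SSL, "TLS"), (PROTOCOL_HYBRID, "CredSSP"))
             if result["selected"] & bit]
    return "server selected " + "+".join(names)

# Constructed server answers (not captures) so the parser can be exercised offline.
SAMPLE_CONFIRMS = {
    "tls":            bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00"),
    "legacy_only":    bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00"),
    "ssl_required":   bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 01 00 00 00"),
    "no_negotiation": bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00"),
}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe(host, port=3389, requested=PROTOCOL_SSL | PROTOCOL_HYBRID, timeout=5.0):
    """Send one Connection Request to a live server and parse its Connection Confirm."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested))
        head = _recv_exact(sock, 4)
        rest = _recv_exact(sock, struct.unpack(">H", head[2:4])[0] - 4)
    return parse_connection_confirm(head + rest)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g.: python rdp_neg_probe.py 192.0.2.10  (placeholder address)
        print(sys.argv[1], "->", describe(probe(sys.argv[1])))
    else:
        for label, raw in SAMPLE_CONFIRMS.items():
            print("%-15s %s" % (label, describe(parse_connection_confirm(raw))))
```

Run without arguments it walks the constructed answers; with a host argument it sends one request to port 3389 and reads back what the server will accept. A server that answers "legacy RDP security layer only" is in the state the first part of this article sniffed; one that answers "refused: SSL_REQUIRED_BY_SERVER" is configured as the second part recommends.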
IV. Common faults:
SSL-protected Remote Desktop differs from the traditional kind, and a few problems recur in practice. The most typical are summarised here.
1. The client cannot connect to the remote computer:
Connecting to a server configured for SSL with an old Remote Desktop Connection program gives "cannot establish a connection with the remote computer". Upgrade the client to the new version (Figure 27).

2. The remote computer requires authentication before connecting:
If the new client is installed but the "Security" tab was left at its default, the message "the remote computer requires authentication before connecting" appears; set the authentication option to "Require authentication" or "Attempt authentication" (Figure 28).

3. An error occurred while verifying the remote computer's certificate:
If SSL is configured on the server but the client trusts the wrong certificate, or the certificate was requested with a name other than the address clients connect to, the message "an error occurred while verifying the remote computer's certificate: the name on the certificate is wrong" appears. Request a new certificate whose Name field is the server's IP address (or whatever name clients actually type), install it on the server, and install the CA certificate on the clients (Figure 29).
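Fault 3 comes from the client comparing the name it was asked to connect to with the name in the server's certificate. The function below is an added example, not from the original article, that performs that comparison on a certificate dict of the shape Python's ssl.SSLSocket.getpeercert() returns; the three certificates in it are constructed by hand. It shows why the article's advice works (clients connect by IP address and the certificate's name is that IP address) and when it breaks (the same certificate presented to a client that connected by host name). It also covers the behaviour of newer clients: when a certificate carries a subjectAltName extension the common name is ignored and only the SAN entries count, so a server reached by both IP and DNS name should list both there.

```python
"""Check whether a server certificate's name matches the name the client connected to.

Added example; the certificate dicts use the layout of ssl.SSLSocket.getpeercert()
and are constructed here, not captured from a real server.
"""
import ipaddress

def _cert_names(cert):
    """Split a getpeercert()-style dict into (SAN DNS names, SAN IPs, common name)."""
    san_dns, san_ip = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            san_dns.append(value)
        elif kind == "IP Address":
            san_ip.append(ipaddress.ip_address(value))
    common_name = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    return san_dns, san_ip, common_name

def _dns_match(pattern, host):
    """Case-insensitive DNS match; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def cert_matches_name(cert, connect_name):
    """True if the name the client typed is covered by the certificate."""
    san_dns, san_ip, common_name = _cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(connect_name)
    except ValueError:
        wanted_ip = None  # the client connected by host name, not by address

    if san_dns or san_ip:
        # SAN present: modern clients check only the SAN entries (RFC 6125 behaviour).
        if wanted_ip is not None:
            return wanted_ip in san_ip
        return any(_dns_match(p, connect_name) for p in san_dns)

    # No SAN: fall back to the common name, as 2003-era clients did.
    if common_name is None:
        return False
    if wanted_ip is not None:
        try:
            return ipaddress.ip_address(common_name) == wanted_ip
        except ValueError:
            return False  # CN is a host name but the client connected by IP address
    return _dns_match(common_name, connect_name)

# Constructed certificates. CERT_CN_IS_IP mirrors the article: Name field = server IP.
CERT_CN_IS_IP = {"subject": ((("commonName", "192.168.1.2"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "ts01.corp.example"),),),
    "subjectAltName": (("DNS", "ts01.corp.example"), ("IP Address", "192.168.1.2")),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.corp.example"),)}

def check_connection_names():
    """Evaluate (certificate, name typed by the client) pairs; returns (label, ok) tuples."""
    cases = [
        ("cn-ip / connect by IP", CERT_CN_IS_IP, "192.168.1.2"),
        ("cn-ip / connect by name", CERT_CN_IS_IP, "ts01.corp.example"),  # the article's fault 3
        ("san / connect by name", CERT_WITH_SAN, "TS01.corp.example"),
        ("san / connect by IP", CERT_WITH_SAN, "192.168.1.2"),
        ("san / other IP", CERT_WITH_SAN, "192.168.1.3"),
        ("wildcard / one label", CERT_WILDCARD, "ts01.corp.example"),
        ("wildcard / bare domain", CERT_WILDCARD, "corp.example"),
    ]
    return [(label, cert_matches_name(cert, name)) for label, cert, name in cases]

if __name__ == "__main__":
    for label, ok in check_connection_names():
        print("%-26s %s" % (label, "OK" if ok else "NAME MISMATCH"))
```

The second case is exactly fault 3: a certificate whose only name is 192.168.1.2 is rejected the moment a user connects to the same server by host name. Issuing the certificate with both the DNS name and the IP address in subjectAltName, as the constructed CERT_WITH_SAN does, avoids the problem for either way of connecting.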

Summary: once the client connects in SSL mode, everything exchanged with the server is encrypted; a sniffer now captures only TLS ciphertext, and because the client checks the server's certificate the session cannot be silently relayed by an attacker in the middle. Remote Desktop security has been taken to the end. The connection bar of the remote session also shows the SSL padlock icon (Figure 30).


