WS2008: Network Level Authentication and Encryption | Ask …

Welcome to Day Sixteen. We're continuing on with our series on Windows Server 2008 in preparation for the launch. Today, we're going to look at Terminal Server security in Windows Server 2008, specifically Network Level Authentication and encryption.

Terminal Server security can be enhanced by authenticating the user earlier in the connection process, when a client first connects to a Terminal Server. This early user authentication method is referred to as Network Level Authentication. It is a new authentication method that completes user authentication before a Remote Desktop connection is established and before the logon screen appears. Because an unauthenticated client never reaches the server's logon screen, this method can help protect the remote computer from malicious users and malicious software. The advantages of Network Level Authentication are:

There are specific requirements to use Network Level Authentication:

The Terminal Server can be configured to only support connections from clients running Network Level Authentication. This setting can be configured in a couple of different ways:

To determine whether a system is running a version of the Remote Desktop Connection software that supports Network Level Authentication, start the Remote Desktop Connection client, click the icon in the upper-left corner of the Remote Desktop Connection dialog box and click About. Look for the phrase "Network Level Authentication" in the About window, as shown below.

By default, Terminal Services sessions use native Remote Desktop Protocol (RDP) encryption. However, RDP encryption does not provide server authentication, so the client has no way to verify the identity of the Terminal Server it is talking to. You can enhance the security of Terminal Services sessions by using Transport Layer Security (TLS) 1.0 both to authenticate the server and to encrypt Terminal Server communications. Both the Terminal Server and the client must be configured correctly for TLS to provide this enhanced security. The three available security layers are outlined in the table below:

When SSL (TLS 1.0) is used to secure communications between a client and a Terminal Server, a server certificate is needed. You can select a certificate that is already installed on the Terminal Server, or you can use the default self-signed certificate (note that a self-signed certificate is not trusted by clients unless it has been distributed to them, so it provides encryption but not meaningful server authentication).

For Terminal Services connections, data encryption protects data by encrypting it on the communications link. By default, Terminal Services connections are encrypted at the highest available level of security, 128-bit. However, some older versions of the Terminal Services client do not support this level of encryption. The encryption level of the connection can be configured to send and receive data at a lower level in order to support such legacy clients. There are four configuration options, as outlined below:

These encryption levels are stored in the MinEncryptionLevel value under the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. There are four possible values for MinEncryptionLevel, which correspond to the settings in the table above:
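The following PowerShell script is an added example and is not part of the original post. It audits the three settings discussed above (the Network Level Authentication requirement, the security layer, and the MinEncryptionLevel value) for the RDP-Tcp listener on a Windows Server 2008 Terminal Server, and can optionally raise them. It reads the registry key named above and the Win32_TSGeneralSetting WMI class in the root\cimv2\TerminalServices namespace. The numeric meanings in the lookup tables (for example MinEncryptionLevel 3 = High, SecurityLayer 2 = SSL (TLS 1.0)) are not listed on this page and are assumptions based on the documented Terminal Services WMI provider; verify them against your own server before relying on the script.

```powershell
# Added example, not from the original post: audit and optionally harden the
# RDP-Tcp listener's NLA, security layer and encryption level settings.
# Run in an elevated PowerShell session on the Terminal Server itself.
param([switch]$Harden)

# Registry key named in the post; the two extra value names next to
# MinEncryptionLevel are assumptions (standard RDP-Tcp listener values).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$reg = Get-ItemProperty -Path $key

# Assumed numeric meanings (from the Terminal Services WMI documentation,
# not from this page). Adjust if your server documents them differently.
$encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS Compliant' }
$secNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

"Registry view of $key"
"  MinEncryptionLevel : {0} ({1})" -f $reg.MinEncryptionLevel, $encNames[[int]$reg.MinEncryptionLevel]
"  SecurityLayer      : {0} ({1})" -f $reg.SecurityLayer,      $secNames[[int]$reg.SecurityLayer]
"  UserAuthentication : {0} (1 = NLA required)" -f $reg.UserAuthentication

# Same listener through WMI; this class also carries the Set* methods.
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"

# Collect findings a defender would want to act on.
$findings = @()
if ($ts.UserAuthenticationRequired -ne 1) {
    $findings += 'NLA is not required: unauthenticated clients can reach the logon screen.'
}
if ($ts.SecurityLayer -lt 2) {
    $findings += 'Security layer is below SSL (TLS 1.0): the server identity is not verified by the client.'
}
if ($ts.MinEncryptionLevel -lt 3) {
    $findings += 'MinEncryptionLevel is below High: legacy clients may negotiate weaker link encryption.'
}

if ($findings.Count -eq 0) {
    'No findings: NLA required, TLS security layer, High encryption.'
} else {
    'Findings:'
    $findings | ForEach-Object { "  - $_" }
}

# Optional remediation. Each method returns a ReturnValue of 0 on success.
if ($Harden -and $findings.Count -gt 0) {
    'Applying hardened settings (a reboot or a new session is needed for them to take effect)...'
    $r1 = $ts.SetUserAuthenticationRequired(1)
    $r2 = $ts.SetSecurityLayer(2)
    $r3 = $ts.SetEncryptionLevel(3)
    "  SetUserAuthenticationRequired -> {0}" -f $r1.ReturnValue
    "  SetSecurityLayer              -> {0}" -f $r2.ReturnValue
    "  SetEncryptionLevel            -> {0}" -f $r3.ReturnValue
}
```

Run it without parameters first to see the current state; add `-Harden` only after confirming that every client in the environment supports Network Level Authentication and 128-bit encryption, because raising these settings will refuse connections from clients that do not (see the client check described earlier in the post).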

And with that we come to the end of this post. In tomorrow's post, we'll take a look at Terminal Server printing. Until next time!

CC Hameed
