Scribd
Upload
82 views

HP Thinpro: Security Layers For RDP Connections

hp

Uploaded by

marisfl
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
82 views

HP Thinpro: Security Layers For RDP Connections

hp

Uploaded by

marisfl
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

Technical white paper

HP ThinPro
Security Layers for RDP Connections

Table of contents
Introduction .................................................................................................................................................................................... 2
Security layers ................................................................................................................................................................................ 2
RDP security layer ..................................................................................................................................................................... 2
SSL/TLS security layer ............................................................................................................................................................. 2
Security layer negotiation ....................................................................................................................................................... 2
NLA security layer ..................................................................................................................................................................... 2
Configuring the server for NLA ................................................................................................................................................... 3
Configuring the thin client (optional) ........................................................................................................................................ 3
For more information ................................................................................................................................................................... 4

Introduction
In the default configuration, the Windows server running Remote Desktop Services (RDS) employs a flexible set of
requirements on encrypted RDP connections. With some simple configuration, it is possible to require stronger encryption.
This paper assumes that the Windows Server 2012 R2 infrastructure is in use, but the same techniques can be applied to
Windows Server 2012 and Windows Server 2008 R2.

Security layers
The following security layers are available:
RDP security layer
SSL/TLS
Negotiation
Network Level Authentication (NLA)

RDP security layer


The RDP security layer is the oldest and most basic of the available security layers. It is also the only option available before
Windows Server 2003 SP1. Use of the RDP Security Layer is discouraged.
CAUTION
The RDP security layer has a known vulnerability to a Man-in-the-Middle (MITM) attack. A MITM attack means that an
attacker can transparently intercept data between client and server and have access to all the session data, including
credentials. Use of this security layer is best done only when other steps are in place to mitigate the MITM attack. For more
information on this vulnerability, see the following guide:
http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-preventman-in-the-middle-attacks.aspx
Due to this issues, production deployments should prefer the SSL/TLS or NLA security layers, which are not vulnerable to
this attack. Mitigations should be put in place if the RDP security layer is required.

SSL/TLS security layer


The SSL/TLS security layer leverages the same technology used for web HTTPS traffic to encrypt the session data. For RDP,
this security layer was introduced with Windows Server 2003 SP1.

Security layer negotiation


Negotiation is not directly a security layer. Instead, it is a mode that says that the server is flexible in terms of what it will
accept for the security layer. This is also the default setting. In this mode, the server will accept connections using any of the
RDP, SSL, or NLA security layers.

NLA security layer


The NLA security layer is an extension to the SSL/TLS security layer and provides the highest available level of security. For
this reason, the NLA security layer is the recommended configuration. This security layer is available in Windows Server
2008 and later.

Configuring the server for NLA


1.

On the server, edit Group Policy at the desired level.


Note: This document shows examples at the Local level. Local group policy can be edited by launching the following
command: gpedit.msc

2.

Navigate to the following location:


Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services >
Remote Desktop Session Host > Security

3.

For the policy Require use of specific security layer for remote (RDP) connections, select Enabled and SSL (TLS
1.0).
Note: Because NLA is built upon SSL/TLS, we must choose SSL (TLS 1.0) here.

4.

For the Policy Require user authentication for remote connections by using Network Level Authentication, select
Enabled.

Configuring the thin client (optional)


This step is redundant because the procedure described in Configuring the server for NLA enforces NLA on the server, but
this step helps ensure that the RDP security layer is not in use.
1.

On the thin client running HP ThinPro, navigate to or create a new RDP connection.

2.

On the Options page of the wizard, ensure that the option Enable deprecated RDP encryption is not selected.

For more information


For more information about HP thin client software, go to the following:
HP thin client software and operating system website:

http://www8.hp.com/us/en/thin-clients/software-and-os.html
HP Support Center (for documentation, search for the thin client model and see the corresponding Manuals page):

http://www.hp.com/go/hpsc

Sign up for updates


hp.com/go/getupdated
Copyright 2014 Hewlett-Packard Development Company, L.P.
Microsoft, Windows, and Windows Server are trademarks of the Microsoft Group of companies.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's
standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
First Edition: December 2014

You might also like