
Technical white paper

HP ThinPro
Security Layers for RDP Connections

Table of contents
Introduction (page 2)
Security layers (page 2)
  RDP security layer (page 2)
  SSL/TLS security layer (page 2)
  Security layer negotiation (page 2)
  NLA security layer (page 2)
Configuring the server for NLA (page 3)
Configuring the thin client (optional) (page 3)
For more information (page 4)

Introduction
In the default configuration, the Windows server running Remote Desktop Services (RDS) employs a flexible set of
requirements on encrypted RDP connections. With some simple configuration, it is possible to require stronger encryption.
This paper assumes that the Windows Server 2012 R2 infrastructure is in use, but the same techniques can be applied to
Windows Server 2012 and Windows Server 2008 R2.

Security layers
The following security layers are available:
RDP security layer
SSL/TLS
Negotiation
Network Level Authentication (NLA)

RDP security layer

The RDP security layer is the oldest and most basic of the available security layers. It is also the only option available before
Windows Server 2003 SP1. Use of the RDP Security Layer is discouraged.
CAUTION
The RDP security layer has a known vulnerability to a Man-in-the-Middle (MITM) attack. A MITM attack means that an
attacker can transparently intercept data between client and server and have access to all the session data, including
credentials. Use of this security layer is best done only when other steps are in place to mitigate the MITM attack. For more
information on this vulnerability, see the following guide:
http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-preventman-in-the-middle-attacks.aspx
Due to this issue, production deployments should prefer the SSL/TLS or NLA security layers, which are not vulnerable to
this attack. If the RDP security layer is required, mitigations should be put in place.

SSL/TLS security layer

The SSL/TLS security layer leverages the same technology used for web HTTPS traffic to encrypt the session data. For RDP,
this security layer was introduced with Windows Server 2003 SP1.

Security layer negotiation

Negotiation is not directly a security layer. Instead, it is a mode that says that the server is flexible in terms of what it will
accept for the security layer. This is also the default setting. In this mode, the server will accept connections using any of the
RDP, SSL, or NLA security layers.

NLA security layer

The NLA security layer is an extension to the SSL/TLS security layer and provides the highest available level of security. For
this reason, the NLA security layer is the recommended configuration. This security layer is available in Windows Server
2008 and later.

Configuring the server for NLA

1. On the server, edit Group Policy at the desired level.
   Note: This document shows examples at the Local level. Local Group Policy can be edited by launching the following
   command: gpedit.msc

2. Navigate to the following location:
   Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services >
   Remote Desktop Session Host > Security

3. For the policy Require use of specific security layer for remote (RDP) connections, select Enabled and SSL (TLS
   1.0).
   Note: Because NLA is built upon SSL/TLS, SSL (TLS 1.0) must be chosen here.

4. For the policy Require user authentication for remote connections by using Network Level Authentication, select
   Enabled.
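The four steps above set two Group Policy values that a defender will want to verify afterwards, and the security-layer descriptions earlier on the page (RDP, Negotiate, SSL/TLS, and NLA on top of SSL/TLS) map onto small integers in the same settings. The following PowerShell audit script is an added example and is not part of the HP white paper or of any HP or Microsoft tooling. It assumes it is run with administrative rights on the Windows Server being checked, and that the policy values live in the standard locations the Group Policy editor writes to (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, values SecurityLayer and UserAuthentication) and the RDP-Tcp listener stores its own values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp; the Win32_TSGeneralSetting CIM class is used as a second, independent read of the live listener state. The names Get-RegistryDword and Get-RdpSecurityState are the example's own.

```powershell
# Added example (not from the HP white paper): report whether a Remote Desktop
# Session Host enforces the SSL/TLS security layer and requires NLA.
# Assumptions: administrator rights on the local server; standard registry
# locations for the policy and listener settings.
# Value meanings: SecurityLayer 0 = RDP, 1 = Negotiate, 2 = SSL/TLS;
#                 UserAuthentication 1 = NLA required, 0 = not required.

$SecurityLayerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is "Not Configured".
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-LiveListenerState {
    # Independent view of what the RDP-Tcp listener is actually using right now.
    try {
        Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop |
            Select-Object SecurityLayer, UserAuthenticationRequired
    } catch {
        $null
    }
}

function Get-RdpSecurityState {
    $policyLayer   = Get-RegistryDword $PolicyKey   'SecurityLayer'
    $policyNla     = Get-RegistryDword $PolicyKey   'UserAuthentication'
    $listenerLayer = Get-RegistryDword $ListenerKey 'SecurityLayer'
    $listenerNla   = Get-RegistryDword $ListenerKey 'UserAuthentication'

    # A configured policy value takes precedence over the listener's own value.
    $effectiveLayer = if ($null -ne $policyLayer) { $policyLayer } else { $listenerLayer }
    $effectiveNla   = if ($null -ne $policyNla)   { $policyNla }   else { $listenerNla }

    $layerName = if ($null -eq $effectiveLayer) { 'Not set (server default is Negotiate)' }
                 else { $SecurityLayerNames[[int]$effectiveLayer] }

    [pscustomobject]@{
        PolicyEnforced      = ($null -ne $policyLayer) -and ($null -ne $policyNla)
        EffectiveLayer      = $layerName
        NlaRequired         = ($effectiveNla -eq 1)
        # The paper's recommended end state: SSL/TLS forced and NLA required.
        MeetsRecommendation = ($effectiveLayer -eq 2) -and ($effectiveNla -eq 1)
        LiveListener        = Get-LiveListenerState
    }
}

$state = Get-RdpSecurityState
$state | Format-List

if (-not $state.MeetsRecommendation) {
    Write-Warning 'RDP-Tcp does not enforce SSL/TLS with NLA; the deprecated RDP security layer may still be accepted.'
}
```

The script deliberately reads both the policy hive and the listener's own key: a server whose listener was hardened by hand but has no policy configured reports MeetsRecommendation as true but PolicyEnforced as false, which is worth flagging because the setting can then be changed back by a local administrator without any Group Policy change. A Negotiate result (SecurityLayer 1) is the default described in the "Security layer negotiation" section and means the server will still accept the RDP security layer.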

Configuring the thin client (optional)

This step is redundant because the procedure described in Configuring the server for NLA enforces NLA on the server, but
this step helps ensure that the RDP security layer is not in use.

1. On the thin client running HP ThinPro, navigate to or create a new RDP connection.

2. On the Options page of the wizard, ensure that the option Enable deprecated RDP encryption is not selected.

For more information

For more information about HP thin client software, go to the following:
HP thin client software and operating system website:
http://www8.hp.com/us/en/thin-clients/software-and-os.html
HP Support Center (for documentation, search for the thin client model and see the corresponding Manuals page):
http://www.hp.com/go/hpsc

Copyright 2014 Hewlett-Packard Development Company, L.P.
Microsoft, Windows, and Windows Server are trademarks of the Microsoft Group of companies.
Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial
Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's
standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for
technical or editorial errors or omissions contained herein.
First Edition: December 2014
