"Certificate" property & Connect security



Guest Dmitry N.Ananyev
Posted

I added a "Server Authentication Certificate" to my Terminal Service

as shown here: http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true

but remote users without any "Certificates" can connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)

But I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.

Is it possible?

Thanks.

Guest Helge Klein
Posted

Re: "Certificate" property & Connect security
 

I think you misunderstood this feature. It is called _server_ authentication and provides a means for a TS client to verify a server's identity by means of a digital certificate installed on the server, and the server only.

If you want to restrict the number of users who are able to log on to a TS then configure membership in the group "Remote Desktop Users" on the TS accordingly.

 

I hope this helps.

 

Helge

 

On 16 Aug., 13:39, "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote:

> I added a "Server Authentication Certificate" to my Terminal Service
>
> as shown here: http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-...
>
> but remote users without any "Certificates" can connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
>
> But I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
>
> Is it possible?
>
> Thanks.
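Helge's point above (the TS certificate only authenticates the server; who may connect is decided by group membership) can be checked on the Terminal Server itself with the audit script below. This is an added example, not code from the thread or from Microsoft; it assumes a current Windows host with PowerShell 5.1 or later, an elevated session, and the default listener name RDP-Tcp.

```powershell
# Added audit script (not from the thread). Shows what the RDP/TS certificate
# does (server authentication only) and where client access is actually gated.
# Assumes Windows PowerShell 5.1+ (for Get-LocalGroupMember) and listener RDP-Tcp.

# 1. TLS settings on the RDP-Tcp listener.
#    SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS/SSL.
#    UserAuthentication: 1 = Network Level Authentication required before logon.
#    SSLCertificateSHA1Hash: thumbprint of the server certificate bound to the listener.
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

[pscustomobject]@{
    SecurityLayer        = $ts.SecurityLayer
    NlaRequired          = [bool]$ts.UserAuthentication
    ServerCertThumbprint = $ts.SSLCertificateSHA1Hash
}

# 2. Confirm the bound certificate is a *server* certificate: its Enhanced Key
#    Usage is Server Authentication (OID 1.3.6.1.5.5.7.3.1). Nothing about it
#    identifies a client, which is the misunderstanding in the original question.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
if ($cert) {
    $cert.EnhancedKeyUsageList | Select-Object FriendlyName, ObjectId
} else {
    Write-Warning 'No certificate in LocalMachine\My matches the RDP-Tcp thumbprint.'
}

# 3. The control that actually decides who may log on over RDP: members of the
#    local "Remote Desktop Users" group (local Administrators can log on as well).
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource
```

Review the group listing against the intended user set; a certificate change never shortens it.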

Guest Vera Noest [MVP]
Posted

Re: "Certificate" property & Connect security

 

Check if this helps:

How to secure remote desktop connections using TLS/SSL based authentication
http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

 

"Dmitry N.Ananyev" <dtc.98@relcom.ru> wrote on 16 aug 2007 in microsoft.public.windows.terminal_services:

> I added a "Server Authentication Certificate" to my Terminal Service
>
> as shown here: http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>
> but remote users without any "Certificates" can connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
>
> But I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
>
> Is it possible?
>
> Thanks.

Guest Helge Klein
Posted

Re: "Certificate" property & Connect security
 

Vera, I admit I did not know of that article but I was troubled to have misunderstood the Server Authentication feature of terminal services. I just read the article you mentioned and think the method described there has a serious flaw. By design a TLS or SSL server certificate can only be used to enable a client to verify the server's identity. If client authentication is desired then (normally) client certificates are used - but terminal services do not support that.

The "hack" described in the article only works if the client does not trust the CA that issued the TS certificate. While this might be a workaround it is by no means secure - a user would just have to copy the server certificate from a co-worker's PC and be granted access to the TS. Also, in larger organizations, there tends to be an enterprise-wide CA/PKI in place and thus the root CA would be available to all computers.

I hope this does not sound like gibberish. I still think there is no "clean" solution to TS client authentication - maybe there are third-party tools around that do the job.

 

Helge

 

==================
Please visit my blog:
http://it-from-inside.blogspot.com
==================

 

On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:

> Check if this helps:
>
> How to secure remote desktop connections using TLS/SSL based authentication
> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
>
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
>
> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in microsoft.public.windows.terminal_services:
>
> > I added a "Server Authentication Certificate" to my Terminal Service
> >
> > as shown here: http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
> >
> > but remote users without any "Certificates" can connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
> >
> > But I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
> >
> > Is it possible?
> >
> > Thanks.

Guest Dmitry N.Ananyev
Posted

Re: "Certificate" property & Connect security
 

I agree, the article does not work.

> The "hack" described in the article only works if the client does not
> trust the CA that issued the TS certificate.

What is the "article's hack"?

*****
Here's what you need to do. Per default, the certificate trust list can be found in %systemroot%\system32\certsrv\CertEnroll and the file has the .CRT extension. This is also the file being downloaded when you click on "Download Certificate Trust Lists" on the web interface for Microsoft Certificate Services. Simply move the file to a protected location or ensure that only trusted users are allowed to read the CRT file.
*****

1) After removing these files, they are restored automatically when the CA restarts.
2) In all cases, even with the .CRT removed, the TS client connects, views the certificate, and installs it successfully.
Maybe it trusted it earlier :-)

Dmitry

PS.
I am thinking about another way to restrict clients - may I use IPsec only for TS and not for web IIS remote users?

Guest Vera Noest [MVP]
Posted

Re: "Certificate" property & Connect security
 

Helge,

I think that you are absolutely right. I was confused as well by the article, because, like you, I had always understood that TLS only provides for server authentication, not client authentication. To be honest, I didn't read the article carefully enough, and I assumed that the author knew better, given the site that hosted the article.

Sorry for referring to misleading information!

 

Vera Noest

 

Helge Klein <Helge.Klein@googlemail.com> wrote on 16 aug 2007:

> Vera, I admit I did not know of that article but I was troubled to have misunderstood the Server Authentication feature of terminal services. I just read the article you mentioned and think the method described there has a serious flaw. By design a TLS or SSL server certificate can only be used to enable a client to verify the server's identity. If client authentication is desired then (normally) client certificates are used - but terminal services do not support that.
>
> The "hack" described in the article only works if the client does not trust the CA that issued the TS certificate. While this might be a workaround it is by no means secure - a user would just have to copy the server certificate from a co-worker's PC and be granted access to the TS. Also, in larger organizations, there tends to be an enterprise-wide CA/PKI in place and thus the root CA would be available to all computers.
>
> I hope this does not sound like gibberish. I still think there is no "clean" solution to TS client authentication - maybe there are third-party tools around that do the job.
>
> Helge
>
> Please visit my blog: http://it-from-inside.blogspot.com
>
> On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
>> Check if this helps:
>>
>> How to secure remote desktop connections using TLS/SSL based authentication
>> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
>>
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>>
>> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in microsoft.public.windows.terminal_services:
>>
>> > I added a "Server Authentication Certificate" to my Terminal Service
>> >
>> > as shown here: http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>> >
>> > but remote users without any "Certificates" can connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
>> >
>> > But I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
>> >
>> > Is it possible?
>> >
>> > Thanks.
