Dmitry N.Ananyev, posted August 16, 2007

I added a "Server Authentication Certificate" to my Terminal Service as described here:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true

But remote users without any "Certificates" can still connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)

I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service. Is it possible?

Thanks.
Helge Klein, posted August 16, 2007
Re: "Certificate" property & Connect security

I think you misunderstood this feature. It is called _server_ authentication and provides a means for a TS client to verify a server's identity by means of a digital certificate installed on the server, and the server only.

If you want to restrict the number of users who are able to log on to a TS, then configure membership in the group "Remote Desktop Users" on the TS accordingly.

I hope this helps.

Helge

On 16 Aug., 13:39, "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote:
> I added a "Server Authentication Certificate" to my Terminal Service
> as described here: http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-...
>
> But remote users without any "Certificates" can still connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
>
> I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
>
> Is it possible?
>
> Thanks.
Vera Noest [MVP], posted August 16, 2007
Re: "Certificate" property & Connect security

Check if this helps:

How to secure remote desktop connections using TLS/SSL based authentication
http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Dmitry N.Ananyev" <dtc.98@relcom.ru> wrote on 16 aug 2007 in microsoft.public.windows.terminal_services:
> I added a "Server Authentication Certificate" to my Terminal Service
> as described here:
> http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>
> But remote users without any "Certificates" can still connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
>
> I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
>
> Is it possible?
>
> Thanks.
Helge Klein, posted August 16, 2007
Re: "Certificate" property & Connect security

Vera, I admit I did not know of that article, but I was troubled to have misunderstood the Server Authentication feature of terminal services. I just read the article you mentioned and think the method described there has a serious flaw. By design a TLS or SSL server certificate can only be used to enable a client to verify the server's identity. If client authentication is desired, then (normally) client certificates are used - but terminal services do not support that.

The "hack" described in the article only works if the client does not trust the CA that issued the TS certificate. While this might be a workaround, it is by no means secure - a user would just have to copy the server certificate from a co-worker's PC and be granted access to the TS. Also, in larger organizations there tends to be an enterprise-wide CA/PKI in place, and thus the root CA would be available to all computers.

I hope this does not sound like gibberish. I still think there is no "clean" solution to TS client authentication - maybe there are third-party tools around that do the job.

Helge

==================
Please visit my blog:
http://it-from-inside.blogspot.com
==================

On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
> Check if this helps:
>
> How to secure remote desktop connections using TLS/SSL based authentication
> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
>
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in microsoft.public.windows.terminal_services:
>
> > I added a "Server Authentication Certificate" to my Terminal Service
> > as described here:
> > http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
> >
> > But remote users without any "Certificates" can still connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
> >
> > I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
> >
> > Is it possible?
> >
> > Thanks.
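Helge's two replies give the defender two concrete things to check: the access-control lever is membership in "Remote Desktop Users" (plus Administrators, who get the logon right implicitly), and the certificate on the listener only lets clients verify the server. The script below is an added example, not code from the thread or from Microsoft, that audits both on one host. It assumes a modern Windows host (Windows 10 / Server 2016 or later, for Get-LocalGroupMember and the Win32_TSGeneralSetting CIM class); the 2003-era server in the thread has neither, so the cmdlet names are an assumption about the platform, not something the thread states.

```powershell
# Added example, not from the thread. Audits who may log on through RDP and which
# certificate the RDP-Tcp listener presents for server authentication.
# Assumption: Windows 10 / Windows Server 2016 or later, run from an elevated prompt.

# --- 1. Who can connect: "Remote Desktop Users" plus the implicit Administrators group
$rdpMembers   = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
$adminMembers = @(Get-LocalGroupMember -Group 'Administrators')

'Remote Desktop Users (explicit RDP logon right):'
$rdpMembers   | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
'Administrators (implicit RDP logon right):'
$adminMembers | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# --- 2. How the server proves its identity: listener settings and the bound certificate
$listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = TLS (SSL)
$layerName = switch ($listener.SecurityLayer) {
    0       { 'RDP Security Layer (no TLS)' }
    1       { 'Negotiate' }
    2       { 'TLS/SSL' }
    default { "Unknown ($($listener.SecurityLayer))" }
}

# The listener references its certificate by SHA-1 thumbprint. The default self-signed
# certificate lives in the "Remote Desktop" store, an enrolled one usually in "My".
$thumbprint = $listener.SSLCertificateSHA1Hash
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $thumbprint }

[pscustomobject]@{
    SecurityLayer  = $layerName
    NLARequired    = [bool]$listener.UserAuthenticationRequired
    CertThumbprint = $thumbprint
    CertSubject    = $cert.Subject
    CertIssuer     = $cert.Issuer
    CertExpires    = $cert.NotAfter
    SelfSigned     = ($cert.Subject -eq $cert.Issuer)
} | Format-List

# The certificate tells clients which server they reached; it does not decide who may
# connect. If the report shows SecurityLayer 0 or NLA off, the class's own methods fix it:
#   Invoke-CimMethod -InputObject $listener -MethodName SetSecurityLayer `
#       -Arguments @{ SecurityLayer = 2 }
#   Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
#       -Arguments @{ UserAuthenticationRequired = 1 }
```

A self-signed listener certificate (SelfSigned = True) is exactly the case that produces the "ignore?" prompt Dmitry describes: clients cannot chain it to a trusted CA, so they are asked whether to proceed. Whether a client trusts the certificate has no bearing on whether the server lets it in; that decision is made by the group membership listed in the first part of the report.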
Dmitry N.Ananyev, posted August 17, 2007
Re: "Certificate" property & Connect security

I agree the article does not work.

> The "hack" described in the article only works if the client does not
> trust the CA that issued the TS certificate.

What is the "article's hack"?

*****
Here's what you need to do. Per default, the certificate trust list can be found in %systemroot%\system32\certsrv\CertEnroll and the file has the .CRT extension. This is also the file being downloaded when you click on the "Download Certificate Trust Lists" link on the web interface for Microsoft Certificate Services. Simply move the file to a protected location or ensure that only trusted users are allowed to read the CRT file.
*****

1) After I removed these files, they were restored automatically after restarting the CA.
2) In all cases - even with the .CRT removed - the TS client connects, views the certificate and installs it successfully. Maybe it trusted it earlier :-)

Dmitry

PS. I am thinking about another way to restrict clients - may I use IPsec only for TS and not for the Web IIS remote users?
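Dmitry's closing question, restricting RDP with IPsec while leaving IIS reachable, comes down to scoping the IPsec requirement to the RDP port. The script below is an added example, not from the thread and not a Microsoft sample, showing that scoping on a modern Windows host: inbound TCP 3389 must arrive inside an IPsec association authenticated with the connecting computer's domain (Kerberos) identity, and nothing is changed for 80/443. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets), a domain-joined server, and an elevated prompt; the display names are placeholders I chose, and none of this exists on the 2003-era server in the thread, where the equivalent was an IPsec policy built with the older tooling.

```powershell
# Added example, not from the thread. Requires IPsec (machine Kerberos authentication)
# for inbound TCP 3389 only; IIS on 80/443 keeps serving remote users without IPsec.
# Assumptions: Windows 8 / Server 2012 or later, domain-joined, elevated prompt.

# Phase 1 authentication: the connecting computer must prove a domain identity.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'RDP machine Kerberos (example)' `
                                      -Proposal $proposal

# Connection security rule scoped to the RDP listener only. Inbound packets to 3389 are
# refused unless they arrive inside an authenticated IPsec association; outbound traffic
# requests IPsec but falls back to clear, so the server can still reach non-IPsec hosts.
New-NetIPsecRule -DisplayName 'Require IPsec for RDP (example)' `
    -Protocol TCP -LocalPort 3389 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain | Out-Null

# Verify the scope: the rule's port filter covers 3389 and no other port, which is what
# keeps the web server out of it.
$rule = Get-NetIPsecRule -DisplayName 'Require IPsec for RDP (example)'
$rule | Format-List DisplayName, Enabled, InboundSecurity, OutboundSecurity
$rule | Get-NetFirewallPortFilter | Format-List Protocol, LocalPort, RemotePort
```

Because the requirement is enforced per port rather than per host, a client that cannot complete IPsec authentication is turned away at 3389 but is unaffected on the IIS ports. Machine Kerberos authentication ties access to domain-joined computers rather than to possession of a public certificate file, which is the property the article's approach lacked.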
Vera Noest [MVP], posted August 17, 2007
Re: "Certificate" property & Connect security

Helge, I think that you are absolutely right. I was confused as well by the article, because, like you, I had always understood that TLS only provides for server authentication, not client authentication. To be honest, I didn't read the article carefully enough, and I assumed that the author knew better, given the site that hosted the article. Sorry for referring to misleading information!

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Helge Klein <Helge.Klein@googlemail.com> wrote on 16 aug 2007:
> Vera, I admit I did not know of that article, but I was troubled to have misunderstood the Server Authentication feature of terminal services. I just read the article you mentioned and think the method described there has a serious flaw. By design a TLS or SSL server certificate can only be used to enable a client to verify the server's identity. If client authentication is desired, then (normally) client certificates are used - but terminal services do not support that.
>
> The "hack" described in the article only works if the client does not trust the CA that issued the TS certificate. While this might be a workaround, it is by no means secure - a user would just have to copy the server certificate from a co-worker's PC and be granted access to the TS. Also, in larger organizations there tends to be an enterprise-wide CA/PKI in place, and thus the root CA would be available to all computers.
>
> I hope this does not sound like gibberish. I still think there is no "clean" solution to TS client authentication - maybe there are third-party tools around that do the job.
>
> Helge
>
> ==================
> Please visit my blog:
> http://it-from-inside.blogspot.com
> ==================
>
> On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
>> Check if this helps:
>>
>> How to secure remote desktop connections using TLS/SSL based authentication
>> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
>>
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in microsoft.public.windows.terminal_services:
>>
>> > I added a "Server Authentication Certificate" to my Terminal Service
>> > as described here:
>> > http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>> >
>> > But remote users without any "Certificates" can still connect to my Terminal Server, with the message "Terminal Server has a certificate - Ignore?" :-)
>> >
>> > I want remote users without the "secret Certificate" to be unable to connect to the Terminal Service.
>> >
>> > Is it possible?
>> >
>> > Thanks.