Guest Goku 316
Posted June 14, 2008

We have 2 TS farms both containing 2003 SP2 servers. For the general part the clients are outsiders with Windows XP and higher. Also Mac clients are connected with the old and new RDP software from the Mactopia website.

Worried about secure communication between the server and the clients. Want to avoid DoS attacks, dictionary password cracking as well as man in the middle scenarios.

As it stands the Encryption level (in RDP-TCP properties) is set to “Client Compatible”.
Will setting the encryption level to high be enough to be safe? It is 128 bit encryption.

(I am aware of the SSL cert setup but trying to avoid this since the clients are all outsiders and applying the cert to each computer is a killer.)

Thanks in advance.

--
Goku 316

Guest Eugene Sukhodolin
Posted June 14, 2008

Re: Guide for Secure communication between client and TS

> Worried about secure communication between the server and the clients. Want
> to avoid DoS attacks, dictionary password cracking as well as man in the
> middle scenarios.

MITM attacks can only be prevented by the SSL/TLS mode. Native RDP encryption modes are vulnerable to MITM.

> As it stands the Encryption level (in RDP-TCP properties) is set to “Client Compatible”.
> Will setting the encryption level to high be enough to be safe? It is 128
> bit encryption.

You need to set "High" or "FIPS". But I'm not sure if Mac clients support FIPS.

> (I am aware of the SSL cert setup but trying to avoid this since the clients
> are all outsiders and applying the cert to each computer is a killer.)

Actually, SSL/TLS is the safest mode.

--
Sincerely,
Eugene Sukhodolin
CTO, TSFactory Inc.
http://www.tsfactory.com
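
An added example, not part of any post in this thread: one way to confirm from the network side whether a listener agreed to TLS rather than native RDP security is to read the security protocol in the server's X.224 Connection Confirm. The field layout follows the RDP negotiation response in MS-RDPBCGR; the function names are hypothetical and the byte strings are constructed samples.

```python
import struct

# selectedProtocol values in the RDP negotiation response (MS-RDPBCGR)
PROTOCOLS = {0: "RDP", 1: "SSL", 2: "HYBRID"}  # native RDP, TLS, CredSSP
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def selected_security(confirm: bytes) -> str:
    """Name the security protocol chosen in an X.224 Connection Confirm."""
    if len(confirm) < 11 or confirm[0] != 0x03:
        raise ValueError("not a TPKT packet")
    (total_len,) = struct.unpack(">H", confirm[2:4])
    if total_len != len(confirm):
        raise ValueError("TPKT length does not match the data")
    if confirm[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = confirm[11:]  # 4-byte TPKT header + 7-byte X.224 header
    if not neg:
        # No negotiation block at all: only native RDP security is on offer.
        return "RDP"
    if len(neg) != 8:
        raise ValueError("malformed negotiation block")
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", neg)
    if neg_len != 8:
        raise ValueError("unexpected negotiation block length")
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return "FAILURE(%d)" % value
    if neg_type != TYPE_RDP_NEG_RSP:
        raise ValueError("unknown negotiation block type")
    return PROTOCOLS.get(value, "UNKNOWN(%d)" % value)


def uses_tls(confirm: bytes) -> bool:
    """True when the session runs over TLS (the SSL/TLS mode discussed above)."""
    return selected_security(confirm) in ("SSL", "HYBRID")


# Constructed sample replies (not captured from a real server).
TLS_CONFIRM = bytes.fromhex("030000130ed000001234000200080001000000")
NATIVE_CONFIRM = bytes.fromhex("030000130ed000001234000200080000000000")
LEGACY_CONFIRM = bytes.fromhex("0300000b06d00000123400")
REFUSED = bytes.fromhex("030000130ed000001234000300080001000000")

if __name__ == "__main__":
    for name, pdu in [("tls", TLS_CONFIRM), ("native", NATIVE_CONFIRM),
                      ("legacy", LEGACY_CONFIRM), ("refused", REFUSED)]:
        print(name, selected_security(pdu))
```
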

Guest Goku 316
Posted June 15, 2008

Re: Guide for Secure communication between client and TS

Thank you for your response!

My question then is that if I get a cert from Verisign will the client automatically get the cert installed since Verisign Root certs are shipped with almost all operating systems?

The clients all work from home so that is why I am asking. We will have to guide 100+ clients on how to preinstall the cert if needed. However with a Verisign cert it may make it easier.

I am applying the same principle as I did with the SSL setup with Outlook Web Access.
Our consultant gave us a cert from another non-famous dealer but it was hell. I obtained one from Verisign and it was a smooth setup.

I really appreciate your prompt response.

--
Goku 316

"Eugene Sukhodolin" wrote:

> > Worried about secure communication between the server and the clients. Want
> > to avoid DoS attacks, dictionary password cracking as well as man in the
> > middle scenarios.
>
> MITM attacks can only be prevented by the SSL/TLS mode. Native RDP
> encryption modes are vulnerable to MITM.
>
> > As it stands the Encryption level (in RDP-TCP properties) is set to “Client Compatible”.
> > Will setting the encryption level to high be enough to be safe? It is 128
> > bit encryption.
>
> You need to set "High" or "FIPS". But I'm not sure if Mac clients
> support FIPS.
>
> > (I am aware of the SSL cert setup but trying to avoid this since the clients
> > are all outsiders and applying the cert to each computer is a killer.)
>
> Actually, SSL/TLS is the safest mode.
>
> --
> Sincerely,
> Eugene Sukhodolin
> CTO, TSFactory Inc.
> http://www.tsfactory.com

Guest austbear
Posted September 2, 2008

Re: Guide for Secure communication between client and TS

If you get a certificate from a well-known CA such as Verisign then there is a 99.9% chance that you don't have to install the certificate manually on the clients. If you have configured your Outlook Web Access then the process is very similar (in fact you may use the same certificate if you want to Remote Desktop to the same server).

"Goku 316" wrote:

> Thank you for your response!
>
> My question then is that if I get a cert from Verisign will the client
> automatically get the cert installed since Verisign Root certs are shipped
> with almost all operating systems?
>
> The clients all work from home so that is why I am asking. We will have to
> guide 100+ clients on how to preinstall the cert if needed. However with a
> Verisign cert it may make it easier.
>
> I am applying the same principle as I did with the SSL setup with Outlook
> Web Access.
> Our consultant gave us a cert from another non-famous dealer but it was
> hell. I obtained one from Verisign and it was a smooth setup.
>
> I really appreciate your prompt response.
>
> --
> Goku 316
>
> "Eugene Sukhodolin" wrote:
>
> > > Worried about secure communication between the server and the clients. Want
> > > to avoid DoS attacks, dictionary password cracking as well as man in the
> > > middle scenarios.
> >
> > MITM attacks can only be prevented by the SSL/TLS mode. Native RDP
> > encryption modes are vulnerable to MITM.
> >
> > > As it stands the Encryption level (in RDP-TCP properties) is set to “Client Compatible”.
> > > Will setting the encryption level to high be enough to be safe? It is 128
> > > bit encryption.
> >
> > You need to set "High" or "FIPS". But I'm not sure if Mac clients
> > support FIPS.
> >
> > > (I am aware of the SSL cert setup but trying to avoid this since the clients
> > > are all outsiders and applying the cert to each computer is a killer.)
> >
> > Actually, SSL/TLS is the safest mode.
> >
> > --
> > Sincerely,
> > Eugene Sukhodolin
> > CTO, TSFactory Inc.
> > http://www.tsfactory.com