Remote Desktop Connection does not encrypt with ipsec

Archived from groups: microsoft.public.win2000.security

Hi,

I would like to encrypt the rdc connection for terminal services with an
ipsec connection to make it more secure.

I have set up a policy on the terminal server (request security) with an IP
filter:
  my IP address -> to any
  TCP -> port 3389 to any
and the rule is mirrored.
It uses Kerberos authentication.
The server is only a terminal server (Windows 2000) and not a domain
controller.

I have configured the client (Win XP) with the "client respond only" security
policy.
When I am connecting from the client to the server, ipsecmon shows no
encryption at all.

For testing I have configured the policy on the server so that all traffic
should be encrypted, and it works fine.

What went wrong in my configuration?

regards
  1. Archived from groups: microsoft.public.win2000.security

    Hello,

    Based on my test and experience, your configuration steps are correct. So
    regarding this, please send me a screen shot to show the status on your
    ipsecmon.

    To take a screen shot:
    ---------------------
    1) Press the Print Screen key once on the keyboard when the error message
    appears.
    2) Click Start, go to Run, enter MSPAINT in the open dialog box, and then
    Click OK.
    3) Use Ctrl + V to paste the screenshot to the canvas.
    4) From the File menu, go to Save and save it as a JPG file.
    5) Send the JPG file to me as an attachment.
    My mailbox: v-xuwen@microsoft.com

    To verify on the wire whether the data is encrypted, I suggest you use
    netmon to trace the data.
    Network Monitor:
    =======================
    1. To obtain a time-bombed version of Network Monitor, visit the following
    Microsoft Web site:
    ftp://ftp.microsoft.com/PSS/Tools/NetMon/NETMON2.ZIP
    2. Download the netmon2.zip file. The password for that zip is "trace" (no
    quotation marks).
    3. Run the qfesetup.exe file to install Network Monitor on HSMain.

    Please send me the capture data. And don't forget the source MAC and
    destination MAC.

    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

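The answer above suggests tracing the session with Network Monitor to see whether the data is really encrypted. The check below is an added example, not part of the thread: it classifies raw IPv4 packets from such a trace. ESP (IP protocol 50) means IPsec encrypted the payload, AH (51) means integrity only with the payload still readable, and a bare TCP segment to or from 3389 means RDP left the host in the clear, which is what a "request security" filter action produces when negotiation fails and it falls back to unsecured traffic. The packets are constructed inline; the addresses and ports are sample values.

```python
import ipaddress
import struct

ESP, AH, TCP, RDP_PORT = 50, 51, 6, 3389   # IP protocol numbers and the RDP port

def classify(packet: bytes) -> str:
    """'esp': IPsec encrypted; 'ah': IPsec integrity only (readable); 'rdp-clear':
    TCP 3389 with no IPsec header, i.e. RDP unprotected; 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]   # header length in bytes, protocol
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    if proto == TCP and len(packet) >= ihl + 4:
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])   # src port, dst port
        if RDP_PORT in ports:
            return "rdp-clear"
    return "other"

def summarize(packets) -> dict:
    counts = {"esp": 0, "ah": 0, "rdp-clear": 0, "other": 0}
    for p in packets:
        counts[classify(p)] += 1
    return counts

def verdict(counts: dict) -> str:
    if counts["rdp-clear"]:
        return "RDP seen in the clear: IPsec did not negotiate (request-security fell back)"
    if counts["esp"]:
        return "only ESP seen: RDP payload is encrypted by IPsec"
    if counts["ah"]:
        return "only AH seen: integrity protected but NOT encrypted"
    return "no RDP traffic in trace"

def ipv4(proto: int, payload: bytes, src="192.0.2.10", dst="192.0.2.20") -> bytes:
    # Minimal IPv4 header (checksum left 0); only used to build the constructed sample.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample trace: RDP connect in the clear, one ESP, one AH, one HTTP segment.
SAMPLE = [
    ipv4(TCP, struct.pack("!HH", 50123, RDP_PORT) + bytes(16) + b"\x03\x00\x00\x13"),  # TPKT
    ipv4(ESP, struct.pack("!II", 0x0A1B2C3D, 1) + bytes(32)),   # SPI, sequence, ciphertext
    ipv4(AH, bytes(24)),
    ipv4(TCP, struct.pack("!HH", 50124, 80) + bytes(16) + b"GET / HTTP/1.0\r\n"),
]
```

Run `verdict(summarize(SAMPLE))` on the constructed trace; on a real capture, feed it the IPv4 payloads of the frames between the two hosts and treat any `rdp-clear` hit as proof the policy is not protecting the session.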
  2. Archived from groups: microsoft.public.win2000.security

    Hi,

    I found out that somebody promoted the server to a DC.
    I know that authentication traffic during login can't be secured (with
    IPsec), but can I protect the RDC with the ruleset seen below? Or in another
    way?
    The client hangs when the IP filter (RDC) is active during login.

    regards

  3. Archived from groups: microsoft.public.win2000.security

    Hi,

    I'm not sure about "protect the RDC with the ruleset seen below"; if you
    mean RDC authentication and encryption, I have some information below:

    Remote Desktop Protocol (RDP) provides data encryption, but it does not
    provide authentication to verify the identity of a terminal server. In
    Windows Server 2003 Service Pack 1 (SP1), you can enhance the security of
    Terminal Server by configuring Terminal Services connections to use
    Transport Layer Security (TLS) 1.0 for server authentication, and to
    encrypt terminal server communications. TLS is a standard protocol that is
    used to provide secure Web communications on the Internet or intranets. It
    enables clients to authenticate servers or, optionally, servers to
    authenticate clients. It also provides a secure channel by encrypting
    communications.

    For more detailed information, please refer to the following link:

    Configuring authentication and encryption
    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/a92d8eb9-f53d-4e86-ac9b-29fd6146977b.mspx>

    In addition, I think the following article may also help.

    275727 High Encryption on a Remote Desktop or Terminal Services Session Does
    http://support.microsoft.com/?id=275727


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
