Remote Desktop Connection does not encrypt with ipsec

Anonymous
August 25, 2005 5:18:03 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I would like to encrypt the RDC connection for terminal services with an
IPsec connection to make it more secure.

I have set up a policy on the terminal server (request security) with an IP
filter
my IP address -> to any
TCP -> port 3389 to any
and the rule is mirrored.
It uses Kerberos authentication.
The server is only a terminal server (Windows 2000) and not a domain
controller.

I have configured the client (Win XP) with the client respond only security
policy.
When I am connecting from the client to the server, ipsecmon shows no
encryption at all.

For testing I have configured the policy on the server so that all traffic
should be encrypted, and it works fine.

What went wrong in my configuration?

regards
Anonymous
August 25, 2005 3:46:45 PM

Hello,

Based on my test and experience, your configuration steps are correct. So
regarding this, please send me a screenshot to show the status on your
ipsecmon.

To take a screenshot:
---------------------
1) Press the Pr Scrn key once on the keyboard when the error message
appears.
2) Click Start, go to Run, enter MSPAINT in the open dialog box, and then
Click OK.
3) Use Ctrl + V to paste the screenshot to the canvas.
4) From the File menu, go to Save and save it as a JPG file.
5) Send the JPG file to me as an attachment.
My mailbox: v-xuwen@microsoft.com

To verify on the earch whether the data is encrypted, I suggest you use
netmon to trace the data.
Network Monitor:
=======================
1. To obtain a time-bombed version of Network Monitor, visit the following
Microsoft Web site:
ftp://ftp.microsoft.com/PSS/Tools/NetMon/NETMON2.ZIP
2. Download the netmon2.zip file. The password for that zip is "trace" (no
quotation marks).
3. Run the qfesetup.exe file to install Network Monitor on HSMain.

Please send me the capture data. And don't forget the source MAC and Dest
MAC.

Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
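
The capture check suggested in the reply above, as an added example (not part of the original thread and not a Microsoft tool): it classifies captured Ethernet/IPv4 frames to show whether traffic to the terminal server travels as ESP or as TCP 3389 outside any IPsec security association. The function names, the sample frames and the 192.0.2.x addresses are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address
ESP, AH, TCP, UDP = 50, 51, 6, 17   # IP protocol numbers

def classify_frame(frame, server_ip, rdp_port=3389):
    """Classify one Ethernet II / IPv4 frame relative to the terminal server."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "other"                         # truncated or not IPv4
    ip, srv = frame[14:], IPv4Address(server_ip)
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]     # header length, next protocol
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    if srv not in (src, dst) or ihl < 20:
        return "other"
    if proto == ESP:
        return "esp"                           # payload encrypted by IPsec
    if proto == AH:
        return "ah"                            # integrity only, no encryption
    if proto in (TCP, UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if proto == UDP and 500 in (sport, dport):
            return "ike"                       # key negotiation, not data
        if proto == TCP and ((src == srv and sport == rdp_port) or
                             (dst == srv and dport == rdp_port)):
            return "rdp-outside-ipsec"         # no IPsec SA covers this packet
    return "other"

def ipsec_verdict(frames, server_ip):
    """Return (verdict, per-class counts) for a list of captured frames."""
    counts = Counter(classify_frame(f, server_ip) for f in frames)
    if counts["rdp-outside-ipsec"]:
        return "RDP not protected by IPsec", counts
    if counts["esp"]:
        return "ESP in use", counts
    return "no RDP or ESP traffic seen", counts

def make_frame(src, dst, proto, payload):      # constructed frame, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

# Constructed sample traffic (documentation addresses, not from the thread).
CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
PLAIN = [make_frame(CLIENT, SERVER, TCP, struct.pack("!HH", 1045, 3389) + b"\0" * 16),
         make_frame(SERVER, CLIENT, TCP, struct.pack("!HH", 3389, 1045) + b"\0" * 16)]
SECURED = [make_frame(CLIENT, SERVER, UDP, struct.pack("!HH", 500, 500) + b"\0" * 4),
           make_frame(CLIENT, SERVER, ESP, b"\x00\x00\x10\x01" + b"\0" * 28),
           make_frame(SERVER, CLIENT, ESP, b"\x00\x00\x20\x02" + b"\0" * 28)]

print(ipsec_verdict(PLAIN, SERVER)[0], "|", ipsec_verdict(SECURED, SERVER)[0])
```

A capture that shows only IKE or AH packets, with no ESP, means the negotiation ran but the session data is still not encrypted by IPsec.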


Anonymous
August 25, 2005 3:46:46 PM

Hi,

I found out that somebody promoted the server to a DC.
I know that authentication traffic during login can't be secured (with
IPsec), but can I protect the RDC with the ruleset seen below? Or in another
way?
The client hangs when the IP filter (RDC) is active during login.

regards
Anonymous
August 26, 2005 10:59:08 AM

Hi,

I'm not sure about "protect the rdc with the ruleset seen below". If you
mean RDC authentication and encryption, I have some information as below:

Remote Desktop Protocol (RDP) provides data encryption, but it does not
provide authentication to verify the identity of a terminal server. In
Windows Server 2003 Service Pack 1 (SP1), you can enhance the security of
Terminal Server by configuring Terminal Services connections to use
Transport Layer Security (TLS) 1.0 for server authentication, and to
encrypt terminal server communications. TLS is a standard protocol that is
used to provide secure Web communications on the Internet or intranets. It
enables clients to authenticate servers or, optionally, servers to
authenticate clients. It also provides a secure channel by encrypting
communications.

For more detailed information, please refer to the following link:

Configuring authentication and encryption
<http://www.microsoft.com/technet/prodtechnol/windowsser...
erHelp/a92d8eb9-f53d-4e86-ac9b-29fd6146977b.mspx>

In addition, I think the following article may also help.

275727 High Encryption on a Remote Desktop or Terminal Services Session Does
http://support.microsoft.com/?id=275727


Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

