On my Windows Server 2008 R2 machine I need to disable all RC4 ciphers to pass PCI scans. We know that disabling TLS 1.0 will break RDP Remote Desktop, we've been locked out of our server doing this. But what about removing just the RC4 ciphers, all Microsoft documentation I found about the RDP mentions RC4 and does not mention it supports other Ciphers.
how to crack windows server 2008 terminal services
Do you know if Microsoft will be updating Remote Desktop services in Windows Server 2008 R2 to support TLS 1.1 or 1.2? We have to cease using TLS 1.0 in just 10 months according to the PCI-DSS, and 2008 R2 does not work with TLS 1.1 or 1.2 yet. So this issue will be back again in a few months. Its a bit of a nightmare for us.
When a group is selected in the tree view, the servers underneath it are displayed in a thumbnail view. The thumbnails can show the actual server windows or simply the connection status. Global thumbnail view properties can be adjusted via the [Tools.Options.Client Area] tab while group/server-specific settings are in Display Settings.
This has been an issue on everyone of the thousands of servers I hve run since at least server 2003. through every update and through every new server overhaul. It also has happened on the client side of every version of windows from xp through windows 11, pro versions, home version etc etc etc... Microsoft has yet to address the isue, because every experienced network engineer knows the work around.. So in thier laziness, they let it be..
2. Pure SSL/TLS is a standard mechanism that enables clients to authenticate to servers and provides a secure channel by encrypting communications. To use SSL/TLS, you must obtain certificates issued by a trusted Certificate Authority and configure them on each terminal server on which you want to have server authentication.
Strong server authentication, which prevents MITM attacks can be achieved on Windows Server 2003 SP1 and higher, using the two server authentication mechanisms described above. Pure SSL/TLS can be used for Windows Server 2003 SP1 and Windows Server 2008. In addition, Windows Server 2008 uses NLA for clients that support it.
As shown in the table above, TLS/SSL certificates can only be deployed on Windows Server 2003 SP1 and later, while NLA is available only on Windows Server 2008. Windows Server 2003 without SP1 and earlier does not support NLA or pure SSL/TLS server authentication mechanisms. Therefore, on earlier Server versions, you will need to use network level protection mechanisms (such as IPSec) to get mutual authentication and protect RDP traffic against MITM attacks. Alternatively, you can set up a VPN tunnel for your connection.
If you are connecting remotely to client operating systems, then only Windows Vista and Windows Vista SP1 that support Network Level Authentication will be able to provide strong server authentication with Kerberos as Windows Server 2008 described above. NLA with SSL/TLS is not possible on Client SKUs. On a downlevel client OS, you can configure VPN to secure your communications. See this KB article on configuring VPN on Windows XP.
Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier,[1] is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session[2] on a remote computer or virtual machine over a network connection. RDS was first released in 1998 as Terminal Server in Windows NT 4.0 Terminal Server Edition, a stand-alone edition of Windows NT 4.0 Server that allowed users to log in remotely. Starting with Windows 2000, it was integrated under the name of Terminal Services as an optional component in the server editions of the Windows NT family of operating systems,[3] receiving updates and improvements with each version of Windows.[4] Terminal Services were then renamed to Remote Desktop Services with Windows Server 2008 R2[5] in 2009.
The key server component of RDS is Terminal Server (termdd.sys), which listens on TCP port 3389. When a Remote Desktop Protocol (RDP) client connects to this port, it is tagged with a unique SessionID and associated with a freshly spawned console session (Session 0, keyboard, mouse and character mode UI only). The login subsystem (winlogon.exe) and the GDI graphics subsystem is then initiated, which handles the job of authenticating the user and presenting the GUI. These executables are loaded in a new session, rather than the console session. When creating the new session, the graphics and keyboard/mouse device drivers are replaced with RDP-specific drivers: RdpDD.sys and RdpWD.sys. The RdpDD.sys is the device driver and it captures the UI rendering calls into a format that is transmittable over RDP. RdpWD.sys acts as keyboard and mouse driver; it receives keyboard and mouse input over the TCP connection and presents them as keyboard or mouse inputs. It also allows creation of virtual channels, which allow other devices, such as disc, audio, printers, and COM ports to be redirected, i.e., the channels act as replacement for these devices. The channels connect to the client over the TCP connection; as the channels are accessed for data, the client is informed of the request, which is then transferred over the TCP connection to the application. This entire procedure is done by the terminal server and the client, with the RDP mediating the correct transfer, and is entirely transparent to the applications.[13] RDP communications are encrypted using 128-bit RC4 encryption. Windows Server 2003 onwards, it can use a FIPS 140 compliant encryption schemes.[6]
Once a client initiates a connection and is informed of a successful invocation of the terminal services stack at the server, it loads up the device as well as the keyboard/mouse drivers. The UI data received over RDP is decoded and rendered as UI, whereas the keyboard and mouse inputs to the Window hosting the UI is intercepted by the drivers, and transmitted over RDP to the server. It also creates the other virtual channels and sets up the redirection. RDP communication can be encrypted; using either low, medium or high encryption. With low encryption, user input (outgoing data) is encrypted using a weak (40-bit RC4) cipher. With medium encryption, UI packets (incoming data) are encrypted using this weak cipher as well. The setting "High encryption (Non-export)" uses 128-bit RC4 encryption and "High encryption (Export)" uses 40-bit RC4 encryption.[14]
Terminal Server is the server component of Terminal services. It handles the job of authenticating clients, as well as making the applications available remotely. It is also entrusted with the job of restricting the clients according to the level of access they have. The Terminal Server respects the configured software restriction policies, so as to restrict the availability of certain software to only a certain group of users. The remote session information is stored in specialized directories, called Session Directory which is stored at the server. Session directories are used to store state information about a session, and can be used to resume interrupted sessions. The terminal server also has to manage these directories. Terminal Servers can be used in a cluster as well.[6]
In Windows Server 2008, it has been significantly overhauled. While logging in, if the user logged on to the local system using a Windows Server Domain account, the credentials from the same sign-on can be used to authenticate the remote session. However, this requires Windows Server 2008 to be the terminal server OS, while the client OS is limited to Windows Server 2008, Windows Vista and Windows 7. In addition, the terminal server may be configured to allow connection to individual programs, rather than the entire desktop, by means of a feature named RemoteApp. Terminal Services Web Access (TS Web Access) makes a RemoteApp session invocable from the web browser. It includes the TS Web Access Web Part control which maintains the list of RemoteApps deployed on the server and keeps the list up to date. Terminal Server can also integrate with Windows System Resource Manager to throttle resource usage of remote applications.[4]
RemoteApp (or TS RemoteApp) is a special mode of RDS, available in Windows Server 2008 R2 and later, where remote session configuration is integrated into the client operating system. The RDP 6.1 client ships with Windows XP SP3, KB952155 for Windows XP SP2 users,[23] Windows Vista SP1 and Windows Server 2008. The UI for the RemoteApp is rendered in a window over the local desktop, and is managed like any other window for local applications. The end result of this is that remote applications behave largely like local applications. The task of establishing the remote session, as well as redirecting local resources to the remote application, is transparent to the end user.[24] Multiple applications can be started in a single RemoteApp session, each with their own windows.[25]
A RemoteApp can be packaged either as a .rdp file or distributed via an .msi Windows Installer package. When packaged as an .rdp file (which contains the address of the RemoteApp server, authentication schemes to be used, and other settings), a RemoteApp can be launched by double clicking the file. It will invoke the Remote Desktop Connection client, which will connect to the server and render the UI. The RemoteApp can also be packaged in a Windows Installer database, installing which can register the RemoteApp in the Start menu as well as create shortcuts to launch it. A RemoteApp can also be registered as handler for file types or URIs. Opening a file registered with RemoteApp will first invoke Remote Desktop Connection, which will connect to the terminal server and then open the file. Any application which can be accessed over Remote Desktop can be served as a RemoteApp.[24]
In Windows Vista onwards, Terminal Services also includes a multi-party desktop sharing capability known as Windows Desktop Sharing. Unlike Terminal Services, which creates a new user session for every RDP connection, Windows Desktop Sharing can host the remote session in the context of the currently logged in user without creating a new session, and make the Desktop, or a subset of it, available over RDP.[27] Windows Desktop Sharing can be used to share the entire desktop, a specific region, or a particular application.[28] Windows Desktop Sharing can also be used to share multi-monitor desktops. When sharing applications individually (rather than the entire desktop), the windows are managed (whether they are minimized or maximized) independently at the server and the client side.[28] 2ff7e9595c
Comments