3

My client failed her PCI compliance audit. The server supports Remote Desktop (Terminal Service) but only provides encryption and not authentication. This exposes the server to Man-In-The-Middle attacks.

The supposed solution is to force SSL as the transport layer for RDP.

Anyone know how to do this?

The server runs Windows 2003.

Crashalot
  • 167
  • 3
  • 11

3 Answers

5

http://support.microsoft.com/kb/895433

If the server has a cert from a trusted CA / Enterprise CA, skip to the section:

Step 2: Configure TLS authentication and encryption

Skyhawk
  • 14,149
  • 3
  • 52
  • 95
  • Hi yummy, I installed an SSL certificate using the following instructions, http://support.microsoft.com/kb/816794#3, but the certificate does not appear when I click "edit" from the "RDP-tcp Properties" dialog (when specifying a certificate for the SSL connection). Any clues? – Crashalot Apr 13 '10 at 20:28
1

Upgrade to Windows Server 2008. Seriously - new RDP protocol, and TLS security is standard (at least I always get asked about whether to accept the unknown certificate between our domains - I have two domains that are not otherwise linked).

TomTom
  • 50,857
  • 7
  • 52
  • 134
1

This is exactly what the addition of Network Level Authentication to RDP solves. I believe MS added it in Server 2008.

EEAA
  • 108,414
  • 18
  • 172
  • 242
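To confirm the fix from the outside (which is roughly what the PCI scanner does), here is an added example, not code from this thread or from Microsoft: a Python probe that sends the RDP client's X.224 Connection Request carrying an rdpNegReq, first offering TLS and NLA (the security layers discussed in the first and third answers) and then offering only standard RDP security, and decodes the server's Connection Confirm. A server forced to the SSL security layer answers the second offer with an rdpNegFailure (SSL_REQUIRED_BY_SERVER); a server left on "Negotiate", or one that predates the negotiation and returns a bare Connection Confirm, still accepts encryption-only RDP, which is exactly the audit finding. The host argument, the port default and all sample responses are assumptions constructed for the example.

```python
"""Probe whether an RDP endpoint negotiates TLS and refuses standard RDP security.

Added example, not code from the thread. It implements the X.224 Connection
Request / Confirm exchange (MS-RDPBCGR 2.2.1.1 and 2.2.1.2) that an RDP client
sends before any TLS handshake; the sample responses below are constructed.
"""
import socket
import struct

PROTOCOL_RDP = 0x00000000       # standard RDP security: encryption only, no server authentication
PROTOCOL_SSL = 0x00000001       # TLS; the server is authenticated by its certificate
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. Network Level Authentication (Server 2008 and later)

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
# Failure codes that mean the server refused to fall back to standard RDP security.
REFUSES_PLAIN_RDP = {"SSL_REQUIRED_BY_SERVER", "HYBRID_REQUIRED_BY_SERVER",
                     "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an rdpNegReq for the given protocol mask."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req   # CR code, dst-ref, src-ref, class
    x224 = struct.pack("B", len(x224_body)) + x224_body          # length indicator first
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224       # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and its optional rdpNegRsp / rdpNegFailure."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a well-formed TPKT frame")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0 or len(data) != 5 + li:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:
        # No negotiation structure at all: a server that only speaks standard RDP security.
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP}
    ntype, flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "selected_protocol": value, "flags": flags}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "failure": FAILURE_CODES.get(value, hex(value))}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def assess(tls_offer: dict, rdp_only_offer: dict) -> str:
    """Verdict from two probes: one offering TLS/NLA, one offering only standard RDP security."""
    if "failure" in tls_offer:
        return "FAIL: server rejected the TLS offer (%s)" % tls_offer["failure"]
    if not tls_offer["selected_protocol"] & (PROTOCOL_SSL | PROTOCOL_HYBRID):
        return "FAIL: server does not negotiate TLS (encryption only, no server authentication)"
    if rdp_only_offer.get("failure") in REFUSES_PLAIN_RDP:
        layer = "NLA" if tls_offer["selected_protocol"] & PROTOCOL_HYBRID else "TLS"
        return "PASS: %s negotiated and standard RDP security refused (%s)" % (layer, rdp_only_offer["failure"])
    if "failure" in rdp_only_offer:
        return "FAIL: unexpected negotiation failure (%s)" % rdp_only_offer["failure"]
    return "FAIL: TLS available but standard RDP security still accepted (downgrade possible)"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during negotiation")
        buf += chunk
    return buf


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Run both offers against a live server (one TCP connection each) and return the verdict."""
    results = []
    for offered in (PROTOCOL_SSL | PROTOCOL_HYBRID, PROTOCOL_RDP):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request(offered))
            header = _recv_exact(sock, 4)
            total = struct.unpack(">H", header[2:4])[0]
            results.append(parse_connection_confirm(header + _recv_exact(sock, total - 4)))
    return assess(*results)


# Constructed sample Connection Confirms (assumptions for the example, not captured traffic).
SAMPLE_TLS_SELECTED = bytes.fromhex("030000130ed000001234000200080001000000")   # rdpNegRsp: PROTOCOL_SSL
SAMPLE_NLA_SELECTED = bytes.fromhex("030000130ed000001234000200080002000000")   # rdpNegRsp: PROTOCOL_HYBRID
SAMPLE_SSL_REQUIRED = bytes.fromhex("030000130ed000001234000300080001000000")   # rdpNegFailure: code 1
SAMPLE_LEGACY_NO_NEG = bytes.fromhex("0300000b06d00000123400")                   # bare CC, no negotiation

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))   # e.g. python rdp_probe.py 192.0.2.10
    else:
        print(assess(parse_connection_confirm(SAMPLE_TLS_SELECTED), parse_connection_confirm(SAMPLE_SSL_REQUIRED)))
        print(assess(parse_connection_confirm(SAMPLE_LEGACY_NO_NEG), parse_connection_confirm(SAMPLE_LEGACY_NO_NEG)))
```

The probe only checks the negotiated security layer; it stops before the TLS handshake, so it says nothing about whether the certificate chains to a CA the clients trust, which is the part the comment above about the certificate not appearing in "RDP-tcp Properties" is really about. Expect a PASS only after the security layer is set to SSL, not Negotiate: with Negotiate the second offer succeeds and the server is still exposed to the downgrade the audit flagged.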