HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003 (816521)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
For a Microsoft Windows 2000 version of this article, see the following Knowledge Base article: 315055 HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows 2000
SUMMARY
You can use Windows Server 2003 Terminal Services to access programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled may contain sensitive information. Therefore, you may want to optimize security between the Terminal Services client and the Terminal server. This step-by-step article describes how to secure Terminal Services communications by configuring the Terminal server to require varying degrees of encryption by using the RC4 algorithm. Many organizations use standardized Internet Protocol security (IPSec) for network security. You can configure IPSec policies on Terminal servers to make sure that IPSec protects all the Terminal Services communications.

This article assumes that you are configuring computers that are a part of a domain structure. If the computer is not part of a domain structure, you may also have to configure encryption and authentication services. For additional information about troubleshooting IPSec, click the following article number to view the article in the Microsoft Knowledge Base: 257225 Basic IPSec Troubleshooting in Windows 2000
To enable IPSec protection for Terminal Services:
- Create an IPSec filter list to match the Terminal Services packets.
- Create an IPSec policy to enforce IPSec protection, and then enable the policy.
- Enable the Client (respond-only) policy on the Terminal Services clients.
How to Create the IPSec Filter List for Terminal Services Communications
- Click Start, click Run, type gpedit.msc, and then click OK.
- Expand Computer Configuration, expand Windows Settings, expand Security Settings, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
- Click the Manage IP Filter Lists tab, and then click Add.
- Type terminal services in the Name box, and then type for terminal services connections in the Description box.
- Click to clear the Use Add Wizard check box, and then click Add.
- Click the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box.
  After you complete this step, the filter is applied to outbound packets.
- Verify that the Mirrored check box is selected.
  If this check box is selected, a packet filter is created to match the inbound packets. You must protect all the IPSec-secured communications in both directions. You cannot have IPSec security in only one direction.
- Click the Protocol tab, click TCP in the Select a protocol box, and then click From this port.
- Type 3389 in the From this port box, click To any port, and then click OK.
- Click Close, and then click Close.
How to Create and Enable IPSec Policy to Secure Terminal Services Communications
- Click Start, click Run, type gpedit.msc, and then click OK.
- Right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
- After the IP Security Policy Wizard starts, click Next.
- On the IP Security Policy Name page, type secure terminal services connection in the Name box, and then click Next.
- Click to clear the Activate the default response rule check box, and then click Next.
- On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
- Click the Rules tab, click to clear the Use Add Wizard check box, and then click Add.
- Click the IP Filter List tab, and then click Terminal Services IP Filter List.
- Click the Filter Action tab, and then click Require Security.
- Click Apply, and then click OK.
- Verify that the Terminal Services Filter List check box is selected, and then click Close.
- Right-click the new policy, and then click Assign.
How to Make Sure That Clients Respond to the Terminal Server's Requests for Security
- Click Start, click Run, type gpedit.msc, and then click OK.
- Expand Security Settings in the left pane, right-click the Client (respond only) policy, and then click Assign.
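The three procedures above as a script, using the netsh ipsec static context that ships with Windows Server 2003. This is an added example, not part of the article; the filter list, policy and rule names are the article's, and the show commands at the end are the checks an administrator would run after assigning the policy.

```batch
@echo off
rem Added example: scripted equivalent of the three GUI procedures in this
rem article, using "netsh ipsec static" on Windows Server 2003. Run on the
rem Terminal server as an administrator. Names match the article.

rem 1. Filter list that matches Terminal Services traffic (TCP 3389 on this
rem    host to any address). mirrored=yes also creates the inbound filter:
rem    IPSec cannot protect only one direction. dstport=0 means any port.
netsh ipsec static add filterlist name="terminal services" description="for terminal services connections"
netsh ipsec static add filter filterlist="terminal services" srcaddr=me dstaddr=any protocol=TCP srcport=3389 dstport=0 mirrored=yes

rem 2. Policy with the default response rule cleared (as in the wizard), and
rem    a rule binding the filter list to the built-in "Require Security"
rem    filter action. Kerberos is the default authentication method, which
rem    is why the article assumes the computers are domain members.
netsh ipsec static add policy name="secure terminal services connection" activatedefaultrule=no assign=no
netsh ipsec static add rule name="terminal services" policy="secure terminal services connection" filterlist="terminal services" filteraction="Require Security"
netsh ipsec static set policy name="secure terminal services connection" assign=yes

rem 3. On each Terminal Services client (not on the server), assign the
rem    built-in respond-only policy so the client answers the negotiation:
rem    netsh ipsec static set policy name="Client (Respond Only)" assign=yes

rem Checks: confirm the policy is assigned, then, after a client has
rem connected, confirm that main-mode and quick-mode security associations
rem exist for the 3389 traffic. If a client connects without an SA
rem appearing, the client policy is not assigned or the negotiation failed.
netsh ipsec static show policy name="secure terminal services connection"
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```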
Modification Type: Major | Last Reviewed: 9/24/2003
Keywords: kbSecurityServices kbHOWTOmaster KB816521
©2003 Microsoft Corporation. All rights reserved.