Enforce network-level authentication
Before the release of Windows Server 2008, to authenticate into Terminal Services -- now Remote Desktop Services -- users had to use the Remote Desktop Client to establish a session with the terminal server. From there, the user would enter his credentials at the Windows login screen. This approach to user authentication seems benign, however, it;s somewhat risky from a security standpoint. After all, a Terminal Services session must actually be established before a user can be authenticated.
Simply establishing a Terminal Services session exposes certain information about the network, such as domain name and the terminal server's name, to the remote desktop client. This also makes it easy for someone to launch a denial-of-service attack against the terminal server, even if the attacker doesn't have a valid set of authentication credentials.
In Windows Server 2008, Microsoft introduced Network Level Authentication. This new security feature requires a user to provide a set of credentials before a session is established, helping make the authentication process more secure.
Enabling enabling Network Level Authentication isn't that difficult, but certain prerequisites must be met. The terminal servers must have either Windows Server 2008 or Windows Server 2008 R2, and the client computers must have Windows XP with Service Pack 3 or higher, Vista, or Windows 7. The client computers must also be running Version 6.0 or higher of the Remote Desktop client.
There are several different methods for configuring Terminal Services to require network-level authentication. You can enable Network Level Authentication during the initial Terminal Services role installation, or you can manually enable it through the Terminal Services Configuration console by right-clicking on the connection used by your clients, choosing the Properties command from the shortcut menu, and then selecting the "Allow connections only from computers running Remote Desktop with Network Level Authentication" option. However, generally, a better practice would be to enable network-level authentication by enabling a Group Policy object.
To do so, open the Group Policy Object Editor and choose the policy you want to edit. Navigate through the console tree to Computer Configuration | Administrative Templates | Windows Components | Terminal Services | Terminal Server | Security and enable the Require user authentication for remote connections by using Network Level Authentication setting, as shown in Figure 1.
Changing the RDP Port
By default, Terminal Services uses Port 3389 for Remote Desktop Protocol (RDP) traffic. Since this has been the case for a long time, most hackers know if they want to break into your terminal server, they can establish a session through this port. Therefore, changing the RDP port number is one of the most effective ways to improve security.
But be aware that this technique requires you to edit the Windows registry. Making registry modifications is dangerous, and making a mistake can destroy Windows. Therefore, I recommend making a full system backup before attempting this procedure.
Pick out the new port number you want to use, and convert that number to hexadecimal format. If you are a little rusty on decimal-to-hexadecimal conversions, the calculator that comes with Windows can help.
Once you know the hexadecimal value for the port number , open the Registry Editor on your terminal server and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Terminal Server\WinStations\RDP-TCP. Double-click on the Port Number key and replace the existing value with the hexadecimal representation of the port number that you have chosen.
Note that after you change the default port number, you need to make your Remote Desktop clients aware of the new number. The easiest way to do this is by appending the new port number to the IP address on the connection screen. For example, suppose you have a terminal server named "TS.lab.com," and its IP address is 18.104.22.168. Let's also assume you changed the port number to 5678 (this is a random number, not a recommendation). Rather than entering the terminal server's fully qualified domain name (TS.lab.com) into the Computer field on the Remote Desktop client, you could enter the terminal server's IP address followed by a colon and the port number (22.214.171.124:5678).
Although Windows Terminal Services has always been considered to be relatively secure, certain things can be done to make it even more secure. These steps should help you enforce network-level authentication use and change the default RDP port.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.
This was first published in March 2010