My client failed her PCI compliance audit. The server supports Remote Desktop (Terminal Service) but only provides encryption and not authentication. This exposes the server to Man-In-The-Middle attacks.

The supposed solution is to force SSL as the transport layer for RDP.

Anyone know how to do this?

The server runs Windows 2003.

A: 

You might get a better answer on SuperUser, but here's the first Google hit. It at least looks intelligible.

ig0774
Thanks for the answer! I gave Michael the right answer because he provided helpful commentary in addition to reviewing the instructions in the link you provided.
Crashalot
Hi ig0774, I installed an SSL certificate using the following instructions, http://support.microsoft.com/kb/816794#3. But the certificate does not appear when I click "edit" from the "RDP-tcp Properties" dialog (when specifying a certificate for the SSL connection). Any clues?
Crashalot
A: 

The 'old' RDP indeed does not perform authentication, but I'd be careful using SelfSSL proposed in the link sent by @ig0774 (the rest of the data in the link is correct!). If authentication is what you care about, then have your client get a real server authentication SSL/TLS certificate from VeriSign or Thawte or someone else listed in the list of Windows trusted CAs.

I somehow doubt PCI will allow self-signed certs. But I'm happy to stand corrected!

Michael Howard-MSFT
Hi Michael, I installed an SSL certificate using the following instructions, http://support.microsoft.com/kb/816794#3. But the certificate does not appear when I click "edit" from the "RDP-tcp Properties" dialog (when specifying a certificate for the SSL connection). Any clues?
Crashalot
Where did you get the cert from? Is it from a trusted cert authority? If not, you will need to copy the cert or the issuer's cert to your cert store. Normally, double-clicking on the cert will add it to the correct store in Windows. Lemme know.
Michael Howard-MSFT
The cert is from a trusted cert authority (RapidSSL). We use it for SSL purposes to encrypt transactions for the web server. However, the cert won't appear in the "RDP-tcp Properties" dialog, even though I followed the instructions for importing into the personal store for the server. Any clues?
Crashalot
It looks like RapidSSL is a subordinate CA to GeoTrust, which is supported in Windows by default, but you should double check by going here https://www.rapidssl.com/test/rapidssl.htm - if you get no errors then the root CA cert is installed. If it is, are you sure the TS server is set up for SSL/TLS? http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
Michael Howard-MSFT
Michael Howard-MSFT
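The checks discussed in this thread (is the RDP-Tcp listener actually on the SSL security layer, which certificate is bound to it, and why a freshly imported certificate might not show up in the "RDP-tcp Properties" dialog), as an added audit script that is not part of the original question or answers. It assumes PowerShell is installed on the server, that the `root\cimv2\TerminalServices` WMI namespace with `Win32_TSGeneralSetting` is available (it was introduced with Windows Server 2003; the `SetSecurityLayer` call at the end is an assumption for that release), and that the registry path below is the one the dialog writes to.

```powershell
# Added example, not from the thread. Read-only unless you run the last function.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# A certificate only appears in the RDP-Tcp dialog if it sits in the Local
# Computer Personal store, has its private key, carries the Server
# Authentication EKU and chains to a trusted root. Check all four.
function Test-RdpCertificateEligible {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    return [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = ($ekus -contains $ServerAuthOid)
        ChainsToRoot  = $Cert.Verify()          # builds a chain with the machine's trusted roots
    }
}

function Get-RdpListenerSecurity {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $layers = @{ 0 = 'RDP Security Layer (no server authentication)'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
    $levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
    # The bound certificate is stored as a REG_BINARY SHA-1 thumbprint on the listener key.
    $raw = (Get-ItemProperty -Path $RdpTcpKey -ErrorAction SilentlyContinue).SSLCertificateSHA1Hash
    $bound = if ($raw) { ($raw | ForEach-Object { $_.ToString('X2') }) -join '' } else { '<none>' }
    return [pscustomobject]@{
        SecurityLayer      = "$($ts.SecurityLayer) - $($layers[[int]$ts.SecurityLayer])"
        MinEncryptionLevel = "$($ts.MinEncryptionLevel) - $($levels[[int]$ts.MinEncryptionLevel])"
        BoundThumbprint    = $bound
    }
}

# Force the listener onto SSL/TLS (the "supposed solution" in the question); only do
# this after an eligible certificate is bound, or remote sessions will stop negotiating.
function Set-RdpListenerSsl {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts.SetSecurityLayer(2) | Out-Null     # 2 = SSL, 1 = Negotiate, 0 = RDP Security Layer
    $ts.SetEncryptionLevel(3) | Out-Null   # 3 = High; 4 = FIPS if the audit requires it
}

Get-RdpListenerSecurity | Format-List
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-RdpCertificateEligible $_ } | Format-Table -AutoSize
```

A certificate that shows `HasPrivateKey = False` was typically exported as .cer/.crt rather than .pfx, and one with `ChainsToRoot = False` points at the missing intermediate (GeoTrust, in the RapidSSL case above) rather than at the listener configuration.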