Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003

HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003

For a Microsoft Windows 2000 version of this article, see the following Knowledge Base article:
315055 HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows 2000

↑ Back to the top

Summary

You can use Windows Server 2003 Terminal Services to access programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled may contain sensitive information. Therefore, you may want to optimize security between the Terminal Services client and the Terminal server. This step-by-step article describes how to secure Terminal Services communications by configuring the Terminal server to require varying degrees of encryption by using the RC4 algorithm.

Many organizations use standardized Internet Protocol security (IPSec) for network security. You can configure IPSec policies on Terminal servers to make sure that IPSec protects all the Terminal Services communications.

This article assumes that you are configuring computers that are a part of a domain structure. If the computer is not part of a domain structure, you may also have to configure encryption and authentication services.

For additional information about troubleshooting IPSec, click the following article number to view the article in the Microsoft Knowledge Base:
257225 Basic IPSec Troubleshooting in Windows 2000


To enable IPSec protection for Terminal Services:
  1. Create an IPSec filter list to match the Terminal Services packets.
  2. Create an IPSec policy to enforce IPSec protection, and then enable the policy.
  3. Enable the Client (respond-only) policy on the Terminal Services clients.
back to the top

How to Create the IPSec Filter List for Terminal Services Communications

  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
  3. Click the Manage IP Filter Lists tab, and then click Add.
  4. Type terminal services in the
    Name box, and then type for terminal services connections in the Description box.
  5. Click to clear the Use Add Wizard check box, and then click Add.
  6. Click the Addressing tab, click My IP Address in the Source address box, and then click
    Any IP Address in the Destination addressbox.

    After you complete this step, the filter is applied to outbound packets.
  7. Verify that the Mirrored check box is selected.

    If this check box is selected, a packet filter is created to match the inbound packets. You must protect all the IPSec-secured communications in both directions. You cannot have IPSec security in only one direction.
  8. Click the Protocol tab, click
    TCP in the Select a protocol box, and then click From this port .
  9. Type 3389 in the From this port box, click To any port, and then click
    OK.
  10. Click Close, and then click
    Close.
back to the top

How to Create and Enable IPSec Policy to Secure Terminal Services Communications

  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
  3. After the IP Security Policy Wizard starts, click
    Next.
  4. On the IP Security Policy Name page, type
    secure terminal services connection in the
    Name box, and then click Next.
  5. Click to clear the Activate the default response rule check box, and then click Next.
  6. On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
  7. Click the Rules tab, click to clear the
    Use Add Wizard check box, and then click Add.
  8. Click the IP Filter List tab, and then click Terminal Services IP Filter List.
  9. Click the Filter Action tab, and then click Require Security.
  10. Click Apply, and then click
    OK .
  11. Verify that the Terminal Services Filter List check box is selected, and then click Close.
  12. Right-click the new policy, and then click
    Assign.
back to the top

How to Make Sure That Clients Respond to the Terminal Server's Requests for Security

  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Expand Security Settings in the left pane, right-click the Client (respond only) policy, and then click
    Assign.
back to the top

↑ Back to the top

Keywords: kb, kbhowtomaster, kbsecurityservices, kbbillprodsweep

↑ Back to the top

Article Info
Article ID : 816521
Revision : 6
Created on : 8/20/2020
Published on : 8/20/2020
Exists online : False
Views : 119