Windows NT "Certificate" property & Connect security

  • Thread starter: Dmitry N.Ananyev
Re: "Certificate" property & Connect security

I think you misunderstood this feature. It is called _server_
authentication and provides a means for a TS client to verify a
server's identity by means of a digital certificate installed on the
server, and the server only.

If you want to restrict the number of users who are able to log on to
a TS then configure membership in the group "Remote Desktop Users" on
the TS accordingly.

I hope this helps.

Helge

On 16 Aug., 13:39, "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote:
> I added "Server Authentication Certificate" to my Terminal Service
>
> like there http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-...
>
> but remote users without any "Certificates" can connect to my Terminal Server with message - "Terminal Server have certificate - Ignore?" :-)
>
> But I want that remote users without "secret Certificate" can not connect to Terminal Service.
>
> Is it possible?
>
> Thanks.
 
Check if this helps:

How to secure remote desktop connections using TLS/SSL based
authentication
http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"Dmitry N.Ananyev" <dtc.98@relcom.ru> wrote on 16 aug 2007 in
microsoft.public.windows.terminal_services:

> I added "Server Authentication Certificate" to my Terminal
> Service
>
> like there
> http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>
> but remote users without any "Certificates" can connect to my
> Terminal Server with message - "Terminal Server have certificate
> - Ignore?" :-)
>
> But I want that remote users without "secret Certificate" can
> not connect to Terminal Service.
>
> Is it possible?
>
> Thanks.
 
Re: "Certificate" property & Connect security

Vera, I admit I did not know of that article but I was troubled to
have misunderstood the Server Authentication feature of terminal
services. I just read the article you mentioned and think the method
described there has a serious flaw. By design a TLS or SSL server
certificate can only be used to enable a client to verify the server's
identity. If client authentication is desired then (normally) client
certificates are used - but terminal services do not support that.

The "hack" described in the article only works if the client does not
trust the CA that issued the TS certificate. While this might be a
workaround it is by no means secure - a user would just have to copy
the server certificate from a co-worker's PC and be granted access to
the TS. Also, in larger organizations, there tends to be an enterprise-
wide CA/PKI in place and thus the root CA would be available to all
computers.

I hope this does not sound like gibberish. I still think there is no
"clean" solution to TS client authentication - maybe there are third-
party tools around that do the job.

Helge

==================
Please visit my blog:
http://it-from-inside.blogspot.com
==================

On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
> Check if this helps:
>
> How to secure remote desktop connections using TLS/SSL based
> authentication
> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
> _________________________________________________________
> Vera Noest
> MCSE, CCEA, Microsoft MVP - Terminal Server
> TS troubleshooting: http://ts.veranoest.net
> ___ please respond in newsgroup, NOT by private email ___
>
> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in
> microsoft.public.windows.terminal_services:
>
> > I added "Server Authentication Certificate" to my Terminal
> > Service
> >
> > like there
> > http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
> >
> > but remote users without any "Certificates" can connect to my
> > Terminal Server with message - "Terminal Server have certificate
> > - Ignore?" :-)
> >
> > But I want that remote users without "secret Certificate" can
> > not connect to Terminal Service.
> >
> > Is it possible?
> >
> > Thanks.
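The two points Helge makes in his replies (a TLS certificate on the TS can only prove the server's identity, and access is restricted through the "Remote Desktop Users" group) can be checked on the server itself. The following PowerShell audit script is an added example and not part of the thread: it reads the RDP-Tcp listener's security layer, NLA flag and configured certificate from the WMI class Win32_TSGeneralSetting, prints that certificate's Enhanced Key Usage so you can see it carries Server Authentication (1.3.6.1.5.5.7.3.1) rather than Client Authentication, and compares the local "Remote Desktop Users" membership with an approved list. The $ApprovedMembers variable and its CONTOSO\RDP-Allowed entry are constructed placeholders; the script assumes an elevated session on the terminal server and PowerShell 5.1 or later for Get-LocalGroupMember.

```powershell
# Added audit script (not from the thread). Assumes: elevated session on the
# terminal server, PowerShell 5.1+ (Get-LocalGroupMember), RDP-Tcp listener.
# $ApprovedMembers is a constructed placeholder: replace with your own list.
$ApprovedMembers = @('CONTOSO\RDP-Allowed')

# 1. Listener settings: which security layer and whether NLA is enforced.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL)
# UserAuthenticationRequired: 1 = Network Level Authentication required
"Security layer        : $($ts.SecurityLayer)"
"NLA required          : $($ts.UserAuthenticationRequired)"

# 2. The certificate the listener presents, and its Enhanced Key Usage.
$thumb = $ts.SSLCertificateSHA1Hash
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if ($cert) {
    "Presented certificate : $($cert.Subject) ($thumb)"
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    foreach ($eku in $ekuExt.EnhancedKeyUsages) {
        "  EKU: $($eku.FriendlyName) ($($eku.Value))"
    }
    # 1.3.6.1.5.5.7.3.1 (Server Authentication) lets clients verify the
    # server; it never lets the server verify which client is connecting.
} else {
    "No certificate with thumbprint '$thumb' found in LocalMachine\My"
}

# 3. Who may actually log on: membership of the local RDP group.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
           Select-Object -ExpandProperty Name
$unexpected = $members | Where-Object { $ApprovedMembers -notcontains $_ }
if ($unexpected) {
    "Remote Desktop Users members not on the approved list:"
    $unexpected | ForEach-Object { "  $_" }
} else {
    "Remote Desktop Users membership matches the approved list."
}
```

Run it from an elevated PowerShell prompt on the terminal server. The EKU listing is the part that answers the original question: whatever certificate is bound to the listener, its usage is server authentication, so the only enforcement point for who can connect is step 3 (group membership), optionally combined with NLA.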
 
Re: "Certificate" property & Connect security

I agree the article does not work.

> The "hack" described in the article only works if the client does not
> trust the CA that issued the TS certificate.


What is the "article's hack" ?
*****
Here's what you need to do. Per default, the certificate trust list can be
found in %systemroot%\system32\certsrv\CertEnroll and the file has the .CRT
extension. This is also the file being downloaded, when you click on the
"Download Certificate Trust Lists" on the web interface for Microsoft
Certificate Services. Simply move the file to a protected location or ensure
that only trusted users are allowed to read the CRT file.
*****

1) After I removed these files, they were restored automatically after restarting the
CA.
2) In all cases, even with the .CRT removed, the TS client connects, views the
certificate, and installs it successfully.
Maybe it trusted it earlier :-)

Dmitry

PS.
I am thinking about another way to restrict clients: may I use IPsec only
for TS and not for remote Web IIS users?
 
Re: "Certificate" property & Connect security

Helge,
I think that you are absolutely right.
I was confused as well by the article, because, like you, I had
always understood that TLS only provides for server authentication,
not client authentication.
To be honest, I didn't read the article carefully enough, and I
assume that the author knew better, given the site that hosted the
article.
Sorry for referring to misleading information!

_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
*----------- Please reply in newsgroup -------------*

Helge Klein <Helge.Klein@googlemail.com> wrote on 16 aug 2007:

> Vera, I admit I did not know of that article but I was troubled
> to have misunderstood the Server Authentication feature of
> terminal services. I just read the article you mentioned and
> think the method described there has a serious flaw. By design a
> TLS or SSL server certificate can only be used to enable a
> client to verify the server's identity. If client authentication
> is desired then (normally) client certificates are used - but
> terminal services do not support that.
>
> The "hack" described in the article only works if the client
> does not trust the CA that issued the TS certificate. While this
> might be a workaround it is by no means secure - a user would
> just have to copy the server certificate from a co-worker's PC
> and be granted access to the TS. Also, in larger organizations,
> there tends to be an enterprise- wide CA/PKI in place and thus
> the root CA would be available to all computers.
>
> I hope this does not sound like gibberish. I still think there
> is no "clean" solution to TS client authentication - maybe there
> are third- party tools around that do the job.
>
> Helge
>
> ==================
> Please visit my blog:
> http://it-from-inside.blogspot.com
> ==================
>
> On 16 Aug., 22:16, "Vera Noest [MVP]" <vera.no...@remove-this.hem.utfors.se> wrote:
>> Check if this helps:
>>
>> How to secure remote desktop connections using TLS/SSL based
>> authentication
>> http://www.windowsecurity.com/articles/Secure-remote-desktop-connections-TLS-SSL-based-authentication.html
>> _________________________________________________________
>> Vera Noest
>> MCSE, CCEA, Microsoft MVP - Terminal Server
>> TS troubleshooting: http://ts.veranoest.net
>> ___ please respond in newsgroup, NOT by private email ___
>>
>> "Dmitry N.Ananyev" <dtc...@relcom.ru> wrote on 16 aug 2007 in
>> microsoft.public.windows.terminal_services:
>>
>> > I added "Server Authentication Certificate" to my Terminal
>> > Service
>> >
>> > like there
>> > http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
>> >
>> > but remote users without any "Certificates" can connect to my
>> > Terminal Server with message - "Terminal Server have
>> > certificate - Ignore?" :-)
>> >
>> > But I want that remote users without "secret Certificate" can
>> > not connect to Terminal Service.
>> >
>> > Is it possible?
>> >
>> > Thanks.
 