Microsoft KB Archive/816521

= HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows Server 2003 =

Article ID: 816521

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition

-



For a Microsoft Windows 2000 version of this article, see the following Knowledge Base article:

315055 HOW TO: Use IPSec Policy to Secure Terminal Services Communications in Windows 2000



IN THIS TASK

 * SUMMARY
 * How to Create the IPSec Filter List for Terminal Services Communications
 * How to Create and Enable IPSec Policy to Secure Terminal Services Communications
 * How to Make Sure That Clients Respond to the Terminal Server's Requests for Security



SUMMARY
You can use Windows Server 2003 Terminal Services to access programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled may contain sensitive information. Therefore, you may want to optimize security between the Terminal Services client and the Terminal server. This step-by-step article describes how to secure Terminal Services communications by configuring the Terminal server to require varying degrees of encryption by using the RC4 algorithm.

Many organizations use standardized Internet Protocol security (IPSec) for network security. You can configure IPSec policies on Terminal servers to make sure that IPSec protects all the Terminal Services communications.

This article assumes that you are configuring computers that are a part of a domain structure. If the computer is not part of a domain structure, you may also have to configure encryption and authentication services.

For additional information about troubleshooting IPSec, click the following article number to view the article in the Microsoft Knowledge Base:

257225 Basic IPSec Troubleshooting in Windows 2000

To enable IPSec protection for Terminal Services:
 * 1) Create an IPSec filter list to match the Terminal Services packets.
 * 2) Create an IPSec policy to enforce IPSec protection, and then enable the policy.
 * 3) Enable the Client (respond-only) policy on the Terminal Services clients.

back to the top

How to Create the IPSec Filter List for Terminal Services Communications

 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) Expand Computer Configuration, expand Windows Settings, expand Security Settings, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
 * 3) Click the Manage IP Filter Lists tab, and then click Add.
 * 4) Type terminal services in the Name box, and then type for terminal services connections in the Description box.
 * 5) Click to clear the Use Add Wizard check box, and then click Add.
 * 6) Click the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box.

After you complete this step, the filter is applied to outbound packets.
 * 1) Verify that the Mirrored check box is selected.

If this check box is selected, a packet filter is created to match the inbound packets. You must protect all the IPSec-secured communications in both directions. You cannot have IPSec security in only one direction.
 * 1) Click the Protocol tab, click TCP in the Select a protocol box, and then click From this port.
 * 2) Type 3389 in the From this port box, click To any port, and then click OK.
 * 3) Click Close, and then click Close.

back to the top

How to Create and Enable IPSec Policy to Secure Terminal Services Communications

 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) Right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
 * 3) After the IP Security Policy Wizard starts, click Next.
 * 4) On the IP Security Policy Name page, type secure terminal services connection in the Name box, and then click Next.
 * 5) Click to clear the Activate the default response rule check box, and then click Next.
 * 6) On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
 * 7) Click the Rules tab, click to clear the Use Add Wizard check box, and then click Add.
 * 8) Click the IP Filter List tab, and then click Terminal Services IP Filter List.
 * 9) Click the Filter Action tab, and then click Require Security.
 * 10) Click Apply, and then click OK.
 * 11) Verify that the Terminal Services Filter List check box is selected, and then click Close.
 * 12) Right-click the new policy, and then click Assign.

back to the top

How to Make Sure That Clients Respond to the Terminal Server's Requests for Security

 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) Expand Security Settings in the left pane, right-click the Client (respond only) policy, and then click Assign.

back to the top

Keywords: kbsecurityservices kbhowtomaster KB816521

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.