RDS TOOLS blog
September 4, 2023
August 11, 2023
RDS, Remote Desktop Services, relies on RDP. For many years, Remote Desktop Protocol (RDP) has been an essential tool for remote access including RDS, allowing users to connect to Windows machines across networks. Ensuring the security of these connexions is paramount to safeguard sensitive data and prevent unauthorised access.
In this article, we delve into the differences between two crucial components of RDP security: RDP Security Layer and the Negotiate setting. We will also discuss TLS and other related security aspects before pointing to some of the great advantages brought by RDS-Tools Advanced Security to any RDS set-up.
RDP operates on a client-server model, enabling users to control remote systems as if they were physically present. The security of RDP connexions involves two distinct aspects: how the connexion is established and how the connexion is secured.
Before initiating a remote desktop connexion, servers and clients must authenticate each other. This process is critical to preventing unauthorised access and reveals perhaps the protocol’s biggest weakness.
In brief, Negotiate and RDP Security Layer are two mechanisms used to achieve this authentication. The third is generally TLS. Security Layer is less secure than TLS, but not all devices support TLS, even though more and more do. Negotiate therefore provides a way for the server to choose between Security Layer and TLS, picking whichever security process is available to both server and client.
RDP Security Layer involves native RDP encryption for securing communications between the client and the RD Session Host server. Security Layer is native and all Windows machines should therefore support it. This method is straightforward and efficient, but it does not provide server authentication. Unfortunately, it is made less secure by this lack of authentication. I expand on why further down.
TLS is the protocol used by HTTPS for encryption. It is the step up from SSL (Secure Sockets Layer). Its function is to check the identity of the server and client before establishing a connexion between them. This prior verification is what makes it so secure compared to Security Layer.
Amidst these, the Negotiate setting is the default for RDP connexions. It enables negotiation between the client and server to determine the most secure authentication method supported by the client. If the client supports Transport Layer Security (TLS), version 1.0 or later, then TLS is used for server authentication. If TLS is not supported, then native RDP encryption is employed, even though server authentication is consequently not performed.
RDP Security Layer uses native RDP encryption to protect data during transmission. However, because it lacks server authentication, it is highly susceptible to man-in-the-middle attacks. Indeed, if the connexion has been established with a malicious party instead of the intended client or server and the connexion is therefore already compromised, no level of encryption will serve as protection.
It may be important to note that using the RDP Security Layer precludes the use of Network Level Authentication (NLA), another more secure connexion method.
As a setting, Negotiate offers potential enhanced security by selecting the most secure authentication method supported by the client. If TLS is available, it is used for server authentication. If not, native RDP encryption is employed. For this setting to provide better security, it is essential to ensure TLS is supported on both the client and server sides.
By setting TLS as the security layer, encryption is guaranteed. Bear in mind the connexion will not be established if TLS is not supported. Some clients may therefore not be able to remotely access certain servers due to one or the other not meeting requirements. Yet, that is a small price to pay for peace of mind.
As you can see, selecting the appropriate security layer depends on your specific needs and environment. For heightened security, I recommend TLS, or at least Negotiate. No surprise that TLS has become generalised. This approach, combining robust encryption with server authentication, minimises vulnerabilities.
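The three settings discussed above (RDP Security Layer, Negotiate and TLS), together with the NLA caveat, correspond on an RD Session Host to two DWORD values under the RDP-Tcp listener key: SecurityLayer (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS) and UserAuthentication (1 = NLA required). The following PowerShell script is an added example, not code from the RDS Tools article or the RDS Advanced Security product; it audits those values, flags the weak combinations the article describes, and optionally enforces TLS with NLA. The -Enforce switch name and the Get-RdpSecurityPosture / Set-RdpTlsWithNla function names are this example's own choices.

```powershell
# Added example (not from the RDS Tools article): audit and optionally enforce the
# RDP security layer and NLA on an RD Session Host. Run in an elevated session.
# Registry values used (documented by Microsoft for the RDP-Tcp listener):
#   SecurityLayer      0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS
#   UserAuthentication 0 = NLA not required,   1 = NLA required
[CmdletBinding()]
param(
    [switch]$Enforce   # assumed switch name: apply TLS + NLA when the host is weak
)

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

$SecurityLayerNames = @{
    0 = 'RDP Security Layer (native RDP encryption, no server authentication)'
    1 = 'Negotiate (TLS if the client supports it, otherwise RDP Security Layer)'
    2 = 'SSL/TLS (TLS required; connection refused if the client lacks it)'
}

function Get-RdpSecurityPosture {
    $props = Get-ItemProperty -Path $RdpTcpKey

    # When the value is absent Windows uses Negotiate, the default the article names.
    $layer = if ($null -eq $props.SecurityLayer) { 1 } else { [int]$props.SecurityLayer }
    $nla   = if ($null -eq $props.UserAuthentication) { 0 } else { [int]$props.UserAuthentication }

    [pscustomobject]@{
        SecurityLayer     = $layer
        SecurityLayerName = $SecurityLayerNames[$layer]
        NlaRequired       = ($nla -eq 1)
        # Weak if the host uses RDP Security Layer (no server authentication, and
        # NLA cannot be used with it) or if it does not require NLA. Negotiate is
        # also flagged, because it silently falls back to RDP Security Layer for
        # clients that do not offer TLS.
        Weak              = ($layer -ne 2) -or ($nla -ne 1)
    }
}

function Set-RdpTlsWithNla {
    # Require TLS as the security layer and NLA for every connection.
    Set-ItemProperty -Path $RdpTcpKey -Name 'SecurityLayer'      -Value 2 -Type DWord
    Set-ItemProperty -Path $RdpTcpKey -Name 'UserAuthentication' -Value 1 -Type DWord
}

$posture = Get-RdpSecurityPosture
$posture | Format-List

if ($posture.Weak) {
    Write-Warning "RDP-Tcp does not require TLS with NLA: $($posture.SecurityLayerName); NLA required = $($posture.NlaRequired)"
    if ($Enforce) {
        Set-RdpTlsWithNla
        Write-Host 'SecurityLayer set to 2 (TLS) and UserAuthentication set to 1 (NLA).'
        Write-Host 'Restart the Remote Desktop Services service (TermService) or reboot so the listener picks up the change.'
    }
}
else {
    Write-Host 'RDP-Tcp already requires TLS with NLA.'
}
```

Run it without parameters first to see the current posture; rerun with -Enforce only once you have confirmed that every client that needs to reach the host supports TLS and NLA, since, as the article notes, a TLS-only listener refuses connections from clients that do not. The same two settings are exposed through Group Policy under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security, where a domain-wide policy is the better long-term control than a per-host script.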
To bolster the security of your RDP connexions, consider implementing these best practices:
These are only some basic guidelines and you will find there are many more ways of strengthening your infrastructure against cyberattacks.
For instance, RDS Advanced Security is our tool for ensuring top-tier security for your Remote Desktop Services (RDS) infrastructure and our comprehensive cybersecurity solution. It is a robust toolbox that combines cutting-edge features to create an impenetrable defence against external threats.
The choice between RDP Security Layer, TLS and Negotiate has significant implications for the security of your remote desktop connexions. While RDP Security Layer offers simplicity and TLS safer communications, the Negotiate method provides a balanced approach by negotiating the most secure authentication method available.
By understanding this and your infrastructure, you are all set to implement the most secure settings for your enterprise. With the addition of the mentioned best practices, now is the time to ensure the safety of your RDP connexions and protect your sensitive data from potential threats. You can secure your RDS infrastructure comprehensively and effortlessly. Safeguard your remote servers with RDS Advanced Security starting with a free trial today.