How To Use IPSec Policy to Secure Terminal Services Communications in Windows 2000

You can use Windows 2000 Terminal Services to gain access to programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled can contain sensitive information; therefore, you may want to optimize security between the Terminal Services client and the Terminal server. This step-by-step article describes how to configure the Terminal server to require varying degrees of encryption by using the RC4 algorithm to secure Terminal Services communications.

Many organizations use standardized Internet Protocol security (IPSec) for network security. You can configure IPSec policies on Terminal servers to force all Terminal Services communications to be protected by IPSec.

This article assumes that you are configuring computers that are a part of a domain structure. If the computer is not part of a domain structure, you may also have to configure encryption and authentication services.

For additional information about troubleshooting IPSec, click the article number below to view the article in the Microsoft Knowledge Base: To enable IPSec protection for Terminal Services:

1. Create an IPSec filter list to match Terminal Services packets.
2. Create an IPSec policy to enforce IPSec protection, and then enable the policy.
3. Enable the Client (respond-only) policy on the Terminal Services clients.

How to Create the IPSec Filter List for Terminal Services Communications

1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
2. Click to expand Security Settings, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
3. Click the Manage IP Filter Lists tab, and then click Add.
4. Type terminal services in the Name box, and then type for terminal services connections in the Description box.
5. Click to clear the Use Add Wizard check box, and then click Add .
6. Click the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box.
   
   After you complete this step, the filter is applied to outbound packets.
7. Verify that the Mirrored check box is selected.
   
   If this check box is selected, a packet filter is created to match inbound packets. All IPSec-secured communications must be protected in both directions; you cannot have unidirectional IPSec security.
8. Click the Protocol tab, click TCP in the Select a protocol type box, and then click From this port
9. Type 3389 in the From this port box, click To any port, and then click OK.
10. Click Close, and then click Close.

How to Create and Enable IPSec Policy to Secure Terminal Services Communications

1. Start the Local Security Settings Microsoft Management Console (MMC), right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
2. After the IP Security Policy Wizard starts, click Next.
3. On the IP Security Policy Name page, type secure terminal services connection in the Name box, and then click Next.
4. Click to clear the Activate the default response rule check box, and then click Next.
5. On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
6. Click the Rules tab, click to clear the Use Add Wizard check box, and then click Add.
7. Click the IP Filter List tab, and then click Terminal Services IP Filter List.
8. Click the Filter Action tab, and then click Require Security.
9. Click Apply, and then click OK.
10. Verify that the Terminal Services Filter List check box is selected, and then click Close.
11. Right-click the new policy, and then click Assign.

How to Ensure That Clients Respond to the Terminal Server's Requests for Security

1. Click Start, point to Programs, point to the Administrative Tools, and then click Local Security Policy.
2. Click to expand Security Settings in the left pane, right-click the Client (respond only) policy, and then click Assign.

Troubleshooting

To verify that IPSec is working, use the IPSec Monitor utility.

For additional information about IPSec Monitor, click the article number below to view the article in the Microsoft Knowledge Base: