HOW TO: Secure Communication Between a Client and Server with Terminal Services

For a Microsoft Windows 2000 version of this article, see 306561.



This step-by-step article describes how to secure communications between a client computer and a server by using Windows Server 2003 Terminal Services.

Windows Server 2003 Terminal Services supports four levels of encryption: Low, Client Compatible, FIPS Compliant, and High. The following list describes what the encryption levels do:
  • Low: This level encrypts data sent from the client to the server using 56-bit encryption, helps secure the user logon information and data that is sent to the server, but does not encrypt the data that is sent from the server to the client. Microsoft recommends that you use this encryption level in an intranet environment.
  • Client Compatible: This level encrypts data sent between the client and the server at the maximum key strength that the client supports. Use this level when the terminal server runs in an environment that contains mixed or earlier-version clients.
  • FIPS Compliant: This level encrypts and decrypts data sent from a client to the server and from the server to a client with the Federal Information Processing Standard (FIPS) encryption algorithms by using the Microsoft cryptographic modules.
  • High: By default, Windows Server 2003 uses this level of encryption. High encryption encrypts the data transmission in both directions by using a 128-bit key. Microsoft recommends that you use this encryption level if the network is not secure and is located in North America. Use this level when the terminal server runs in an environment that contains 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption cannot connect.

To Secure Communications

To modify the encryption setting:
  1. Click Start, point to Administrative Tools, and then click Terminal Services Configuration.
  2. In the left pane, click Connections, and then double-click the connection whose encryption level you want to change.
  3. Click General.
  4. In the Encryption level box, click the appropriate encryption level, and then click OK.
Note: The new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.
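
To confirm the result of the procedure above on every connection at once, the following PowerShell audit lists each connection's encryption level and flags any below High. It is an added example, not part of the original article. Assumptions not stated in the article: the level is stored as the MinEncryptionLevel registry value under the WinStations key (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant), a Group Policy value of the same name takes precedence when present, and Get-TsEncryptionLevel is a helper name chosen for this example.

```powershell
# Added example: audit the Terminal Services encryption level per connection.
# Assumption (not from the article): the level is stored as MinEncryptionLevel,
# with the numeric values mapping to the four levels named in the article.
$levelNames  = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$winStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Hypothetical helper: returns the numeric level stored in a key, or $null if unset.
function Get-TsEncryptionLevel {
    param([string]$KeyPath)
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    $value = $props.PSObject.Properties['MinEncryptionLevel']
    if ($value) { return [int]$value.Value }
    return $null
}

# Assumption: a level set through Group Policy overrides the per-connection setting.
$policyLevel = Get-TsEncryptionLevel $policyKey

Get-ChildItem -Path $winStations | ForEach-Object {
    $configured = Get-TsEncryptionLevel $_.PSPath
    if ($configured -eq $null) { return }   # entry carries no encryption setting

    $effective = if ($policyLevel -ne $null) { $policyLevel } else { $configured }

    New-Object PSObject -Property @{
        Connection = $_.PSChildName
        Configured = $levelNames[$configured]
        Effective  = $levelNames[$effective]
        # Low leaves server-to-client traffic unencrypted and Client Compatible
        # negotiates down to what the client supports, so flag both for review.
        BelowHigh  = ($effective -lt 3)
    }
} | Format-Table Connection, Configured, Effective, BelowHigh -AutoSize
```

Run it from an administrative PowerShell session on the terminal server; because a changed level applies only at the next logon, sessions that were already connected keep the level they negotiated.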



For additional information about Terminal Services in Windows Server 2003, click the following article numbers to view the articles in the Microsoft Knowledge Base:
814585 HOW TO: Connect Clients to Terminal Services in Windows Server 2003

814593 HOW TO: Deactivate or Reactivate a License Server By Using Terminal Services Licensing