You can use Windows Server 2003 Terminal Services to access programs in a multiple-user Terminal server environment. Communications between the Terminal Services client computer and the server that has Terminal Services enabled may contain sensitive information. Therefore, you may want to optimize security between the Terminal Services client and the Terminal server. This step-by-step article describes how to secure Terminal Services communications by configuring the Terminal server to require varying degrees of encryption by using the RC4 algorithm.
Many organizations use standardized Internet Protocol security (IPSec) for network security. You can configure IPSec policies on Terminal servers to make sure that IPSec protects all the Terminal Services communications.
This article assumes that you are configuring computers that are a part of a domain structure. If the computer is not part of a domain structure, you may also have to configure encryption and authentication services.
For additional information about troubleshooting IPSec, click the following article number to view the article in the Microsoft Knowledge Base:
257225 Basic IPSec Troubleshooting in Windows 2000
To enable IPSec protection for Terminal Services:
1. Create an IPSec filter list to match the Terminal Services packets.
2. Create an IPSec policy to enforce IPSec protection, and then enable the policy.
3. Enable the Client (respond-only) policy on the Terminal Services clients.
How to Create the IPSec Filter List for Terminal Services Communications
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
3. Click the Manage IP Filter Lists tab, and then click Add.
4. Type terminal services in the Name box, and then type for terminal services connections in the Description box.
5. Click to clear the Use Add Wizard check box, and then click Add.
6. Click the Addressing tab, click My IP Address in the Source address box, and then click Any IP Address in the Destination address box.
   After you complete this step, the filter is applied to outbound packets.
7. Verify that the Mirrored check box is selected.
   If this check box is selected, a packet filter is created to match the inbound packets. You must protect all the IPSec-secured communications in both directions. You cannot have IPSec security in only one direction.
8. Click the Protocol tab, click TCP in the Select a protocol box, and then click From this port.
9. Type 3389 in the From this port box, click To any port, and then click OK.
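The same filter list can also be created from a command prompt with the netsh ipsec static context included in Windows Server 2003. This is an added example, not part of the original article; it assumes the local computer policy store (the store that gpedit.msc edits) and reuses the name, description, addresses and port from the steps above.

```batch
@echo off
rem Added example: command-line equivalent of the filter list steps above.
rem Assumes Windows Server 2003 and the local policy store (the netsh default).

rem Create the empty filter list with the name and description used in the steps.
netsh ipsec static add filterlist name="terminal services" description="for terminal services connections"
if errorlevel 1 goto :failed

rem Add the filter:
rem   srcaddr=Me       -> "My IP Address" in the Source address box
rem   dstaddr=Any      -> "Any IP Address" in the Destination address box
rem   protocol=TCP     -> TCP in the Select a protocol box
rem   srcport=3389     -> "From this port" 3389
rem   dstport=0        -> "To any port" (0 means any port)
rem   mirrored=yes     -> the Mirrored check box, so inbound packets to
rem                       TCP 3389 on this server are matched as well
netsh ipsec static add filter filterlist="terminal services" srcaddr=Me dstaddr=Any protocol=TCP srcport=3389 dstport=0 mirrored=yes
if errorlevel 1 goto :failed

rem Review the result: the verbose listing shows the source and destination
rem addresses, the protocol, both ports and whether the filter is mirrored.
netsh ipsec static show filterlist name="terminal services" level=verbose
goto :eof

:failed
echo Creating the "terminal services" filter list failed. Review the netsh output above.
exit /b 1
```

Check the verbose listing for Mirrored set to YES and a source port of 3389 before you build the IPSec policy on top of this filter list; a filter that is not mirrored matches only one direction of the session.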
Applies to: Microsoft Windows Server 2003, Datacenter Edition (32-bit x86); Microsoft Windows Server 2003, Enterprise Edition (32-bit x86); Microsoft Windows Server 2003, Standard Edition (32-bit x86); Microsoft Windows Server 2003, Web Edition; Microsoft Windows Server 2003, Enterprise x64 Edition; Microsoft Windows Server 2003, 64-Bit Datacenter Edition