There are two aspects of security you should be aware of: how the connection is established and how the connection is protected. There are two different modes for securing the establishment of a Remote Desktop connection: Legacy mode (I don't think it has a name) and Network Level Authentication (NLA). When you enable Remote Desktop you can choose whether to allow only NLA connections or to also allow connections in the older legacy mode.
NLA mode is much more secure and gives people far less opportunity to capture data or intercept the connection while it is being established, because the user is authenticated (through CredSSP) before the server creates a session, instead of the server presenting its logon screen to an unauthenticated client.
For the connection itself there are many fine-tuning settings, and they are defined by the server. The help file summarizes them much better than I can, so I'll just quote it.
Configure Server Authentication and Encryption Levels
By default, Remote Desktop Services sessions are configured to negotiate the encryption level from the client to the RD Session Host server. You can enhance the security of Remote Desktop Services sessions by requiring the use of Transport Layer Security (TLS) 1.0. TLS 1.0 verifies the identity of the RD Session Host server and encrypts all communication between the RD Session Host server and the client computer. The RD Session Host server and the client computer must be correctly configured for TLS to provide enhanced security.
Note: For more information about RD Session Host, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (http://go.microsoft.com/fwlink/?LinkId=140438).
Three security layers are available.
- SSL (TLS 1.0) - SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
- Negotiate - This is the default setting. The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used.
- RDP Security Layer - Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.
A certificate, used to verify the identity of the RD Session Host server and encrypt communication between the RD Session Host and the client, is required to use the TLS 1.0 security layer. You can select a certificate that you have installed on the RD Session Host server, or you can use a self-signed certificate.
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
Four encryption levels are available.
- FIPS Compliant - This level encrypts and decrypts data sent from the client to the server and from the server to the client by using Federal Information Processing Standard (FIPS) 140-1 validated encryption methods. Clients that do not support this level of encryption cannot connect.
- High - This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. Use this level when the RD Session Host server is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.
- Client Compatible - This is the default setting. This level encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this level when the RD Session Host server is running in an environment containing mixed or legacy clients.
- Low - This level encrypts data sent from the client to the server by using 56-bit encryption. Data sent from the server to the client is not encrypted.
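The settings described above (NLA, the security layer, the minimum encryption level and the server certificate) all live on the RDP-Tcp listener and can be audited and enforced from an elevated PowerShell on the RD Session Host. The script below is an added example, not code from the original post or from Microsoft's documentation. It uses the real `Win32_TSGeneralSetting` WMI class and its `SetSecurityLayer`, `SetEncryptionLevel` and `SetUserAuthenticationRequired` methods, with the numeric value meanings listed in the comments; the wrapper function names, the `$Thumbprint` parameter and the choice to bind the certificate with `Set-CimInstance` are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Microsoft's documentation).
# Audits and hardens the RDP-Tcp listener on an RD Session Host through the
# Win32_TSGeneralSetting WMI class. Value meanings on that class:
#   SecurityLayer:              0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
#   MinEncryptionLevel:         1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
#   UserAuthenticationRequired: 0 = legacy-mode logon allowed, 1 = NLA required
# Function names and the $Thumbprint parameter are this example's own choices.

$Namespace            = 'root/cimv2/TerminalServices'
$SecurityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpListener {
    # The listener object every other function operates on.
    Get-CimInstance -Namespace $Namespace -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpSecurityState {
    $ts = Get-RdpListener
    [pscustomobject]@{
        # Cast to [int]: the WMI properties are UInt32 and would not match the Int32 hashtable keys.
        SecurityLayer      = $SecurityLayerNames[[int]$ts.SecurityLayer]
        MinEncryptionLevel = $EncryptionLevelNames[[int]$ts.MinEncryptionLevel]
        NlaRequired        = ($ts.UserAuthenticationRequired -eq 1)
        # An empty hash means the listener is using its auto-generated self-signed certificate.
        CertificateHash    = if ($ts.SSLCertificateSHA1Hash) { $ts.SSLCertificateSHA1Hash } else { '(self-signed)' }
    }
}

function Test-RdpHardened {
    # Returns a list of findings; an empty list means the listener meets the target.
    $ts = Get-RdpListener
    $findings = @()
    if ($ts.SecurityLayer -ne 2) {
        $findings += "SecurityLayer is $($SecurityLayerNames[[int]$ts.SecurityLayer]); expected SSL (TLS)"
    }
    if ($ts.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel is $($EncryptionLevelNames[[int]$ts.MinEncryptionLevel]); expected High or FIPS Compliant"
    }
    if ($ts.UserAuthenticationRequired -ne 1) {
        $findings += 'NLA is not required; legacy-mode connections are accepted'
    }
    if (-not $ts.SSLCertificateSHA1Hash) {
        $findings += 'Listener uses a self-signed certificate; clients cannot verify the server identity'
    }
    return $findings
}

function Invoke-RdpSetting($ts, [string]$Method, [hashtable]$Arguments) {
    # WMI methods report failure through ReturnValue rather than by throwing.
    $r = Invoke-CimMethod -InputObject $ts -MethodName $Method -Arguments $Arguments
    if ($r.ReturnValue -ne 0) { throw "$Method failed with return code $($r.ReturnValue)" }
}

function Set-RdpHardened {
    param(
        # SHA-1 thumbprint of a certificate in Cert:\LocalMachine\My whose subject or SAN
        # matches the name clients connect to. Omit to keep the current certificate.
        [string]$Thumbprint,
        [ValidateSet(3, 4)][int]$MinEncryptionLevel = 3
    )
    $ts = Get-RdpListener

    # Order matters: NLA cannot be enabled while the listener is on the RDP Security Layer,
    # so move to TLS first, then raise the encryption floor, then require NLA.
    Invoke-RdpSetting $ts 'SetSecurityLayer'              @{ SecurityLayer = [uint32]2 }
    Invoke-RdpSetting $ts 'SetEncryptionLevel'            @{ MinEncryptionLevel = [uint32]$MinEncryptionLevel }
    Invoke-RdpSetting $ts 'SetUserAuthenticationRequired' @{ UserAuthenticationRequired = [uint32]1 }

    if ($Thumbprint) {
        $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
        if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; the listener cannot use it." }
        # Bind the certificate. NETWORK SERVICE must be able to read its private key,
        # otherwise the listener silently falls back to the self-signed certificate.
        $ts = Get-RdpListener
        $ts.SSLCertificateSHA1Hash = $cert.Thumbprint
        Set-CimInstance -InputObject $ts
    }
    Get-RdpSecurityState
}

# Usage:
#   Get-RdpSecurityState
#   Test-RdpHardened
#   Set-RdpHardened -Thumbprint '<thumbprint from Get-ChildItem Cert:\LocalMachine\My>'
```

Run `Test-RdpHardened` first; a non-empty result tells you which of the settings quoted above is still at a weak value. Two caveats worth keeping in mind: choosing Negotiate lets a client that lacks TLS support drop the listener to the RDP Security Layer, which is exactly the mode NLA cannot run on, so forcing the SSL (TLS) layer is what makes the NLA requirement meaningful; and the "TLS 1.0" wording in the quoted help is from the Windows Server 2008 R2 era, while the TLS version actually negotiated on that layer is governed by the system's Schannel configuration, not by this setting.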