Security

Applies To: Windows Server 2008

Policy settings in this node control security settings on a terminal server.

The full path of this node in the Group Policy Management Console is:

Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security

Note

If you are using the Local Group Policy Editor, Policies is not part of the node path.

Available policy settings

Each setting below is listed by Name, followed by its Explanation and its Requirements (the minimum operating system on which the setting applies).

Always prompt for password upon connection

This policy setting allows you to specify whether Terminal Services always prompts the client for a password upon connection.

You can use this policy setting to enforce a password prompt for users logging on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client.

By default, Terminal Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

If you enable this policy setting, users cannot automatically log on to Terminal Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

If you disable this policy setting, users can always log on to Terminal Services automatically by supplying their passwords in the Remote Desktop Connection client.

If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. However, an administrator can still enforce password prompting by using the Terminal Services Configuration tool.

Requirements: At least Windows XP Professional or Windows Server 2003

Do not allow local administrators to customize permissions

This policy setting allows you to specify whether to disable the administrator rights to customize security permissions in the Terminal Services Configuration tool.

You can use this policy setting to prevent administrators from making changes to the user groups on the Permissions tab in the Terminal Services Configuration tool. By default, administrators are able to make such changes.

If you enable this policy setting, the Permissions tab in the Terminal Services Configuration tool cannot be used to customize per-connection security descriptors or to change the default security descriptors for an existing group. All of the security descriptors are read-only.

If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors on the Permissions tab in the Terminal Services Configuration tool.

Note

The preferred method of managing user access is by adding a user to the Remote Desktop Users group.

Requirements: At least Windows Server 2003

Require secure RPC communication

This policy setting allows you to specify whether a terminal server requires secure remote procedure call (RPC) communication with all clients or allows unsecured communication.

You can use this policy setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If you enable this policy setting, the terminal server accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

If you disable this policy setting, the terminal server always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

If you do not configure this policy setting, unsecured communication is allowed.

Note

The RPC interface is used for administering and configuring Terminal Services.

Requirements: At least Windows Server 2003

Require use of specific security layer for remote (RDP) connections

This policy setting allows you to specify whether to require the use of a specific security layer to secure communications between clients and terminal servers during Remote Desktop Protocol (RDP) connections.

If you enable this policy setting, all communications between clients and terminal servers during remote connections must use the security method specified in this setting. The following security methods are available:

Negotiate  The Negotiate method selects the most secure method that the client supports. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the terminal server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the terminal server is not authenticated; a client without TLS support still connects, but cannot verify that it is talking to the intended server.

RDP  The RDP method uses native RDP encryption to secure communications between the client and terminal server. If you select this setting, the terminal server is not authenticated.

SSL (TLS 1.0)  The SSL method requires the use of TLS 1.0 to authenticate the terminal server. If TLS is not supported, the connection fails.

If you disable or do not configure this policy setting, the security method to be used for remote connections to terminal servers is not enforced through Group Policy. However, you can configure a required security method for these connections by using the Terminal Services Configuration tool.

Requirements: At least Windows Vista

Require user authentication for remote connections by using Network Level Authentication

This policy setting allows you to specify whether to require user authentication for remote connections to the terminal server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network Level Authentication can connect to the terminal server.

To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase "Network Level Authentication supported."

If you disable or do not configure this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the terminal server.

You can specify that Network Level Authentication be required for user authentication by using the Terminal Services Configuration tool or the Remote tab in System Properties.

Important

Disabling or not configuring this policy setting provides less security because user authentication will occur later in the remote connection process.

Requirements: At least Windows Vista
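Both of the two preceding settings have a local equivalent in the Terminal Services Configuration tool, which is backed by the Win32_TSGeneralSetting WMI class in the root\cimv2\TerminalServices namespace. The PowerShell below is an added example, not from this page or from Microsoft: it reports the RDP-Tcp listener's security layer and Network Level Authentication requirement, whether Group Policy is the source of each value (the class's PolicySourceSecurityLayer and PolicySourceUserAuthenticationRequired properties), and raises a weak local value through the class's SetSecurityLayer and SetUserAuthenticationRequired methods, skipping any value that Group Policy already controls. It assumes a local, elevated PowerShell session on Windows Server 2008 and a listener named RDP-Tcp; the function names are my own.

```powershell
# Added example: audit and harden the RDP-Tcp listener's security layer and NLA
# requirement through Win32_TSGeneralSetting (the class behind TS Configuration).
# Assumptions: local, elevated PowerShell on Windows Server 2008; listener 'RDP-Tcp'.

$TsNamespace = 'root\cimv2\TerminalServices'

# Codes shared by the WMI class and the Group Policy setting.
$SecurityLayerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-TsListener {
    param([string]$TerminalName = 'RDP-Tcp')
    $l = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
                       -Filter "TerminalName='$TerminalName'"
    if ($l -eq $null) { throw "Listener '$TerminalName' not found" }
    return $l
}

function Get-RdpListenerSecurity {
    param([string]$TerminalName = 'RDP-Tcp')
    $l = Get-TsListener $TerminalName
    New-Object PSObject -Property @{
        TerminalName         = $l.TerminalName
        SecurityLayer        = $SecurityLayerNames[[int]$l.SecurityLayer]
        SecurityLayerFromGpo = ([int]$l.PolicySourceSecurityLayer -eq 1)   # 1 = Group Policy, 0 = server
        NlaRequired          = ([int]$l.UserAuthenticationRequired -eq 1)
        NlaFromGpo           = ([int]$l.PolicySourceUserAuthenticationRequired -eq 1)
    }
}

function Set-RdpListenerSecurity {
    param(
        [string]$TerminalName = 'RDP-Tcp',
        [int]$MinimumSecurityLayer = 2,   # 2 = SSL (TLS 1.0): the server must authenticate itself
        [switch]$RequireNla
    )
    $l = Get-TsListener $TerminalName

    if ([int]$l.PolicySourceSecurityLayer -eq 1) {
        Write-Warning "SecurityLayer on $TerminalName is set by Group Policy; local change skipped."
    } elseif ([int]$l.SecurityLayer -lt $MinimumSecurityLayer) {
        $r = $l.SetSecurityLayer($MinimumSecurityLayer)
        if ($r.ReturnValue -ne 0) { throw "SetSecurityLayer failed with $($r.ReturnValue)" }
    }

    if ($RequireNla) {
        if ([int]$l.PolicySourceUserAuthenticationRequired -eq 1) {
            Write-Warning "NLA requirement on $TerminalName is set by Group Policy; local change skipped."
        } elseif ([int]$l.UserAuthenticationRequired -ne 1) {
            $r = $l.SetUserAuthenticationRequired(1)
            if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed with $($r.ReturnValue)" }
        }
    }

    # Re-read the listener so the caller sees what is now in force.
    Get-RdpListenerSecurity $TerminalName
}

# Usage:
Get-RdpListenerSecurity | Format-List
Set-RdpListenerSecurity -RequireNla | Format-List
```

The policy-source check matters because a value pushed by Group Policy is read-only in TS Configuration and through these methods; the warning tells you to change it in the GPO instead. Raising the layer to SSL (TLS 1.0) only authenticates the server to the extent that clients check the certificate, which is why the certificate settings later in this node go together with this one.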

Server Authentication Certificate Template

This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate a terminal server.

A certificate is needed to authenticate a terminal server when SSL (TLS 1.0) is used to secure communication between a client and a terminal server during RDP connections.

If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the terminal server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.

Important

You must set the certificate template’s attributes Template display name and Template name to the same value.

If no certificate can be found that was created with the specified certificate template, the terminal server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the terminal server will be selected.

If you disable or do not configure this policy setting, a self-signed certificate will be used by default to authenticate the terminal server. You can select a specific certificate to be used to authenticate the terminal server on the General tab of the Terminal Services Configuration tool.

Note

If you select a specific certificate to be used to authenticate the terminal server, that certificate will take precedence over this policy setting.

Requirements: At least Windows Vista
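The selection rule above (certificates issued from the named template, matching the server's current name, latest expiry wins, and an explicitly selected certificate taking precedence over the policy) can be reproduced from PowerShell against the local computer's personal store and the same listener object that the General tab of Terminal Services Configuration writes to. The following is an added example, not from this page or from Microsoft's own implementation. It assumes a local, elevated PowerShell session on Windows Server 2008; that certificates enrolled from an enterprise CA carry a certificate-template extension (OID 1.3.6.1.4.1.311.20.2 for version 1 templates, 1.3.6.1.4.1.311.21.7 for later versions); that the text form of the latter extension can be parsed for the template's display name, which is one reason the Important note above requires Template display name and Template name to be equal; and that Win32_TSGeneralSetting exposes the SSLCertificateSHA1Hash property. The template name in the usage lines is a placeholder and the function names are my own.

```powershell
# Added example: choose the RDP server certificate the way the template policy
# describes, then bind it explicitly to the listener (an explicit binding then
# takes precedence over the policy, as the Note above says).
# Assumptions: local, elevated PowerShell on Windows Server 2008; enterprise-CA
# certificates carrying a template extension; listener 'RDP-Tcp'.

$TsNamespace = 'root\cimv2\TerminalServices'

function Get-CertificateTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '1.3.6.1.4.1.311.20.2' { return $ext.Format($false).Trim() }   # v1 template: bare name
            '1.3.6.1.4.1.311.21.7' {                                        # v2+: "Template=Name(OID), ..."
                $text = $ext.Format($false)                                 # assumption: parsed from text form
                if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            }
        }
    }
    return $null
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {                               # Subject Alternative Name
            $text = $ext.Format($false)
            foreach ($m in [regex]::Matches($text, 'DNS Name=([^,\s]+)')) { $names += $m.Groups[1].Value }
        }
    }
    return $names
}

function Select-RdpServerCertificate {
    param(
        [string]$TemplateName,
        [string]$HostName = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    if (-not $TemplateName) { throw 'TemplateName is required' }
    $now = Get-Date
    $matching = Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Get-CertificateTemplateName $_) -eq $TemplateName -and
        ((Get-CertificateDnsNames $_) -contains $HostName)
    }
    # Policy rule: among the matching certificates, the one that expires latest wins.
    $matching | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Set-RdpServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$TerminalName = 'RDP-Tcp'
    )
    $l = Get-WmiObject -Namespace $TsNamespace -Class Win32_TSGeneralSetting `
                       -Filter "TerminalName='$TerminalName'"
    if ($l -eq $null) { throw "Listener '$TerminalName' not found" }
    $l.SSLCertificateSHA1Hash = $Cert.Thumbprint
    [void]$l.Put()
}

# Usage ('RDPServerAuth' is a placeholder template name):
$cert = Select-RdpServerCertificate -TemplateName 'RDPServerAuth'
if ($cert -eq $null) { throw 'No valid certificate from that template matches this host' }
Set-RdpServerCertificate -Cert $cert
```

Binding the certificate this way is the scripted form of selecting it on the General tab, so it overrides the template policy from then on and does not follow renewals by itself; if you want the automatic re-enrollment and re-selection the policy provides, leave the explicit binding unset and configure the template name in the GPO instead.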

Set client connection encryption level

This policy setting allows you to specify whether to require the use of a specific encryption level to secure communications between clients and terminal servers during Remote Desktop Protocol (RDP) connections.

If you enable this policy setting, all communications between clients and terminal servers during remote connections must use the encryption method specified in this policy setting. By default, the encryption level is set to High. The following encryption methods are available:

High  The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to terminal servers.

Client Compatible  The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

Low  The Low setting encrypts only data sent from the client to the server, by using 56-bit encryption. Data sent from the server to the client is not encrypted.

If you disable or do not configure this policy setting, the encryption level to be used for remote connections to terminal servers is not enforced through Group Policy. However, you can configure a required encryption level for these connections by using the Terminal Services Configuration tool.

Important

FIPS compliance can be configured through the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing policy setting (located in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options) or through the FIPS Compliant setting in the Terminal Services Configuration tool.

The FIPS Compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and terminal servers require the highest level of encryption.

If FIPS compliance is already enabled through the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing policy setting, that policy setting overrides the encryption level specified in this Group Policy setting or in the Terminal Services Configuration tool.

Requirements: At least Windows XP Professional or Windows Server 2003
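To check what the seven settings in this node actually resolve to on a given server, including the FIPS override described in the Important note above, the following PowerShell reads the registry values that the Terminal Server administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, the FIPS policy value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy, and the listener's own level from Win32_TSGeneralSetting, then applies the precedence the page states (a configured Group Policy value replaces the Terminal Services Configuration value, and FIPS replaces both). It is an added example, not from this page or from Microsoft. It assumes a local, elevated PowerShell session on Windows Server 2008, the value names used by the Terminal Server ADMX (fPromptForPassword, fWritableTSCCPermissionsTAB, fEncryptRPCTraffic, SecurityLayer, UserAuthentication, CertTemplateName, MinEncryptionLevel), that an absent value means the policy is not configured, and that fWritableTSCCPermissionsTAB is stored inverted (Enabled writes 0). The function names are my own.

```powershell
# Added example: report the seven policies in this node from their registry values
# and resolve the effective RDP encryption level, honouring the FIPS override.
# Assumptions: local, elevated PowerShell on Windows Server 2008; Terminal Server
# ADMX value names; listener 'RDP-Tcp'.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$FipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

$SecurityLayerNames   = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegistryValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }          # value absent: policy is Not configured
    return $item.$Name
}

function New-Row {
    param($Policy, $Value, $State)
    New-Object PSObject -Property @{ Policy = $Policy; Value = $Value; State = $State }
}

# Enabled/Disabled policies and which stored number means "Enabled".
$BooleanPolicies = @(
    @{ Policy = 'Always prompt for password upon connection';                 Value = 'fPromptForPassword';           EnabledIs = 1 },
    @{ Policy = 'Do not allow local administrators to customize permissions';  Value = 'fWritableTSCCPermissionsTAB'; EnabledIs = 0 },
    @{ Policy = 'Require secure RPC communication';                           Value = 'fEncryptRPCTraffic';           EnabledIs = 1 },
    @{ Policy = 'Require user authentication ... Network Level Authentication'; Value = 'UserAuthentication';         EnabledIs = 1 }
)

function Get-TsSecurityPolicyReport {
    $report = @()
    foreach ($p in $BooleanPolicies) {
        $raw = Get-RegistryValue $PolicyKey $p.Value
        if ($raw -eq $null)                 { $state = 'Not configured' }
        elseif ([int]$raw -eq $p.EnabledIs) { $state = 'Enabled' }
        else                                { $state = 'Disabled' }
        $report += New-Row $p.Policy $p.Value $state
    }

    $layer = Get-RegistryValue $PolicyKey 'SecurityLayer'
    $state = 'Not configured'
    if ($layer -ne $null) { $state = "Enabled: $($SecurityLayerNames[[int]$layer])" }
    $report += New-Row 'Require use of specific security layer for remote (RDP) connections' 'SecurityLayer' $state

    $template = Get-RegistryValue $PolicyKey 'CertTemplateName'
    $state = 'Not configured'
    if ($template -ne $null) { $state = "Enabled: template '$template'" }
    $report += New-Row 'Server Authentication Certificate Template' 'CertTemplateName' $state

    $level = Get-RegistryValue $PolicyKey 'MinEncryptionLevel'
    $state = 'Not configured'
    if ($level -ne $null) { $state = "Enabled: $($EncryptionLevelNames[[int]$level])" }
    $report += New-Row 'Set client connection encryption level' 'MinEncryptionLevel' $state

    return $report
}

function Resolve-EffectiveEncryptionLevel {
    param($PolicyLevel, [int]$ServerLevel, [bool]$FipsEnabled)
    # Precedence from the Important note: the FIPS policy beats both the Group Policy
    # level and the TS Configuration level; a configured Group Policy level beats
    # the TS Configuration level.
    if ($FipsEnabled)           { return 4 }
    if ($PolicyLevel -ne $null) { return [int]$PolicyLevel }
    return $ServerLevel
}

function Get-EffectiveRdpEncryption {
    param([string]$TerminalName = 'RDP-Tcp')
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                              -Filter "TerminalName='$TerminalName'"
    if ($listener -eq $null) { throw "Listener '$TerminalName' not found" }
    $fips = ((Get-RegistryValue $FipsKey 'Enabled') -eq 1)
    $code = Resolve-EffectiveEncryptionLevel (Get-RegistryValue $PolicyKey 'MinEncryptionLevel') `
                                             ([int]$listener.MinEncryptionLevel) $fips
    New-Object PSObject -Property @{
        TerminalName            = $TerminalName
        FipsPolicyEnabled       = $fips
        EffectiveLevel          = $EncryptionLevelNames[$code]
        ServerToClientEncrypted = ($code -ge 2)    # Low (1) encrypts client-to-server traffic only
    }
}

# Usage:
Get-TsSecurityPolicyReport | Format-Table Policy, State -AutoSize
Get-EffectiveRdpEncryption | Format-List
```

Two things this surfaces that the GPO editor does not: fWritableTSCCPermissionsTAB reads as 0 when the "Do not allow local administrators to customize permissions" policy is Enabled, so a naive "nonzero means enabled" audit gets that one backwards, and a server whose encryption policy shows High can still be running at FIPS Compliant because the FIPS setting lives in a different policy node.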