Remote Desktop Services
Following on from more work with OpenVAS, and after resolving the issues around PHP/MySQL, the next largest priority flagged was a set of issues with the Remote Desktop Server (this applies whether the server is being used as a Session Host or is just running Windows Server/Client with Remote Desktop enabled). Here are two pointers in the right direction to get these port 3389 issues resolved!
SSL/TLS: Report Weak Cipher Suites and SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
To resolve this issue I would suggest you look at the free IISCrypto tool (https://www.nartac.com/Products/IISCrypto) which (after a reboot) disables weak cipher suites and ensures that the correct key exchange mechanisms are used on your servers and clients. Note this software doesn't just apply to IIS (Internet Information Services) but also to Remote Desktop and any other Microsoft technology that makes use of schannel.
Although it takes a little while longer you can also examine the registry (see https://www.nartac.com/Support/IISCrypto/FAQ) and deploy a Group Policy to apply the same settings to your machines.
If you can, I would suggest you opt for the PCI 3.1 template (which also culls TLS 1.0 support); however, as I found out, you may have to resort to the 'Best Practices' template, which keeps TLS 1.0 enabled and in turn allows things like 802.1x EAPOL and older versions of Microsoft SQL Server to keep working. It really is worth doing extensive testing with all of your applications (network services included!) before you roll this tool out to your full environment!
SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
In this case we are looking at the self-signed Remote Desktop Protocol certificate, which just so happens to be SHA1. To resolve this issue have a look at this blog post – https://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo – which covers in great detail how to use an Active Directory Certificate Services server to issue SHA256 certificates to your machines for use with Remote Desktop.
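An added audit script (not from the original post, IISCrypto or the linked article) that reads the schannel registry values the two findings above refer to and reports the RDP listener certificate's signature algorithm, so you can confirm a template or Group Policy actually landed before re-running OpenVAS. It assumes the schannel key names Microsoft documents, the Win32_TSGeneralSetting WMI class, a 2048-bit DH threshold, and that it runs elevated on the server being checked.

```powershell
# Added audit script (not from the original post or IISCrypto): reads the schannel
# registry values that IISCrypto's templates set and reports the RDP listener
# certificate's signature algorithm. Run elevated on the server being audited.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $base $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent => OS default applies
    return $item.$Name
}

$findings = @()

# 1. Protocols: the PCI 3.1 template disables TLS 1.0; 'Best Practices' leaves it on.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    $enabled = Get-SchannelValue "Protocols\$proto\Server" 'Enabled'
    if ($enabled -ne 0) { $findings += "$proto server-side not explicitly disabled (Enabled=$enabled)" }
}

# 2. Weak ciphers: RC4 and DES/3DES are what the 'Weak Cipher Suites' finding refers to.
foreach ($cipher in 'RC4 40/128', 'RC4 56/128', 'RC4 128/128', 'DES 56/56', 'Triple DES 168') {
    $enabled = Get-SchannelValue "Ciphers\$cipher" 'Enabled'
    if ($enabled -ne 0) { $findings += "Cipher '$cipher' not explicitly disabled" }
}

# 3. DH group strength: a server minimum below 2048 bits (assumed threshold) triggers the DH finding.
$dhBits = Get-SchannelValue 'KeyExchangeAlgorithms\Diffie-Hellman' 'ServerMinKeyBitLength'
if ($null -eq $dhBits -or $dhBits -lt 2048) { $findings += "DH ServerMinKeyBitLength is '$dhBits' (want >= 2048)" }

# 4. RDP certificate: the listener's thumbprint is exposed by Win32_TSGeneralSetting; look it up
#    in the 'Remote Desktop' store and report its signature algorithm (SHA1 is the finding).
$ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' |
    Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
if ($cert -and $cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
    $findings += "RDP certificate $($cert.Thumbprint) is signed with $($cert.SignatureAlgorithm.FriendlyName)"
}

if ($findings.Count -eq 0) { 'No schannel/RDP findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Settings deployed by Group Policy only show up here after the policy has applied and the box has rebooted, which matches the reboot IISCrypto itself asks for.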
Looking for some fun ways to get more out of your Smart Card deployment? If so, have you tried...?
- Use Smart Cards to login to your Servers via Remote Desktop
- Use Smart Cards with the PowerShell Get-Credential Commandlet
- Use Smart Cards with your Firewall for single sign on
- Use Smart Cards to login to IIS Web Applications (just a box to tick and a radio option to select)
- Store multiple identities on your Smart Card and assign different (and perhaps more complex) PINs to the identities
Have a look at the screenshots below for some more details.
After a fair few months of work and with support from the team at PACKT my new book (Microsoft Application Virtualization Cookbook) is out on sale.
With over 60 recipes for the practical application of Microsoft Application Virtualization (Version 5) from every angle including…
- Setting up your first App-V infrastructure
- Deploying the software clients and prerequisites
- Sequencing applications into packages
- Publishing applications and connection groups to your clients
- Integrating with XenDesktop, Microsoft Remote Desktop Services and System Center Configuration Manager
- and lots more!
It's looking like we got the sizing for our custom RDS servers right, and we may well have answered (at least for our own internal use) 'how many users can you get on an RDS server?'.
The video shows our RDS farm under normal load with 24 clients remotely logged in (excluding the admin session I was using) with the CPU usage being either low or idle on occasion.
Sometimes you will want to connect to a particular server in an RDS load-balanced farm (maybe you want to perform a particular update on that server or something similar); however, when you RDP onto it the load balancer kicks in and you may not get the server you were after.
The simple solution is to start a remote desktop session to that server using the /admin switch.
The screenshots below show one of many methods you could use to start the session.
Following on from my first post, I am going to look at what will make up my RemoteFX RDS farm, including the software and hardware architecture.
First, I've started out as you would with any small RDS farm; in this case with 4 session hosts and a single connection broker (which will also act as the licence server). The 30 endpoints are pointed at the connection broker, which then decides which session host they should be logging into.
In my case the servers have only 2 hops between themselves and the endpoints: over fibre optic to a local network switch and then down 10/100Mb copper to the client. For the time being the endpoints are just repurposed PCs; however, we hope to replace them with dedicated thin clients (mainly for power-saving reasons) in the next few months.
The connection broker will be hosted as a virtual machine on one of our Hyper-V servers; however, to make use of RemoteFX technology (I will go into this in a little more depth in a later post) the session hosts will all be running directly on physical hardware.
One alternative has always been to convert the PCs in the room to 'fat thin clients' with a small OS (say Windows Thin PC) and hook them up to a Terminal Server/Remote Desktop Services farm. The biggest show stopper in this has been the lack of graphics acceleration, which makes performing graphics-intensive tasks difficult if not impossible.
Luckily Server 2008 R2 SP1 has come around with RemoteFX technology – this allows you to harness the power of graphics processing in a server. Another issue crops up though – few if any servers (from leading OEMs like HP and Dell) support graphics cards and those that do are just as expensive as normal PCs.
My solution is to build custom servers out of AMD Fusion APUs (which combine a powerful CPU and GPU on one chip) in true 'cookie sheet' style.
This series of posts looks at the hardware, software and endpoints (fat thin clients) that I’m going to be using in this project.
A little while ago the guys at Axel let me borrow one of their M80 thin clients to try out with Citrix VDI-in-a-Box and also Microsoft RDS (Server 2008 R2), and I'm happy to say I can easily see this as a good thin client to use in the office, although I have my reservations about its use in the classroom.
This review takes a look at some things that weren't in the video (and also makes some corrections to the video) and should help to give you a better overview of what the Axel M80 thin client can do.