

Windows Server 2008: What's New / What's Changed Part #9 of 12: Chapter 8 - Terminal Services

This snippet from Chapter 8 of my new book Windows Server 2008: What's New / What's Changed is brought to you by SAPIEN Press. Get your copy at http://www.sapienpress.com/Windows_Server_08.asp.

Network Level Authentication
Network Level Authentication (NLA) is another new component of RDC v6.0 that effectively rearranges the order in which clients connect to Terminal Servers. Why is this necessary? From a security perspective, the original architecture of how clients connect to Terminal Servers was actually backwards.

Backwards, you say? Think about the "old" mechanism you would go through to connect your client to a remote Terminal Server:


- You'd enter the name of the Terminal Server and hit Enter. The client would resolve the remote Terminal Server and request a session.
- The remote Terminal Server would open a connection to the client and present a remote logon screen to the client.
- From this remote logon screen, the user would enter their credentials. If they successfully authenticated, they'd be given a desktop on the server.

But what about the situation where a remote user didn't successfully authenticate? In those situations, after a series of failed attempts the remote Terminal Server would sever the connection. Think about how this is wrong from a security perspective. For nearly every other service in your organization, before you gain access to a resource you must first authenticate to that resource. But here, you get more-or-less direct access to the (remote) console of your Terminal Server without ever authenticating to it. It's akin to saying, "Ah, heck. We'll leave the door to the data center unlocked. They don't have passwords anyway, right?"

Wrong. So, in Vista and Server 2008 Microsoft reversed the order in which clients connect to Terminal Servers. Before they ever get a remote session, they must first send credentials to the server and successfully authenticate. What complicates the end result is that even though this is a great idea, Microsoft didn't necessarily want to force you into this new model. So, they made it optional. Thus, on the server, if you navigate to the System Control Panel and select the Remote Settings option, you'll see three options for configuring Remote Desktop.
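Because NLA is optional, the setting chosen in that Remote Settings dialog is what actually decides whether an unauthenticated client can still reach the logon screen. The following PowerShell is an added example (not from the book or this post) for auditing and enforcing that choice across servers instead of clicking through the dialog on each one. It reads the two registry values the dialog writes (fDenyTSConnections under the Terminal Server key, and UserAuthentication under the RDP-Tcp listener key) and uses the Win32_TSGeneralSetting WMI class to require NLA. The function names, the $ComputerName parameter, and the assumption that the Remote Registry service and WMI are reachable on the target are mine.

```powershell
# Added example: audit and enforce Network Level Authentication for Remote Desktop.
# Registry values behind System Properties > Remote (assumed reachable via Remote Registry):
#   HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
#       1 = Remote Desktop disabled, 0 = enabled
#   HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication
#       1 = NLA required (authenticate before a session is created), 0 = legacy clients allowed

function Get-RdpNlaState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $base = 'SYSTEM\CurrentControlSet\Control\Terminal Server'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $tsKey  = $hklm.OpenSubKey($base)
        $rdpKey = $hklm.OpenSubKey("$base\WinStations\RDP-Tcp")
        # Defaults if the value is absent: connections denied, NLA not required.
        $deny = [int]$tsKey.GetValue('fDenyTSConnections', 1)
        $nla  = [int]$rdpKey.GetValue('UserAuthentication', 0)
    } finally {
        $hklm.Close()
    }

    if ($deny -eq 1)    { $state = 'RemoteDesktopDisabled' }
    elseif ($nla -eq 1) { $state = 'NlaRequired' }
    else                { $state = 'LegacyRdpAllowed' }   # logon screen reachable before auth

    New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        fDenyTSConnections = $deny
        UserAuthentication = $nla
        State              = $state
    }
}

function Set-RdpNlaRequired {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Win32_TSGeneralSetting exposes the same switch the Remote Settings dialog flips.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                              -Class Win32_TSGeneralSetting `
                              -Filter "TerminalName='RDP-Tcp'" `
                              -ComputerName $ComputerName
    if (-not $listener) { throw "RDP-Tcp listener not found on $ComputerName" }

    # 1 = require NLA; clients that cannot do NLA (pre-RDC 6.0) will be refused.
    $result = $listener.SetUserAuthenticationRequired(1)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($result.ReturnValue)"
    }
    Get-RdpNlaState -ComputerName $ComputerName
}

# Usage: report every server that still accepts legacy (pre-authentication) RDP sessions.
# 'TS01','TS02' are placeholder names, not hosts from the post.
'TS01', 'TS02' |
    ForEach-Object { Get-RdpNlaState -ComputerName $_ } |
    Where-Object   { $_.State -eq 'LegacyRdpAllowed' } |
    Format-Table ComputerName, State -AutoSize
```

Run the audit before the enforcement step: a server reporting LegacyRdpAllowed is still offering the "unlocked data center door" described above, while NlaRequired means a client must authenticate before any session (and its logon screen) is created. Turning NLA on will lock out clients older than RDC 6.0, so check the client base first.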


Greg Shields' Bio:

Greg Shields is an independent author, instructor, and IT consultant based in Denver, Colorado, and a co-founder of Concentrated Technology. With nearly 15 years of experience in information technology, Greg has developed extensive experience in systems administration, engineering, and architecture, specializing in Microsoft systems management, remote application, and virtualization technologies. Greg is a Contributing Editor for Redmond Magazine, MCPmag.com, and Virtualization Review Magazine and is the author of five books, including Windows Server 2008: What's New / What's Changed. Greg is also a highly sought-after instructor and speaker, speaking regularly at conferences like TechMentor Events and producing computer-based training curriculum for CBT Nuggets. Greg is a recipient of the Microsoft "Most Valuable Professional" award with a specialization in Windows Terminal Services.