You work as the enterprise administrator at ABC.com. ABC.com has a single domain named ABC.com. The ABC.com network servers run Microsoft Windows Server 2008 and the client computers run Microsoft Windows Vista. ABC.com has a computer named ABC-SR01 that runs Remote Desktop with the default security settings.
How would you configure the Remote Desktop connection to ensure secure connections between ABC-SR01 and the clients that access it?
A. By configuring Windows Firewall to block communications via port 110 on the firewall.
B. By obtaining user certificates from the internal certificate authority, and by allowing connections only from Remote Desktop client computers that use Network Level Authentication.
C. By configuring Windows Firewall to block communications via port 443 on the firewall.
D. By obtaining user certificates from the external certificate authority, and by allowing connections only from Remote Desktop client computers that use Network Level Authentication.
E. By configuring Windows Firewall to block communications via port 1423 on the firewall.
Explanation:
To make the RDP connections as secure as possible, you first obtain user certificates from the internal certificate authority and then configure each server to allow connections only from Remote Desktop client computers that use Network Level Authentication.
With the pre-W2008 Terminal Server, you entered the name of the server and a connection was initiated straight to its logon screen; only then, at that logon screen, did you attempt to authenticate. From a security perspective this is a poor design: the client is handed a session on the server before any authentication has taken place, which is not considered good security practice.
NLA, or Network Level Authentication, reverses the order in which a client connects.
The new RDC 6.0 client asks you for your username and password before it takes you to the logon screen. If you are connecting to a pre-W2008 server, that initial logon cannot complete and the client falls back to the old way of logging in. NLA shines when connecting to Windows Vista computers and W2008 servers that are configured to require it: the fallback never occurs, so an attacker cannot reach a session on your server without first authenticating successfully.
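The following is an added example, not part of the original question or of the referenced article: it applies the configuration the explanation describes to the RDP-Tcp listener on ABC-SR01 using the Terminal Services WMI provider (root\cimv2\TerminalServices, class Win32_TSGeneralSetting) that ships with Windows Server 2008, then re-reads the listener to verify the change. It assumes an elevated PowerShell session with administrative rights on ABC-SR01; the thumbprint in $CertThumbprint is a placeholder for a certificate issued by the internal CA and must be replaced.

```powershell
# Added example (not the page's own code): require NLA and TLS on the RDP-Tcp listener of ABC-SR01.
# Assumptions: elevated session with admin rights on the server; $CertThumbprint is a hypothetical
# placeholder for the SHA-1 thumbprint of the certificate obtained from the internal CA.
$Server         = 'ABC-SR01'
$CertThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder, replace with the real thumbprint

function Get-RdpListener {
    param([string]$ComputerName)
    # The TS provider requires PacketPrivacy-level DCOM authentication for remote calls.
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
}

$ts = Get-RdpListener -ComputerName $Server
"Before: UserAuthenticationRequired={0} SecurityLayer={1}" -f $ts.UserAuthenticationRequired, $ts.SecurityLayer

# UserAuthenticationRequired: 1 = NLA (CredSSP) must succeed before a session is created,
#                             0 = legacy behaviour, the logon screen is shown first (the insecure default).
$ts.SetUserAuthenticationRequired(1) | Out-Null

# SecurityLayer: 2 = TLS/SSL required, 1 = negotiate, 0 = legacy RDP security layer only.
$ts.SetSecurityLayer(2) | Out-Null

# Bind the CA-issued certificate to the listener so clients can validate the server before sending credentials.
$ts.SSLCertificateSHA1Hash = $CertThumbprint
$ts.Put() | Out-Null

# Verify by reading the listener back. The same values are mirrored in the registry under
# HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp (UserAuthentication, SecurityLayer).
$ts = Get-RdpListener -ComputerName $Server
if ($ts.UserAuthenticationRequired -ne 1 -or $ts.SecurityLayer -ne 2) {
    throw "NLA/TLS is not enforced on $Server"
}
"After:  UserAuthenticationRequired={0} SecurityLayer={1} Cert={2}" -f `
    $ts.UserAuthenticationRequired, $ts.SecurityLayer, $ts.SSLCertificateSHA1Hash
```

Once UserAuthenticationRequired is 1, a pre-6.0 Remote Desktop client is refused before any logon screen is drawn, which is exactly the fallback the explanation says NLA prevents. The Windows Firewall distractors in options A, C and E are irrelevant to this: Remote Desktop listens on TCP 3389, and blocking ports 110, 443 or 1423 does nothing to harden the RDP session itself.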
Reference: Server 2008 Terminal Services Part 2: NLA Network Level Authentication
http://www.realtime-windowsserver.com/tips_tricks/2007/06/server_2008_terminal_services_2.htm