Yep, just did that, and it shows that the access is authenticated via
certificate, but when I do a sniff with Wireshark, I am not seeing the
TLS handshake; this is what concerns me. I can see in the TCP stream of
the packets that the certificate and its CRL are requested and, per the
connection, that Kerberos and Server Certificate are being used.

The security layer is set to SSL (TLS1.0) and the Encryption Level is
set to FIPS compliant, and I set the security option "use FIPS compliant
Algorithms for Encryption Signing and Hashing".

I have a call in with M$ on this just to verify the process is working
as expected, but I would assume that if settings are set to TLS1.0 (SSL)
and using FIPS compliant settings I should be using TLS 1.0 (so just
like an SSL handshake you see the compatible algorithms between the
workstation and the server which is sending its certificate etc etc)

I will let everyone know what I find out, but I haven't seen any
documentation to the contrary on the setup I have done on these. I just
don't want an auditor coming back and saying that something isn't
working correctly, or was done wrong and isn't giving the protections
when I know it is and I have proof to verify it is.


Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org
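
An added example, not part of the original thread: one way to check a capture for TLS on an RDP connection is to read the selected security protocol from the server's X.224 Connection Confirm (the RDP Negotiation Response defined in MS-RDPBCGR) and then confirm that the next client payload is a TLS ClientHello. The byte strings are constructed samples and the function names are hypothetical.

```python
import struct

# selectedProtocol values in the RDP Negotiation Response (MS-RDPBCGR).
PROTOCOLS = {0: "PROTOCOL_RDP", 1: "PROTOCOL_SSL",
             2: "PROTOCOL_HYBRID", 8: "PROTOCOL_HYBRID_EX"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def selected_protocol(server_first: bytes) -> int:
    """Return selectedProtocol from the server's X.224 Connection Confirm."""
    if len(server_first) < 11 or server_first[0] != 0x03:   # TPKT version 3
        raise ValueError("not a TPKT packet")
    tpkt_len = struct.unpack(">H", server_first[2:4])[0]
    if server_first[5] & 0xF0 != 0xD0:                      # X.224 CC TPDU code
        raise ValueError("not an X.224 Connection Confirm")
    # Skip TPKT header (4), length indicator (1) and CC header (6).
    neg = server_first[11:tpkt_len]
    if len(neg) < 8:
        return 0              # no negotiation block: standard RDP security
    if neg[0] != 0x02:        # 0x02 = response, 0x03 = negotiation failure
        raise ValueError("negotiation failure or unknown block")
    return struct.unpack("<I", neg[4:8])[0]

def client_hello_version(client_next: bytes):
    """Return the version offered in a TLS ClientHello, or None if not one."""
    if (len(client_next) < 11 or client_next[0] != 0x16    # handshake record
            or client_next[5] != 0x01):                     # ClientHello
        return None
    return TLS_VERSIONS.get((client_next[9], client_next[10]), "unknown")

def check_rdp_tls(server_first: bytes, client_next: bytes) -> dict:
    """Compare what the server selected with what the client sends next."""
    proto = selected_protocol(server_first)
    hello = client_hello_version(client_next)
    return {"selected": PROTOCOLS.get(proto, hex(proto)),
            "tls_negotiated": proto != 0,
            "client_hello": hello,
            "consistent": (proto != 0) == (hello is not None)}

# Constructed samples: a Connection Confirm selecting PROTOCOL_HYBRID and the
# start of a ClientHello offering TLS 1.0 (body zero-filled).
SAMPLE_CC = bytes.fromhex("03000013" "0ed00000123400" "0200080002000000")
SAMPLE_HELLO = bytes.fromhex("160301002f0100002b0301") + bytes(41)

if __name__ == "__main__":
    print(check_rdp_tls(SAMPLE_CC, SAMPLE_HELLO))
```

The inputs are the raw TCP payloads of the first server segment and the client segment that follows it, taken from the capture.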

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Thursday, July 12, 2012 8:36 PM
To: NT System Admin Issues
Subject: RE: Encryption of RDP via Certificates

 

Just use the web server certificate.

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, July 12, 2012 2:57 PM
To: NT System Admin Issues
Subject: Encryption of RDP via Certificates

 

If anyone has successfully done this and knows which Certificate
Template in Microsoft CA to utilize for this, I would be grateful if you
hit me off line. I am going nuts trying to use the Certificates snap-in
to get a certificate created via a template on my server made for Server
authentication, and it's just not letting me do it.

 

Z

 

Edward Ziots

CISSP, Security +, Network +

Security Engineer

Lifespan Organization

ezi...@lifespan.org

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
