This is a common problem that you’ll see from PCI-DSS compliance audits for customers which process credit cards on their PC network. In many cases simply disabling external RDP access is the answer, but when external RDP access is required, here is the proper way to address the following two errors:
- Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
- Terminal Server Encryption Level is not FIPS-140 compliant
What I have seen other companies do is simply restrict RDP to a specifc set of WAN IP’s, which will appear solve the problem from the PCI audit report because they cannot access the RDP port open due to the firewall rules, however this is still a violation of PCI because the vulnerabilities still exist. The protocol needs to be properly secured, and the process is relatively simple.
1) Create a self-signed SSL certificate (if one doesn’t already exist; of course a publicly signed SSL is better, but not needed for PCI compliance)
2) Open Terminal Services Configuration
3) Edit the properties of the RDP-Tcp Connection
4) Start from the bottom and work up
- Click Edit and add the self-signed SSL certificate
- Set the encryption level to FIPS compliant
- Click APPLY
- Set the Security layer to SSL (you will not see this as an option if the SSL cert is not configured and you haven’t applied the changes)
- Click APPLY again then OK
5) Close all windows and all active RDP sessions
Simply have the PCI Compliance company run a new audit and you should be all set.