1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic xml:lang="en-us" id="vrde-crypt">
<title>RDP Encryption</title>
<body>
<p>RDP features data stream encryption, which is based on the RC4 symmetric cipher, with keys up to 128-bit. The RC4
keys are replaced at regular intervals, every 4096 packets. </p>
<p>RDP provides the following different server authentication methods: </p>
<ul>
<li>
<p><b outputclass="bold">RDP 4</b> authentication was used historically. With RDP 4, the RDP client does not perform any checks in order to verify the identity of the server it connects to. Since user credentials can be obtained using a man in the middle (MITM) attack, RDP4 authentication is insecure and should not be used. </p>
</li>
<li>
<p><b outputclass="bold">RDP 5.1</b> authentication
employs a server certificate for which the client possesses
the public key. This way it is guaranteed that the server
possess the corresponding private key. However, as this
hard-coded private key became public some years ago, RDP 5.1
authentication is also insecure.
</p>
</li>
<li>
<p><b outputclass="bold">RDP 5.2 or later</b>
authentication uses Enhanced RDP Security, which means that
an external security protocol is used to secure the
connection. RDP 4 and RDP 5.1 use Standard RDP Security. The
VRDP server supports Enhanced RDP Security with TLS protocol
and, as a part of the TLS handshake, sends the server
certificate to the client.
</p>
<p>The <codeph>Security/Method</codeph> VRDE property sets the required security method that is used for a connection. You can also change this in the VM Settings, Remote Display tab. Valid values are as follows: </p>
<ul>
<li>
<p><b outputclass="bold">Negotiate.</b> Both Enhanced (TLS) and Standard RDP Security connections are allowed. The security method is negotiated with the client. </p>
</li>
<li>
<p><b outputclass="bold">RDP.</b> Only Standard RDP
Security is accepted.
</p>
</li>
<li>
<p><b outputclass="bold">TLS.</b> Only Enhanced RDP Security is accepted. The client must support TLS. This is the default setting. </p>
<p>
The version of OpenSSL used by <ph conkeyref="vbox-conkeyref-phrases/product-name"/> supports
TLS versions 1.0, 1.1, 1.2, and 1.3.
</p>
</li>
</ul>
<p>For example, the following command configures a client to use either Standard or Enhanced RDP Security connection: </p>
<pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> --vrde-property "Security/Method=negotiate"</pre>
<p>If the <codeph>Security/Method</codeph> property is set to either Negotiate or TLS, the server uses TLS if the client supports it. However, to use TLS the server must have the Server Certificate and the Server Private Key. A Certificate Authority (CA) Certificate is optional. </p>
<p>If you choose TLS as the security method, <ph conkeyref="vbox-conkeyref-phrases/product-name"/> generates a server key and certificate pair called VRDEAutoGeneratedPrivateKey.pem and VRDEAutoGeneratedCert.pem) for the VM. <ph conkeyref="vbox-conkeyref-phrases/product-name"/> also recreates the auto-generated certificate and key if they are about to expire, or if one or both are deleted or corrupted. </p>
<p>To generate a custom server key and certificate pair, with a CA certificate, follow these steps. </p>
<ol>
<li>
<p>Create a CA self signed certificate. </p>
<pre xml:space="preserve">openssl req -new -x509 -days 365 -extensions v3_ca \
-keyout ca_key_private.pem -out ca_cert.pem</pre>
</li>
<li>
<p>Generate a server private key and a request for signing. </p>
<pre xml:space="preserve">openssl genrsa -out server_key_private.pem
openssl req -new -key server_key_private.pem -out server_req.pem</pre>
</li>
<li>
<p>Generate the server certificate. </p>
<pre xml:space="preserve">openssl x509 -req -days 365 -in server_req.pem \
-CA ca_cert.pem -CAkey ca_key_private.pem -set_serial 01 -out server_cert.pem</pre>
</li>
</ol>
<p>Configure the server to access the required files. For example: </p>
<pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> \
--vrde-property "Security/CACertificate=path/ca_cert.pem"</pre>
<pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> \
--vrde-property "Security/ServerCertificate=path/server_cert.pem"</pre>
<pre xml:space="preserve">VBoxManage modifyvm <varname>VM-name</varname> \
--vrde-property "Security/ServerPrivateKey=path/server_key_private.pem"</pre>
<p>Note that <ph conkeyref="vbox-conkeyref-phrases/product-name"/> does not maintain custom certificates. You are responsible for keeping these updated.</p>
</li>
</ul>
<p>As the client that connects to the server determines what type of encryption will be used, with
<userinput>rdesktop</userinput>, the Linux RDP viewer, use the <codeph>-4</codeph> or <codeph>-5</codeph>
options. </p>
</body>
</topic>
|
