Securing the Remote Desktop Web Connection Site?

[Guest]

Archived from groups: microsoft.public.windowsnt.terminalserver.connectivity (More info?)

Does anyone know right off hand if it's possible to secure (with SSL I
guess) the Remote Desktop Web Connection software? We have to take into
account HIPAA regulations, and we would need to have 128 bit encryption for
this type of traffic.

Thanks!
Jason Rosolowski
Northport Health Services

 

[Guest]

Archived from groups: microsoft.public.windowsnt.terminalserver.connectivity (More info?)

Jason, let me describe the way it works to help explain how you want to do
this.

The remote desktop page you navigate to is a standard web page, hosting an
ActiveX control that is just the same core tool as the installable full
client. So you connect to the page to _get_ the client, and from then on it
is a direct TS connection that just happens to be hosted inside Internet
Explorer.

The connection to the web page itself _could_ be secured via SSL, etc -
whatever your web server and IE agree on - but it doesn't really add any
security to the process. Someone can start out from any open TS web page in
the world that allows specifying a target host, and then connect to your
system. This isn't a vulnerability because the web server has nothing to do
with your TS session.

Once the web page is open, nothing is done through the web server. The
connection will go directly to the targeted TS as a client connection, and
it already has 128-bit encryption.

Jason Rosolowski wrote:
> Does anyone know right off hand if it's possible to secure (with SSL I
> guess) the Remote Desktop Web Connection software? We have to take into
> account HIPAA regulations, and we would need to have 128 bit encryption
> for this type of traffic.
>
> Thanks!
> Jason Rosolowski
> Northport Health Services