Today we were troubleshooting a strange behavior in a customer environment. When connecting to several target machines, the Remote Desktop Client hung for about 30 seconds at “Securing remote connection”. The issue seemed to be related to the RDP version, as connections to Windows XP/2003 machines were established fast – while Vista/2008 or higher showed the issue.
As 15-30 seconds are quite often TCP timeouts, we did a network trace for further analysis. The analysis showed that while the RDP client hung at “Securing remote connection…”, it tried to access ctldl.windowsupdate.com.
Note – dear network admin: This is a classic example of bad network design. The client was located in an isolated network but was able to look up public targets and tried to access one of them. Because your IP firewall is dropping packets instead of rejecting them, the client never gets a notification that a connection could not be established and instead waits until the timeout is reached.
So if your network does allow lookups to external resources, and there are NO good reasons to do so, make sure to reject connections – at least from your own network – instead of dropping them. For maximum security, strictly disable external DNS in isolated networks to avoid DNS tunneling attacks.
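To tell from the client side whether the firewall drops or rejects such a connection, a single timed TCP connect is enough. The following is an added example, not part of the original post; the `probe` function, its verdict names and the use of port 80 are assumptions made for illustration.

```python
import errno
import socket
import time

# Errors a client sees quickly when the path actively refuses the connection
# (TCP RST or an ICMP unreachable message) instead of silently discarding it.
FAST_FAIL = {errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ENETUNREACH}


def probe(host, port, timeout=5.0):
    """Try one TCP connect and return (verdict, seconds_elapsed).

    verdict is one of: "connected", "rejected", "dropped", "no-dns", "error".
    """
    start = time.monotonic()
    try:
        # Resolve first so a blocked or failing DNS lookup is reported separately.
        family, socktype, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "no-dns", time.monotonic() - start

    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        verdict = "connected"
    except (socket.timeout, TimeoutError):
        # No answer at all within the timeout: the SYN was silently dropped.
        verdict = "dropped"
    except ConnectionRefusedError:
        verdict = "rejected"
    except OSError as exc:
        verdict = "rejected" if exc.errno in FAST_FAIL else "error"
    finally:
        sock.close()
    return verdict, time.monotonic() - start


if __name__ == "__main__":
    # Host name taken from the network trace described in the post;
    # port 80 is an assumption of this example.
    verdict, elapsed = probe("ctldl.windowsupdate.com", 80)
    print(f"{verdict} after {elapsed:.1f}s")
```

A "dropped" verdict after the full timeout matches the hang described in the post, while "rejected" or "no-dns" returns almost immediately.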
Note – the response from the network admin will be: This is a classic example of blaming the network instead of the application. Make sure to configure your OS and application correctly to avoid unnecessary network connections, disable automatic updates and things will be fine.
Well, as only Vista and higher targets showed the hangs, we suspected a Root CA updating issue, found http://support.microsoft.com/kb/2677070 and disabled network retrieval.
Updates disabled, timeouts prohibited, mission accomplished – go home early.