RE: Under the hood question about Remote Desktop Connection



Note that with Low Encryption set; only packets from client to server are
encrypted. Packets from server to the client are not.

This is also documented here:

Low encryption encrypts only packets being sent from the client to the
Terminal Server. This "input only" encryption is to protect the input of
sensitive data like a user's password.
http://technet2.microsoft.com/windowsserver/en/library/2cb5c8c9-cadc-44a9-bf
39-856127f4c8271033.mspx?mfr=true

This is the reason why I don't use "Low" or "Client compatible" settings.

Mike

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Wayne S. Anderson
Sent: Friday, January 25, 2008 4:05 PM
To: 'Wozny, Scott'; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Under the hood question about Remote Desktop Connection

By default, there are three settings in a non-FIPS, non-TLS environment:
Low, High, and Client Compatible. Low is encrypted with 56-bit RC4, High is
encrypted with 128-bit RC4 (or TLS if configured). Client compatible
selects the highest supported level of encryption between the two. Just so
you know, by default you are usually using 128 bit RC4 in a homogenous
Windows XP / Server 2003 environment. With RDP 5.2 and later (XP, Server
2003, Vista, Server 2008), you can set the encryption to use TLS 1.0 with
certificates. This should solve any concern about key exchange by ensuring
your local infrastructure adopts an accepted standard.

There are other solutions, of course, including implementing IPSec so that
administrators are running RDP and other sensitive sessions over IPSec
channels, thereby circumventing the issue of RDP encryption integrity
completely but for obvious reasons, the performance and maintainability is
going to be significantly in favor of simply using TLS if this is really a
concern.

Windows Server 2003
Client-Based Encryption Config:
http://technet2.microsoft.com/windowsserver/en/library/cdfe9f76-fb54-46fe-84
c0-7cf637dc65be1033.mspx?mfr=true
Server-Based Encryption Config:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac
9b-29fd6146977b1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/8be5bfb5-b652-49aa-8a
c4-f6c2b01f35101033.mspx?mfr=true

Windows Server 2008
Server-Based Encryption Config:
http://technet2.microsoft.com/windowsserver2008/en/library/9a86af81-c87e-41f
2-bdec-b154d896a8821033.mspx?mfr=true

There is one other thing that I think you may want to pay attention to,
there are some things in any RDP session which are, by default, not
encrypted. For XP or 2003 based sessions, there is a KB article which
reviews these elements: http://support.microsoft.com/kb/275727

This documentation is not yet fully available for RDP 6.0 which is used in
Vista and Windows Server 2008.


-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Wozny, Scott
Sent: Thursday, January 24, 2008 12:20 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Under the hood question about Remote Desktop Connection

Doing some poking around in the list archives and some sites on the net, I
see how one can require remote connections to use 128-bit RC4 encryption. 
Setting aside the debate on whether or not this algorithm qualifies as
secure or insecure, this is a symmetric algorithm.  As sending the key in
the clear would be a major faux pas, does anyone know what mechanism this
app uses to do secure key exchange?  Does it just "borrow" a browser cert to
do a DH exchange?
 
Any insights would be appreciated.
 
Thanks,
 
Scott
 

Attachment: smime.p7s
Description: S/MIME cryptographic signature