RE: Under the hood question about Remote Desktop Connection



Note that with Low Encryption set; only packets from client to server are
encrypted. Packets from server to the client are not.

This is also documented here:

Low encryption encrypts only packets being sent from the client to the
Terminal Server. This "input only" encryption is to protect the input of
sensitive data like a user's password.
http://technet2.microsoft.com/windowsserver/en/library/2cb5c8c9-cadc-44a9-bf
39-856127f4c8271033.mspx?mfr=true

This is the reason why I don't use "Low" or "Client compatible" settings.

Mike

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Wayne S. Anderson
Sent: Friday, January 25, 2008 4:05 PM
To: 'Wozny, Scott'; focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Under the hood question about Remote Desktop Connection

By default, there are three settings in a non-FIPS, non-TLS environment:
Low, High, and Client Compatible. Low is encrypted with 56-bit RC4, High is
encrypted with 128-bit RC4 (or TLS if configured). Client compatible
selects the highest supported level of encryption between the two. Just so
you know, by default you are usually using 128 bit RC4 in a homogenous
Windows XP / Server 2003 environment. With RDP 5.2 and later (XP, Server
2003, Vista, Server 2008), you can set the encryption to use TLS 1.0 with
certificates. This should solve any concern about key exchange by ensuring
your local infrastructure adopts an accepted standard.

There are other solutions, of course, including implementing IPSec so that
administrators are running RDP and other sensitive sessions over IPSec
channels, thereby circumventing the issue of RDP encryption integrity
completely but for obvious reasons, the performance and maintainability is
going to be significantly in favor of simply using TLS if this is really a
concern.

Windows Server 2003
Client-Based Encryption Config:
http://technet2.microsoft.com/windowsserver/en/library/cdfe9f76-fb54-46fe-84
c0-7cf637dc65be1033.mspx?mfr=true
Server-Based Encryption Config:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac
9b-29fd6146977b1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/8be5bfb5-b652-49aa-8a
c4-f6c2b01f35101033.mspx?mfr=true

Windows Server 2008
Server-Based Encryption Config:
http://technet2.microsoft.com/windowsserver2008/en/library/9a86af81-c87e-41f
2-bdec-b154d896a8821033.mspx?mfr=true

There is one other thing that I think you may want to pay attention to,
there are some things in any RDP session which are, by default, not
encrypted. For XP or 2003 based sessions, there is a KB article which
reviews these elements: http://support.microsoft.com/kb/275727

This documentation is not yet fully available for RDP 6.0 which is used in
Vista and Windows Server 2008.


-W

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Wozny, Scott
Sent: Thursday, January 24, 2008 12:20 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Under the hood question about Remote Desktop Connection

Doing some poking around in the list archives and some sites on the net, I
see how one can require remote connections to use 128-bit RC4 encryption. 
Setting aside the debate on whether or not this algorithm qualifies as
secure or insecure, this is a symmetric algorithm.  As sending the key in
the clear would be a major faux pas, does anyone know what mechanism this
app uses to do secure key exchange?  Does it just "borrow" a browser cert to
do a DH exchange?
 
Any insights would be appreciated.
 
Thanks,
 
Scott
 

Attachment: smime.p7s
Description: S/MIME cryptographic signature



Relevant Pages

  • Re: Socket Server with Encryption help
    ... Before the client ... Authentication protocols are fiercely difficult to get right. ... by Needham and Schroeder "Using encryption for authentication in large ... Client connects into Server and Server accepts the connection. ...
    (microsoft.public.dotnet.security)
  • Re: Auto-update protocol
    ... to transfer even with a single client and no interference. ... shared secret/public key is the only way to do the encryption. ... successfully decryption is the authentication. ... you can get using a generic farm server, but TFTP does not have any ...
    (comp.arch.embedded)
  • Question on client/server application
    ... (one will act as a simple TCP server and the other will be a simple ... TCP client). ... What is the simplest way for me to implement a secure connection ... There are plenty of encryption libraries out ...
    (comp.lang.pascal.delphi.misc)
  • RE: Implementing RSACryptoServiceProvider *and* JavaScript
    ... JavaScript: hashing, synchronous encryption, and asynchronous ... This will enable me to ensure security between the client ... Send these back to the server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: RDP Data Encryption Error
    ... If we make a remote connection to the server at work and then RDP into one ... we get this "encryption error" after a few seconds. ... the client will drop the connection ...
    (microsoft.public.windows.terminal_services)