RDP and encryption

  • Thread starter Thread starter Taibear ios
  • Start date Start date
T

Taibear ios

Hello I want to know how much or how I can configure XPSP2 pro (HOST) to
Vista (client) to have
an ENCRYPTED RDP session. I found this page
http://support.microsoft.com/kb/275727
But Its not clear...

so my questions are:

Is RDP already encrypted and to what level?
Must I change anything on the RDP server (XPSP2 Pro) or client (Vista
Premium Home) to get better encryption?
Is VNC (like ultraVNC) better encrypted than RDP?

basically I want to know if someone (anyone) can intercept the data stream
of the RDP session and
see what the user is doing...

thank you
 
one more question...

IF I was able to use Vista Ultimate as the RDP host and Vista premium as the
Client,
would this result in a more secure-encrypted session?


thanks
 
Taibear ios said:
one more question...

IF I was able to use Vista Ultimate as the RDP host and Vista premium as
the Client,
would this result in a more secure-encrypted session?


thanks
Click to expand...

The entire Remote Desktop (RDP) session is encrypted by default at 128-bits.
If a client like a PocketPC, that can only do 64-bit encryption, connects
then that is what the session will be at. So I always recommend configuring
the RDP host PC to only allow connections using "high" encryption versus
"client compatible". That is configured using a group policy setting.

http://theillustratednetwork.mvps.org/RemoteDesktop/RDP6ConfigRecommendations.html

The big difference connecting a Vista-2-Vista Remote Desktop session versus
a Vista-2-XP session is the use of Network Level Authentication (NLA) which
is not available for XP. NLA will help prevent man-in-the-middle attacks.

It goes without saying that you should use a strong password.

http://www.microsoft.com/protect/yourself/password/checker.mspx

I also limit access to my Vista and XP Pro desktops with Remote Desktop to
my normal standard/limited user accounts. I disable access to my
administrator account. In this example my normal admin account is called
root (original eh...) and can not access my desktop via Remote Desktop.

http://theillustratednetwork.mvps.org/Vista/RDP/NoAdminUserLogintoRDP.jpg

Some folks, including myself, also only run Remote Desktop through a VPN or
Secure Shell (SSH) tunnel. I like SSH because I can use a 4096-bit RSA
private/public key pair protected by a strong password for authentication
versus a password only (strong or otherwise). Another advantage of a VPN or
SSH tunnel is you can access multiple desktops through the tunnel with
needing to open multiple ports.

http://theillustratednetwork.mvps.org/Ssh/SecureShell.html

Remember if you are accessing a XP Pro/MCE machine from a Vista machine that
you need to configure the Vista RDP client like this...

http://theillustratednetwork.mvps.org/ScreenShots/XP/RDP6-XPClientSettings.jpg

FWIW, I have always found the Remote Desktop is much faster and more
responsive that VNC (any flavor). As always YMMV...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 
Sooner Al said:
The entire Remote Desktop (RDP) session is encrypted by default at
128-bits. If a client like a PocketPC, that can only do 64-bit encryption,
connects then that is what the session will be at. So I always recommend
configuring the RDP host PC to only allow connections using "high"
encryption versus "client compatible". That is configured using a group
policy setting.

http://theillustratednetwork.mvps.org/RemoteDesktop/RDP6ConfigRecommendations.html

The big difference connecting a Vista-2-Vista Remote Desktop session
versus a Vista-2-XP session is the use of Network Level Authentication
(NLA) which is not available for XP. NLA will help prevent
man-in-the-middle attacks.

It goes without saying that you should use a strong password.

http://www.microsoft.com/protect/yourself/password/checker.mspx

I also limit access to my Vista and XP Pro desktops with Remote Desktop to
my normal standard/limited user accounts. I disable access to my
administrator account. In this example my normal admin account is called
root (original eh...) and can not access my desktop via Remote Desktop.

http://theillustratednetwork.mvps.org/Vista/RDP/NoAdminUserLogintoRDP.jpg

Some folks, including myself, also only run Remote Desktop through a VPN
or Secure Shell (SSH) tunnel. I like SSH because I can use a 4096-bit RSA
private/public key pair protected by a strong password for authentication
versus a password only (strong or otherwise). Another advantage of a VPN
or SSH tunnel is you can access multiple desktops through the tunnel with
needing to open multiple ports.

http://theillustratednetwork.mvps.org/Ssh/SecureShell.html

Remember if you are accessing a XP Pro/MCE machine from a Vista machine
that you need to configure the Vista RDP client like this...

http://theillustratednetwork.mvps.org/ScreenShots/XP/RDP6-XPClientSettings.jpg

FWIW, I have always found the Remote Desktop is much faster and more
responsive that VNC (any flavor). As always YMMV...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
Click to expand...

These may explain NLA a bit...

http://windowshelp.microsoft.com/Windows/en-US/Help/ea4680d1-6962-463b-b29b-351efa676f9e1033.mspx

http://blogs.msdn.com/buckh/archive/2007/01/20/remote-desktop-connection-6-0-client.aspx

http://www.computerweekly.com/Articles/2007/03/21/222578/remote-desktop-gets-a-bit-more-secure.htm

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
 
Oh you have been extremely helpful!

I will take a look at all the links..

THANK YOU!
 
Back
Top