Re: RDP and encryption




"Sooner Al [MVP]" <SoonerAl@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:09CB6D4F-0BC5-4C3A-B473-C42029528304@xxxxxxxxxxxxxxxx
"Taibear ios" <Taibear@xxxxxxx> wrote in message news:4710b151@xxxxxxxxxxxxxxxxxxxxxxxx
one more question...

If I was able to use Vista Ultimate as the RDP host and Vista Premium as the client,
would this result in a more secure-encrypted session?


thanks


"Taibear ios" <Taibear@xxxxxxx> wrote in message news:4710b044@xxxxxxxxxxxxxxxxxxxxxxxx
Hello I want to know how much or how I can configure XPSP2 pro (HOST) to Vista (client) to have
an ENCRYPTED RDP session. I found this page http://support.microsoft.com/kb/275727
But it's not clear...

so my questions are:

Is RDP already encrypted and to what level?
Must I change anything on the RDP server (XPSP2 Pro) or client (Vista Premium Home) to get better encryption?
Is VNC (like UltraVNC) better encrypted than RDP?

basically I want to know if someone (anyone) can intercept the data stream of the RDP session and
see what the user is doing...

thank you





The entire Remote Desktop (RDP) session is encrypted by default at 128-bits. If a client like a PocketPC, that can only do 64-bit encryption, connects then that is what the session will be at. So I always recommend configuring the RDP host PC to only allow connections using "high" encryption versus "client compatible". That is configured using a group policy setting.

http://theillustratednetwork.mvps.org/RemoteDesktop/RDP6ConfigRecommendations.html

The big difference connecting a Vista-2-Vista Remote Desktop session versus a Vista-2-XP session is the use of Network Level Authentication (NLA) which is not available for XP. NLA will help prevent man-in-the-middle attacks.

It goes without saying that you should use a strong password.

http://www.microsoft.com/protect/yourself/password/checker.mspx

I also limit access to my Vista and XP Pro desktops with Remote Desktop to my normal standard/limited user accounts. I disable access to my administrator account. In this example my normal admin account is called root (original eh...) and can not access my desktop via Remote Desktop.

http://theillustratednetwork.mvps.org/Vista/RDP/NoAdminUserLogintoRDP.jpg

Some folks, including myself, also only run Remote Desktop through a VPN or Secure Shell (SSH) tunnel. I like SSH because I can use a 4096-bit RSA private/public key pair protected by a strong password for authentication versus a password only (strong or otherwise). Another advantage of a VPN or SSH tunnel is you can access multiple desktops through the tunnel without needing to open multiple ports.

http://theillustratednetwork.mvps.org/Ssh/SecureShell.html

Remember if you are accessing an XP Pro/MCE machine from a Vista machine that you need to configure the Vista RDP client like this...

http://theillustratednetwork.mvps.org/ScreenShots/XP/RDP6-XPClientSettings.jpg

FWIW, I have always found the Remote Desktop is much faster and more responsive than VNC (any flavor). As always YMMV...

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375


These may explain NLA a bit...

http://windowshelp.microsoft.com/Windows/en-US/Help/ea4680d1-6962-463b-b29b-351efa676f9e1033.mspx

http://blogs.msdn.com/buckh/archive/2007/01/20/remote-desktop-connection-6-0-client.aspx

http://www.computerweekly.com/Articles/2007/03/21/222578/remote-desktop-gets-a-bit-more-secure.htm

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
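
Added example, not part of the original posts: a PowerShell check, run on the RDP host, of the two settings recommended in the thread ("high" encryption instead of "client compatible", and NLA). It assumes the standard Terminal Services registry values `MinEncryptionLevel` and `UserAuthentication`; the function names `Get-RdpSetting` and `Test-RdpHardening` are made up for this example.

```powershell
# Added example: audit the RDP listener settings discussed in the thread.
# A value set by Group Policy overrides the local listener value,
# so the policy key is checked first.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# MinEncryptionLevel values as shown in the policy editor.
$encryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RdpSetting {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($key in $policyKey, $listenerKey) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.$Name; Source = $key }
        }
    }
    # Neither key carries the value (for example, a host that predates the setting).
    return [pscustomobject]@{ Value = $null; Source = 'not set' }
}

function Test-RdpHardening {
    $enc = Get-RdpSetting -Name 'MinEncryptionLevel'
    $nla = Get-RdpSetting -Name 'UserAuthentication'

    $encName = if ($null -eq $enc.Value) { 'not set' } else { $encryptionNames[$enc.Value] }
    $nlaName = if ($null -eq $nla.Value) { 'not set' }
               elseif ($nla.Value -eq 1) { 'required' }
               else { 'not required' }

    [pscustomobject]@{
        Check   = 'Minimum encryption level is High or FIPS'
        Current = $encName
        Source  = $enc.Source
        Pass    = ($null -ne $enc.Value -and $enc.Value -ge 3)
    }
    [pscustomobject]@{
        Check   = 'Network Level Authentication required'
        Current = $nlaName
        Source  = $nla.Source
        Pass    = ($nla.Value -eq 1)
    }
}

Test-RdpHardening | Format-Table -AutoSize -Wrap
```

A `Source` under `SOFTWARE\Policies` means the value comes from Group Policy and will be reapplied at the next policy refresh; a `Source` under `WinStations\RDP-Tcp` is the local listener setting.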
