RDP 6.0 security

Guest

With RDP 6.0 installed, are the credentials still passed between a remote
host and a RAS server (or any other machine, for that matter) in clear text?
Or with this latest version of RDP, can a completely encrypted
connection/session be made across the I'net?

I have a PPTP VPN configured on a Win2003SP2 machine with MS-CHAPv2 and
Windows Authentication in the access policy. Using Ethereal or Netmon 3.0,
no human-readable information is available in the LCP, GRE or PPP packets
captured when making a connection and during the session, as expected.

Recently, I was unable to establish a VPN connection from a remote location
but needed to access the RAS box. Reluctantly, I remoted into my
firewall/router, set port forwarding on 3389 to the RAS box and made my
connection. I changed my password just before I closed the 3389 connection
and immediately closed the port/forwarding on the firewall/router. However,
before I took any of these actions, I started a capture using Netmon 3.0.
The capture indicated that everything was encrypted - I couldn't see
credentials being passed to the server.

If the RDP 6.0 protocol is now secure end-to-end by design, this would
obviate the need to first create a VPN connection, wouldn't it?

If anyone can authoritatively let me know if RDP 6.0 is in fact now secure
end-to-end, I would appreciate the confirmation; and if in your opinion, this
can safely be used in lieu of a VPN.

Thanks.
 
Sooner Al [MVP]

JCB said:
With RDP 6.0 installed, are the credentials still passed between a remote
host and a RAS server (or any other machine, for that matter) in clear text?
Or with this latest version of RDP, can a completely encrypted
connection/session be made across the I'net?

I have a PPTP VPN configured on a Win2003SP2 machine with MS-CHAPv2 and
Windows Authentication in the access policy. Using Ethereal or Netmon 3.0,
no human-readable information is available in the LCP, GRE or PPP packets
captured when making a connection and during the session, as expected.

Recently, I was unable to establish a VPN connection from a remote location
but needed to access the RAS box. Reluctantly, I remoted into my
firewall/router, set port forwarding on 3389 to the RAS box and made my
connection. I changed my password just before I closed the 3389 connection
and immediately closed the port/forwarding on the firewall/router. However,
before I took any of these actions, I started a capture using Netmon 3.0.
The capture indicated that everything was encrypted - I couldn't see
credentials being passed to the server.

If the RDP 6.0 protocol is now secure end-to-end by design, this would
obviate the need to first create a VPN connection, wouldn't it?

If anyone can authoritatively let me know if RDP 6.0 is in fact now secure
end-to-end, I would appreciate the confirmation; and if in your opinion, this
can safely be used in lieu of a VPN.

Thanks.

AFAIK the entire data link is encrypted including the sending of passwords.
I recommend configuring the server to only use 128-bit encryption (i.e.
"High" encryption) if all of your RDP clients support that...

http://support.microsoft.com/kb/816594/en-us

I do that with my Vista-to-Vista RDP links...

With that said I still run RDP through a PPTP VPN in addition to being able
to access shared files/folders through the VPN tunnel. The other benefit of
using a VPN tunnel is you only need to open one hole in your firewall in
order to access additional PCs with RDP versus multiple holes without a VPN.

You might post this question to the...

microsoft.public.windows.terminal_services

...news group for a more precise answer.

--

Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the
mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...
How to ask a question
http://support.microsoft.com/KB/555375
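
Added example, not part of the original posts: one way to confirm from a capture like the one described in the question which security layer the server selected is to parse the server's first packet on TCP 3389, the X.224 Connection Confirm with its RDP Negotiation Response (layout per MS-RDPBCGR). The function names are this example's own and the sample packets are constructed, not taken from a real capture.

```python
import struct

# selectedProtocol values in the RDP Negotiation Response (MS-RDPBCGR)
PROTOCOLS = {0: "Standard RDP Security", 1: "TLS", 2: "CredSSP (TLS + NLA)",
             8: "CredSSP with Early User Authorization"}

def parse_connection_confirm(pdu: bytes) -> dict:
    """Parse the server's X.224 Connection Confirm (first server packet on 3389)."""
    if len(pdu) < 11:
        raise ValueError("too short for TPKT + X.224 Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack(">BBH", pdu[:4])
    if version != 3 or tpkt_len != len(pdu):
        raise ValueError("not a complete TPKT packet")
    if pdu[4] != len(pdu) - 5 or pdu[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:]  # skip DST-REF, SRC-REF and class option
    if not body:
        # No negotiation block: the server used the legacy handshake,
        # which means Standard RDP Security.
        return {"kind": "legacy", "protocol": 0, "failure_code": None}
    if len(body) != 8:
        raise ValueError("unexpected negotiation block size")
    msg_type, _flags, length, value = struct.unpack("<BBHI", body)
    if length != 8:
        raise ValueError("bad negotiation length field")
    if msg_type == 0x02:   # RDP_NEG_RSP: value is the selected protocol
        return {"kind": "response", "protocol": value, "failure_code": None}
    if msg_type == 0x03:   # RDP_NEG_FAILURE: value is the failure code
        return {"kind": "failure", "protocol": None, "failure_code": value}
    raise ValueError("unknown negotiation message type")

def describe(pdu: bytes) -> str:
    """Human-readable summary of the security layer the server chose."""
    result = parse_connection_confirm(pdu)
    if result["kind"] == "failure":
        return f"negotiation failed (code {result['failure_code']})"
    proto = result["protocol"]
    return PROTOCOLS.get(proto, f"unknown protocol 0x{proto:x}")

# Constructed sample packets (not taken from a real capture)
CC_TLS = bytes.fromhex("03000013" "0ed00000123400" "02000800" "01000000")
CC_LEGACY = bytes.fromhex("0300000b" "06d00000123400")
CC_FAILURE = bytes.fromhex("03000013" "0ed00000123400" "03000800" "05000000")

if __name__ == "__main__":
    for name, pdu in [("tls", CC_TLS), ("legacy", CC_LEGACY), ("failure", CC_FAILURE)]:
        print(name, "->", describe(pdu))
```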
 
Guest

Al,

Thanks. In normal practice, I do as you described - namely, after the VPN
connection is established, I use RDP to connect to machines directly as
needed, or simply connect to shares otherwise.

But knowing that RDP 6.0 DOES encrypt the password is reassuring for those
occasions (usually rare) that I cannot establish a VPN connection in some
remote coffee shop, for example.

I do use the highest encryption (MSPPE 128, I believe is its designation)
and via Group Policy, require encryption and secure channels, etc. for all
machines in my RemoteComputers OU, even for TS connections. The encryption
burden at both ends seems negligible with the hardware we are using, so I
"max it out". Some day when I have the time to lab it, I will explore PKI
and L2TP/IPSec VPN - I don't have enough aggravation in my life!

Thanks again; I will follow up posting at the alternate address you provided.
 
