By default, there are three settings in a non-FIPS, non-TLS environment: Low, High, and Client Compatible. Low is encrypted with 56-bit RC4; High is encrypted with 128-bit RC4 (or TLS if configured). Client Compatible selects the highest supported level of encryption between the two. Just so you know, by default you are usually using 128-bit RC4 in a homogeneous Windows XP / Server 2003 environment. With RDP 5.2 and later (XP, Server 2003, Vista, Server 2008), you can set the encryption to use TLS 1.0 with certificates. This should solve any concern about key exchange by ensuring your local infrastructure adopts an accepted standard.
There are other solutions, of course, including implementing IPSec so that administrators are running RDP and other sensitive sessions over IPSec channels, thereby circumventing the issue of RDP encryption integrity completely, but for obvious reasons the performance and maintainability are going to be significantly in favor of simply using TLS if this is really a concern.

Windows Server 2003 Client-Based Encryption Config:
http://technet2.microsoft.com/windowsserver/en/library/cdfe9f76-fb54-46fe-84c0-7cf637dc65be1033.mspx?mfr=true

Server-Based Encryption Config:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/8be5bfb5-b652-49aa-8ac4-f6c2b01f35101033.mspx?mfr=true

Windows Server 2008 Server-Based Encryption Config:
http://technet2.microsoft.com/windowsserver2008/en/library/9a86af81-c87e-41f2-bdec-b154d896a8821033.mspx?mfr=true

There is one other thing that I think you may want to pay attention to: there are some things in any RDP session which are, by default, not encrypted. For XP or 2003 based sessions, there is a KB article which reviews these elements:
http://support.microsoft.com/kb/275727

This documentation is not yet fully available for RDP 6.0, which is used in Vista and Windows Server 2008.

-W
Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wozny, Scott
Sent: Thursday, January 24, 2008 12:20 PM
To: [email protected]
Subject: Under the hood question about Remote Desktop Connection

Doing some poking around in the list archives and some sites on the net, I see how one can require remote connections to use 128-bit RC4 encryption. Setting aside the debate on whether or not this algorithm qualifies as secure or insecure, this is a symmetric algorithm. As sending the key in the clear would be a major faux pas, does anyone know what mechanism this app uses to do secure key exchange? Does it just borrow a browser cert to do a DH exchange? Any insights would be appreciated.

Thanks,
Scott
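As an added illustration of the encryption levels and TLS option described in the reply above (example code, not part of the original thread), the following PowerShell audit reads the RDP-Tcp listener's encryption settings from the registry and reports whether the key exchange Scott asks about is protected by TLS. It assumes the documented Terminal Server value meanings (MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS; SecurityLayer 0 = RDP security layer, 1 = Negotiate, 2 = TLS) and that missing values mean the listener defaults of Client Compatible and Negotiate; the remediation function needs an elevated shell and a server certificate the clients trust.

```powershell
# Added example (not from the original thread): audit, and optionally harden,
# the RDP-Tcp listener's encryption level and security layer.
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented value meanings for the two registry settings (assumed here).
$EncryptionLevels = @{ 1 = 'Low (56-bit RC4)'; 2 = 'Client Compatible'
                       3 = 'High (128-bit RC4)'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer (RC4 key exchange)'
                       1 = 'Negotiate (TLS only if the client supports it)'
                       2 = 'TLS (SSL) required' }

function Get-RdpEncryptionState {
    $props = Get-ItemProperty -Path $ListenerKey
    # Absent values mean the listener runs with its defaults (assumed: 2 / 1).
    $level = if ($null -ne $props.MinEncryptionLevel) { [int]$props.MinEncryptionLevel } else { 2 }
    $layer = if ($null -ne $props.SecurityLayer)      { [int]$props.SecurityLayer }      else { 1 }

    # Only the TLS layer guarantees a certificate-based key exchange; under the
    # RDP security layer a level below High can still negotiate 56-bit RC4.
    $finding = if ($layer -eq 2)     { 'OK: key exchange and session protected by TLS' }
               elseif ($level -lt 3) { 'WEAK: 56-bit RC4 permitted and TLS not required' }
               else                  { 'REVIEW: 128-bit RC4 allowed, TLS not required' }

    [pscustomobject]@{
        MinEncryptionLevel = $level
        EncryptionLevel    = $EncryptionLevels[$level]
        SecurityLayer      = $layer
        SecurityLayerName  = $SecurityLayers[$layer]
        TlsEnforced        = ($layer -eq 2)
        Finding            = $finding
    }
}

function Set-RdpTlsRequired {
    # Require High encryption and the TLS security layer (the configuration the
    # reply recommends). Run elevated; clients must trust the server certificate.
    Set-ItemProperty -Path $ListenerKey -Name MinEncryptionLevel -Value 3 -Type DWord
    Set-ItemProperty -Path $ListenerKey -Name SecurityLayer      -Value 2 -Type DWord
    Get-RdpEncryptionState
}

Get-RdpEncryptionState | Format-List
# To remediate a WEAK or REVIEW finding: Set-RdpTlsRequired
```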
