Security – Is windows remote desktop secure?

Is windows built-in Remote Desktop secure? I mean, does it use any encryption methods? or someone can hijack the data that have been transferred between two system?

Solution:

There are two aspects of the security you should be aware of, how it creates the connection and how the connection is secured. There are two different modes for securing the creation of the connection for remote desktop, Legacy mode (I don’t think it has a name) and Network Level Authentication (NLA). When you allow remote desktop you can choose if you only want to allow NLA connections or allow connections from the older legacy mode too.

enter image description here

NLA mode is much more secure and has less possibilities for people to capture data from or intercept the connection while it is being established.

For the connection itself there are many fine tuning settings that are all set server side. The Help file summarizes much better than I can so I will just quote that.

 

Configure Server Authentication and Encryption  Levels

By default, Remote Desktop Services  sessions are configured to negotiate the encryption level from the  client to the RD Session Host server. You can enhance the security of  Remote Desktop Services sessions by requiring the use of Transport  Layer Security (TLS) 1.0. TLS 1.0 verifies the identity of the  RD Session Host server and encrypts all communication between the  RD Session Host server and the client computer. The RD Session Host  server and the client computer must be correctly configured for TLS to  provide enhanced security.

   Note  

For  more information about RD Session Host, see the Remote Desktop  Services page on the Windows Server 2008 R2 TechCenter (http://go.microsoft.com/fwlink/?LinkId=140438).

   

Three security layers are available.

   

     

  • SSL (TLS 1.0) – SSL (TLS 1.0) will be used for server authentication and for encrypting all data transferred between the server and the client.
  •  

  • Negotiate – This is the default setting. The most secure layer that is supported by the client will be used. If supported, SSL (TLS 1.0) will be used. If the client does not support SSL (TLS 1.0), the RDP Security Layer will be used.
  •  

  • RDP Security Layer – Communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.      
  •  

   

The most secure layer that is supported by the client will be used.  If supported, SSL (TLS 1.0) will be used. If the client does not  support SSL (TLS 1.0), the RDP Security Layer will be  used.

RDP Security Layer

 

Communication between the server and the client  will use native RDP encryption. If you select RDP Security Layer, you  cannot use Network Level Authentication.

   

A certificate, used to verify the identity of the RD Session Host  server and encrypt communication between the RD Session Host and the  client, is required to use the TLS 1.0 security layer. You can select  a certificate that you have installed on the RD Session Host server,  or you can use a self-signed certificate.

   

By default, Remote Desktop Services connections are encrypted at  the highest level of security available. However, some older versions  of the Remote Desktop Connection client do not support this high level  of encryption. If your network contains such legacy clients, you can  set the encryption level of the connection to send and receive data at  the highest encryption level supported by the client.

   

Four encryption levels are available.

   

     

  • FIPS Compliant – This level encrypts and decrypts data sent from the client to the server and from the server to the client by using Federal Information Process Standard (FIPS) 140-1 validated encryption methods. Clients that do not support this level of encryption cannot connect.
  •  

  • High – This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. Use this level when the RD Session Host server is running in an environment containing 128-bit clients only (such as Remote Desktop Connection clients). Clients that do not support this level of encryption will not be able to connect.
  •  

  • Client Compatible – This is the default setting. This level encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this level when the RD Session Host server is running in an environment containing mixed or legacy clients.
  •  

  • Low – This level encrypts data sent from the client to the server by using 56-bit encryption. Data sent from the server to the client is not encrypted.
  •