Microsoft KB Archive/275727

= High Encryption on a Remote Desktop or Terminal Services Session Does Not Encrypt All Information =

Article ID: 275727

Article Last Modified on 1/29/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows NT Server 4.0, Terminal Server Edition

-



This article was previously published under Q275727



SUMMARY
All the information that is passed from the client to the server in a Remote Desktop or Terminal Services session is not encrypted.



MORE INFORMATION
By default, Windows XP Remote Desktop and Windows Server 2003 Remote Desktop and Terminal Services use high (128-bit) encryption to encrypt most data transmissions in both the client-to-server direction and the server-to-client direction. When you install the 128-bit High Encryption pack and use high encryption on a Windows 2000 Terminal Services computer, high (128-bit) encryption is used to encrypt most data transmissions in both the client-to-server direction and the server-to-client direction.

The following types of data transmissions might not be encrypted:  Virtual Channels

By default, information that is passed through a virtual channel is not encrypted, but the program that is using the virtual channel can request that information be encrypted. After you install Windows 2000 Service Pack 2 (SP2) or later, data on Virtual Channels is encrypted. Initial Connection

The RDP protocol sends initial packets to establish the connection to the server and negotiate the level of encryption. These packets are not encrypted, but they do not contain any sensitive information. Server Certificate

The public certificate that contains the server name and some other non-sensitive information is not encrypted. Licensing Packets

One of the licensing information packets is not encrypted and contains the following information:  Client computer name Client user name Client license information</li></ul>

After you install Windows 2000 Service Pack 2 (SP2) or later, licensing information is encrypted. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

295080 Terminal Server Client Licensing Information Is Not Encrypted in the Network Packets

</li> Clipboard and Redirected Printing

Clipboard and Redirected Printing use virtual channels and are always encrypted in both the client-to-server direction and the server-to-client direction in Windows 2000 SP2 and later.

Important When you connect to a Terminal Services session by using a virtual private network (VPN) connection, the data stream is encrypted. Also, any connection that you make by using Internet Security Protocol (IPSec) encrypts all the RDP traffic.</li></ul>

Keywords: kbinfo kbtunneling kbenv kbnetwork KB275727

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.