High Encryption on a Remote Desktop or Terminal Services Session Does Not Encrypt All Information (275727)


The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP 64-Bit Edition Version 2002
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows NT Server 4.0 Terminal Server Edition
This article was previously published under Q275727

SUMMARY

All the information that is passed from the client to the server in a Remote Desktop or Terminal Services session is not encrypted.

MORE INFORMATION

By default, Windows XP Remote Desktop and Windows Server 2003 Remote Desktop and Terminal Services use high (128-bit) encryption to encrypt most data transmissions in both the client-to-server direction and the server-to-client direction. When you install the 128-bit High Encryption pack and use high encryption on a Windows 2000 Terminal Services computer, high (128-bit) encryption is used to encrypt most data transmissions in both the client-to-server direction and the server-to-client direction.

The following types of data transmissions might not be encrypted:
  • Virtual Channels

    By default, information that is passed through a virtual channel is not encrypted, but the program that is using the virtual channel can request that information be encrypted. After you install Windows 2000 Service Pack 2 (SP2) or later, data on Virtual Channels is encrypted.
  • Initial Connection

    The RDP protocol sends initial packets to establish the connection to the server and negotiate the level of encryption. These packets are not encrypted, but they do not contain any sensitive information.
  • Server Certificate

    The public certificate that contains the server name and some other non-sensitive information is not encrypted.
  • Licensing Packets

    One of the licensing information packets is not encrypted and contains the following information:
    • Client computer name
    • Client user name
    • Client license information
    After you install Windows 2000 Service Pack 2 (SP2) or later, licensing information is encrypted. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    295080 Terminal Server Client Licensing Information Is Not Encrypted in the Network Packets

  • Clipboard and Redirected Printing

    Clipboard and Redirected Printing use virtual channels and are always encrypted in both the client-to-server direction and the server-to-client direction in Windows 2000 SP2 and later.

    Important When you connect to a Terminal Services session by using a virtual private network (VPN) connection, the data stream is encrypted. Also, any connection that you make by using Internet Security Protocol (IPSec) encrypts all the RDP traffic.
Modification Type:MajorLast Reviewed:9/22/2003
Keywords:kbenv kbinfo kbnetwork kbTunneling KB275727
©2003 Microsoft Corporation. All rights reserved.