When using Remote Desktop Connection, is the information being sent back and forth securely, as in SSL? Are usernames and passwords secure? When connecting to a remote server through Remote Desktop Connection, is the server required to use, at minimum, a self-signed SSL certificate in order to secure the data sent back and forth? I'm simply wanting to know if my info going through Remote Desktop Connection is secure or not. I'm connecting from a Win7 PC to a Windows 2008 R2 Web Server. Thanks for your help!


By default the connection is SSL encrypted with a self-signed cert. You should get a warning on first connection, or optionally on every connection, about this. You can use a signed cert if paranoid.


RDP can use RC4 128-bit encryption. From what I gather, RC4 is not considered as strong as AES for the same key length, but I'm no cryptographer. This feature has been present since XP, but it is not required. The default group policy allows for minimal or no encryption for compatibility.

Unfortunately, until Server 2003 SP1, while it was encrypted, there was no authentication of the connection because it used a hardcoded private key. (I'm not referring to the login prompt once a connection has been established, but during the connection attempt.) This means that you can't be sure that you are actually talking to the real RDP server. You could be subject to a man-in-the-middle attack where you have just negotiated an encrypted connection with some malicious third party who is decrypting everything and then re-encrypting it to send to the real server. This can only happen on initial contact. If you actually did connect and negotiate encryption with the real server, you are safe, at least until you try and connect again.

Starting with Server 2003 SP1 and Vista, TLS was added and a certificate is generated automatically and used to sign the connection handshake. You still need to learn what the certificate is, but it can be stored to verify future connections. Ideally, the certificate will be signed by the in-house CA for your domain, but lacking any PKI, you may still be subject to man-in-the-middle on the very first connection unless you verify the fingerprint.
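As an added example (not code from either answer), here is a PowerShell script for the Server 2008 R2 side that reads the RDP listener settings both answers touch on (security layer, minimum encryption level, NLA) through the Win32_TSGeneralSetting WMI class, and prints the listener certificate's SHA-1 thumbprint so it can be compared out-of-band with the fingerprint mstsc shows on the first connection; the -Harden switch name and the listener name RDP-Tcp are assumptions of this example.

```powershell
# Added example: audit, and optionally harden, the RDP listener on a
# Server 2008 R2 host. Run in an elevated PowerShell on the server.
# -Harden is a switch name chosen for this example, not a built-in.
param([switch]$Harden)

$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"

# Value meanings for Win32_TSGeneralSetting:
#   SecurityLayer      0 = RDP Security Layer (no server authentication),
#                      1 = Negotiate, 2 = TLS/SSL
#   MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
$layerNames = @{0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS/SSL'}
$encNames   = @{1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS'}

Write-Host ("Security layer      : {0} ({1})" -f $ts.SecurityLayer, $layerNames[[int]$ts.SecurityLayer])
Write-Host ("Min encryption level: {0} ({1})" -f $ts.MinEncryptionLevel, $encNames[[int]$ts.MinEncryptionLevel])
Write-Host ("NLA required        : {0}" -f [bool]$ts.UserAuthenticationRequired)
# Compare this value with the thumbprint in the client-side certificate warning.
Write-Host ("Listener cert SHA1  : {0}" -f $ts.SSLCertificateSHA1Hash)

$issues = @()
if ($ts.SecurityLayer -lt 2) {
    $issues += 'Server is not forced to TLS; a client can be served the legacy RDP security layer with no server authentication.'
}
if ($ts.MinEncryptionLevel -lt 3) {
    $issues += 'Weak or no encryption is still accepted for client compatibility.'
}
if (-not $ts.UserAuthenticationRequired) {
    $issues += 'Network Level Authentication is not required.'
}

if ($issues.Count -eq 0) {
    Write-Host 'RDP listener configuration looks acceptable.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}

if ($Harden -and $issues.Count -gt 0) {
    # Each Set* method returns 0 on success. Existing sessions are unaffected;
    # new connections must meet the stricter requirements.
    [void]$ts.SetSecurityLayer(2)
    [void]$ts.SetEncryptionLevel(3)
    [void]$ts.SetUserAuthenticationRequired(1)
    Write-Host 'Applied: SecurityLayer=TLS, MinEncryptionLevel=High, NLA required.'
}
```

Requiring NLA and TLS blocks clients that only speak the legacy RDP security layer, so check that every client (the Win7 PC in the question supports both) can still connect before applying -Harden.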