Remote Desktop Encryption

My client is RDP 6.1 (on Windows XP SP3) and the server is Windows Server 2003. I have installed an SSL certificate on the server for RDP. In the RDP settings (General tab), the Encryption method is set to SSL/TLS 1.0 and the Encryption level is set to "Client Compatible". I have the following questions:

  1. In this case, is it guaranteed that all communication is encrypted even when I remote login to the server? I mean, is the password encrypted?

  2. Does RDP always use some kind of encryption even if there is no SSL certificate installed on the server?

  3. In this case I do not see the security lock in the connection bar. When I set the encryption level to "High", then I see the security lock. I do believe that communication in both cases will be encrypted. Is it true?

Please reply to my questions

Thanks in advance, Kumar


  1. No, "client compatible" can disable encryption if the client requests that.
  2. No. RDP originally had no encryption ability, it was added later and today's encryption is very good.
  3. The lock icon only appears when using Kerberos to authenticate the session, it doesn't have anything to do with the TLS encryption of the RDP connection.

The expected behavior is documented here:

[MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting Specification
Standard RDP Security - 5.3.2 Negotiating the Cryptographic Configuration
http://msdn.microsoft.com/en-us/library/cc240773%28v=prot.10%29.aspx

Encryption Negotiation in RDP connection
https://blogs.msdn.com/b/openspecification/archive/2011/12/08/encryption-negotiation-in-rdp-connection.aspx

The answer is a bit convoluted. In some configurations the server to client data may not be encrypted, however the client to server data is always encrypted. One key sentence would be: "To protect the confidentiality of client-to-server user data, an RDP server must ensure that the negotiated Encryption Level is always greater than zero when using Standard RDP Security mechanisms."

Since your question is security-related and relatively simple to test, you may want to validate the results yourself. As RDP data can be compressed, tests should be performed with compression disabled to determine if it is actually not encrypted.

It may be worth noting that when using SSL/TLS, an administrator with access to the certificate private key can perform a packet capture and decrypt the data. There is also a Network Monitor expert for it.

Network Monitor Decryption Expert
https://nmdecrypt.codeplex.com
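As an added illustration of the negotiation the second answer points to (not code from the answer or from Microsoft), the following Python decodes the two places where the outcome is visible on the wire: the RDP Negotiation Response inside the X.224 Connection Confirm (MS-RDPBCGR 2.2.1.2.1), which says whether the session runs inside TLS or under Standard RDP Security, and the Server Security Data block (MS-RDPBCGR 2.2.1.4.3), which carries the negotiated encryptionMethod and encryptionLevel. The classification rules follow the spec's level definitions: level LOW protects only client-to-server data, CLIENT_COMPATIBLE and above protect both directions, and a level of NONE (which the quoted sentence says a server must never negotiate) leaves user data in the clear. The byte strings are constructed samples, not captures from a real server, and the function and verdict names are my own.

```python
"""Decode what an RDP server negotiated and classify the confidentiality outcome."""
import struct

# RDP_NEG_RSP selectedProtocol values (MS-RDPBCGR 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000      # Standard RDP Security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA), which also runs over TLS

# TS_UD_SC_SEC1 encryptionMethod / encryptionLevel values (MS-RDPBCGR 2.2.1.4.3)
ENCRYPTION_METHOD_NONE = 0x00000000
ENCRYPTION_METHOD_40BIT = 0x00000001
ENCRYPTION_METHOD_128BIT = 0x00000002
ENCRYPTION_METHOD_56BIT = 0x00000008
ENCRYPTION_METHOD_FIPS = 0x00000010
ENCRYPTION_LEVEL_NONE = 0
ENCRYPTION_LEVEL_LOW = 1
ENCRYPTION_LEVEL_CLIENT_COMPATIBLE = 2
ENCRYPTION_LEVEL_HIGH = 3
ENCRYPTION_LEVEL_FIPS = 4

SC_SECURITY = 0x0C02          # user data header type of the Server Security Data block
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def parse_connection_confirm(pdu):
    """Return selectedProtocol from a TPKT-framed X.224 Connection Confirm.

    Returns None when the confirm carries no RDP_NEG_RSP, which is how a
    server that only speaks Standard RDP Security answers.
    """
    version, _reserved, tpkt_len = struct.unpack_from(">BBH", pdu, 0)
    if version != 3 or tpkt_len != len(pdu):
        raise ValueError("bad TPKT header")
    li = pdu[4]                      # X.224 length indicator: bytes that follow it
    if (pdu[5] & 0xF0) != 0xD0:      # 0xD0 = Connection Confirm (CC) code
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:5 + li]            # after code, DST-REF, SRC-REF and class option
    if not body:
        return None
    typ, _flags, length, value = struct.unpack_from("<BBHI", body, 0)
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if typ == TYPE_RDP_NEG_FAILURE:
        raise ValueError("server refused negotiation, failureCode=%d" % value)
    if typ != TYPE_RDP_NEG_RSP:
        raise ValueError("unexpected negotiation type 0x%02x" % typ)
    return value


def parse_server_security_data(block):
    """Return (encryptionMethod, encryptionLevel) from a TS_UD_SC_SEC1 block."""
    if len(block) < 12:
        raise ValueError("truncated Server Security Data block")
    header_type, length, method, level = struct.unpack_from("<HHII", block, 0)
    if header_type != SC_SECURITY:
        raise ValueError("not a Server Security Data block")
    if length < 12 or length > len(block):
        raise ValueError("inconsistent block length")
    return method, level


def classify(selected_protocol, method=None, level=None):
    """Summarize which direction of user data is encrypted, and how strongly."""
    if selected_protocol in (PROTOCOL_SSL, PROTOCOL_HYBRID):
        # Everything after the X.224 exchange is inside TLS; the Standard
        # RDP Security fields are not consulted.
        return "tls"
    if level == ENCRYPTION_LEVEL_NONE or method == ENCRYPTION_METHOD_NONE:
        return "unencrypted"
    if level == ENCRYPTION_LEVEL_LOW:
        return "client-to-server-only"
    if method in (ENCRYPTION_METHOD_40BIT, ENCRYPTION_METHOD_56BIT):
        return "both-directions-weak-key"
    return "both-directions"


# Constructed sample PDUs (hypothetical, not captured from a real server).
TLS_CONFIRM = bytes.fromhex("030000130ed00000123400" "0200080001000000")
RDP_ONLY_CONFIRM = bytes.fromhex("0300000b06d00000123400")
SEC_CLIENT_COMPAT_128 = bytes.fromhex("020c0c00" "02000000" "02000000")
SEC_LOW_40 = bytes.fromhex("020c0c00" "01000000" "01000000")
SEC_NONE = bytes.fromhex("020c0c00" "00000000" "00000000")

if __name__ == "__main__":
    print("TLS confirm:", classify(parse_connection_confirm(TLS_CONFIRM)))
    for name, block in [("client compatible / 128-bit", SEC_CLIENT_COMPAT_128),
                        ("low / 40-bit", SEC_LOW_40), ("none", SEC_NONE)]:
        method, level = parse_server_security_data(block)
        print(name + ":", classify(parse_connection_confirm(RDP_ONLY_CONFIRM), method, level))
```

When run against a capture of your own server (with compression disabled, as the answer suggests), the "tls" verdict confirms that the SSL/TLS 1.0 setting actually took effect for that client; anything else means the session fell back to Standard RDP Security and the level and method fields decide what is protected.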