Security-Enhanced Connection Sequence

The RDP Connection Sequence does not provide any mechanisms which ensure that the identity of the server is authenticated, and as a result it is vulnerable to man-in-the-middle attacks (these attacks can compromise the confidentiality of the data sent between client and server).

The goal of the Security-Enhanced Connection Sequence is to provide an extensible mechanism within RDP so that well-known and proven security protocols (such as Secure Socket Layer (SSL) or Kerberos) can be used to fulfill security objectives and to wrap RDP traffic. There are two variations of the Security-Enhanced Connection Sequence. The negotiation-based approach aims to provide backward-compatibility with previous RDP implementations, while the Direct Approach favors more rigorous security over interoperability.

Negotiation-Based Approach: The client advertises the security packages which it supports (by appending a negotiation request structure to the X.224 Connection Request PDU) and the server selects the package to use (by appending a negotiation response structure to the X.224 Connection Confirm PDU). After the client receives the X.224 Connection Confirm PDU the handshake messages defined by the negotiated security package are exchanged and then all subsequent RDP traffic is secured by using the cryptographic techniques specified by the negotiated security package.

Direct Approach: Instead of negotiating a security package, the client and server immediately execute a predetermined security protocol (for example, the CredSSP Protocol [MS-CSSP]) prior to any RDP traffic being exchanged on the wire. This approach results in all RDP traffic being secured using the hard-coded security package. However, it has the disadvantage of not working with servers that expect the connection sequence to be initiated by an X.224 Connection Request PDU.

For more details about Enhanced RDP Security, see section 5.4.