On Thu, Jul 2, 2009 at 3:54 PM, Michael B. Smith <mich...@owa.smithcons.com> wrote:
> RDP in Vista (and above) and Server 2008 (and above) provide the capability of
> TLS-encrypting the RDP sessions - built in.
That's not what I was talking about. I was talking about strong authentication of the *client* -- in other words, the *client* needs to have a trusted keypair ("certificate", in TLS-speak) for the server to allow the connection. Microsoft's documentation makes it sound like you can have the client authenticate the server with a TLS PKI, but there doesn't seem to be any provision for authenticating the client to the server.

http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc786838(WS.10).aspx

It's a common mistake to read "security" and think "transport encryption". Transport encryption gives you confidentiality. PKI gives you authentication. They're not the same thing. Confidentiality without authentication just protects against eavesdropping, not impersonation. Attackers can still guess passwords, and then get in. I just won't be able to sniff the connection to see what the attackers are doing.

Now, if RDP can also authenticate clients-to-servers via PKI, then it would address this issue. However, it wouldn't address issues #2 (exposure) and #3 (defense in depth) in my original message.

--
Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~