<<< Date Index >>>     <<< Thread Index >>>

RDP TLS downgrade



For those using TLS with Microsoft's Terminal server.  

With Terminal server installed on Windows 2003 Server with current service 
packs and patches it is possible to bypass the server side setting that 
requires SSL with a self-signed cert.

You will automatically be downgraded to not using TLS and not be notified.  The 
padlock will be missing on the RDP banner.

Why is this a problem?

Using a cert and SSL was MS answer to prevent man in the middle attacks when 
using RDP.  You may think that you are protected but you are not.

This behavior exposes itself when you use the RDP 6.0 client.  Nothing else is 
required.

I have not tested it with a trusted cert via verisign or others but I expect 
the results will be the same.

To recreate:  Install MS Windows 2003 server, install Terminal services, set 
the server setting encryption level to high and require SSL.

Use RDP client 5.2, set to no authentication, should fail to connect.

Use RDP client 6.0 set to always connect even if authetication fails.  This 
should bypass the server settings and connect downgraded.

It is interesting that the client side piece can control the server settings....

MS sec response contacted, did not see it as a problem.