Remote Desktop Protocol

{{Short description|Type of proprietary network protocol}}

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft Corporation which provides a user with a graphical interface to connect to another computer over a network connection.{{Cite web|last=Deland-Han|title=Understanding Remote Desktop Protocol (RDP) – Windows Server|url=https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol|access-date=2020-10-12|website=docs.microsoft.com|language=en-us|archive-date=October 17, 2020|archive-url=https://web.archive.org/web/20201017001806/https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol|url-status=live}} The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Several clients exist for most versions of Microsoft Windows (including Windows Mobile, for which support has ended), Linux (for example Remmina), Unix, macOS, iOS, Android, and other operating systems. RDP servers are built into the server and professional editions of Windows operating systems but not home editions; RDP servers for Unix and OS X also exist (for example xrdp). By default, the server listens on TCP port 3389{{cite web |url=http://support.microsoft.com/kb/306759 |title=How to change the listening port for Remote Desktop |publisher=Microsoft |date=January 31, 2007 |access-date=November 2, 2007 |archive-date=November 4, 2007 |archive-url=https://web.archive.org/web/20071104083358/http://support.microsoft.com/kb/306759 |url-status=live }} (Microsoft KB article 306759, revision 2.2) and UDP port 3389.{{cite web |url=https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=64 |title=Service Name and Transport Protocol Port Number Registry |publisher=Internet Assigned Numbers Authority |date=January 9, 2015 |access-date=January 13, 2015 }}

Microsoft currently refers to their official RDP client software as Remote Desktop Connection, formerly "Terminal Services Client".

The protocol is an extension of the ITU-T T.128 application sharing protocol. Microsoft makes some specifications public on their website.{{cite web|url=http://www.rdesktop.org/#docs|title=rdesktop: A Remote Desktop Protocol Client|website=www.rdesktop.org|access-date=November 29, 2008|archive-date=December 1, 2008|archive-url=https://web.archive.org/web/20081201091916/http://www.rdesktop.org/#docs|url-status=live}}

History

{{Main|Remote Desktop Services}}

Every server and professional version of Microsoft Windows from Windows XP onward{{cite web | url= http://windows.microsoft.com/en-GB/windows-vista/Connect-to-another-computer-using-Remote-Desktop-Connection | title= Connecting to another computer Remote Desktop Connection | author= Microsoft | access-date= 2012-12-22 | archive-date= January 16, 2013 | archive-url= https://web.archive.org/web/20130116172522/http://windows.microsoft.com/en-GB/windows-vista/Connect-to-another-computer-using-Remote-Desktop-Connection | url-status= live }} includes an installed Remote Desktop Connection (RDC) ("Terminal Services") client ({{mono|mstsc.exe}}) whose version is determined by that of the operating system or by the last applied Windows Service Pack. The Terminal Services server is supported as an official feature on Windows NT 4.0 Terminal Server Edition, released in 1998, Windows 2000 Server, all editions of Windows XP except Windows XP Home Edition, Windows Server 2003, Windows Home Server, on Windows Fundamentals for Legacy PCs, in Windows Vista Ultimate, Enterprise and Business editions, Windows Server 2008 and Windows Server 2008 R2 and on Windows 7 Professional and above. The home versions of Windows do not support RDP.

Microsoft provides the client required for connecting to newer RDP versions for downlevel operating systems. Since the server improvements are not available downlevel, the features introduced with each newer RDP version only work on downlevel operating systems when connecting to a higher version RDP server from these older operating systems, and not when using the RDP server in the older operating system.{{clarify|date=May 2014}}

= Version 4.0 =

Based on the ITU-T T.128 application sharing protocol (during draft also known as "T.share") from the T.120 recommendation series, the first version of RDP (named version 4.0) was introduced by Microsoft with "Terminal Services", as a part of their product Windows NT 4.0 Server, Terminal Server Edition. The Terminal Services Edition of NT 4.0 relied on Citrix's MultiWin technology, previously provided as a part of Citrix WinFrame atop Windows NT 3.51, in order to support multiple users and login sessions simultaneously. Microsoft required Citrix to license their MultiWin technology to Microsoft in order to be allowed to continue offering their own terminal-services product, then named Citrix MetaFrame, atop Windows NT 4.0. The Citrix-provided DLLs included in Windows NT 4.0 Terminal Services Edition still carry a Citrix copyright rather than a Microsoft copyright. Later versions of Windows integrated the necessary support directly. The T.128 application sharing technology was acquired by Microsoft from UK software developer Data Connection Limited (Implementing Collaboration Technologies in Industry, Bjørn Erik Munkvold, 2003; Chapter 7).

= Version 5.0 =

This version was introduced with Windows 2000 Server. It added support for a number of features, including printing to local printers, and aimed to improve network bandwidth usage. The RDP clients available through the Windows 2000 Terminal Server Disk Creation Tool are tested and working even on 16-bit Windows 3.1 using third-party TCP/IP libraries such as Trumpet WinSock.

= Version 5.1 =

This version was introduced with Windows XP Professional and included support for 24-bit color and sound. It is supported on Windows 2000, Windows 9x, and Windows NT 4.0.{{cite web |url=http://www.microsoft.com/downloads/details.aspx?familyid=80111f21-d48d-426e-96c2-08aa2bd23a49&displaylang=en |title=Windows XP Remote Desktop Connection software [XPSP2 5.1.2600.2180] |publisher=Microsoft.com |date=2012-08-27 |access-date=2014-03-11 |archive-date=September 8, 2010 |archive-url=https://web.archive.org/web/20100908204215/http://www.microsoft.com/downloads/details.aspx?FamilyID=80111f21-d48d-426e-96c2-08aa2bd23a49&DisplayLang=en |url-status=live }} With this version, the name of the client was changed from Terminal Services Client to Remote Desktop Connection; the heritage remains to this day, however, as the underlying executable is still named {{mono|mstsc.exe}}.

= Version 5.2 =

This version was introduced with Windows Server 2003 and included support for console mode connections, a session directory, and local resource mapping. It also introduced Transport Layer Security (TLS) 1.0 for server authentication and to encrypt terminal server communications.{{cite web |title=Configuring authentication and encryption |url=https://technet.microsoft.com/en-us/library/cc782610.aspx |date=January 21, 2005 |access-date=March 30, 2009 |archive-date=March 18, 2009 |archive-url=https://web.archive.org/web/20090318052939/http://technet.microsoft.com/en-us/library/cc782610.aspx |url-status=live }} (Microsoft Technet article) This version is built into Windows XP Professional x64 Edition and Windows Server 2003 x64 & x86 Editions, and is also available for Windows XP as a download.

= Version 6.0 =

This version was introduced with Windows Vista and incorporated support for Windows Presentation Foundation applications, Network Level Authentication, multi-monitor spanning and large desktop support, and TLS 1.0 connections.{{cite web |title= Remote Desktop Connection (Terminal Services Client 6.0) |url= http://support.microsoft.com/default.aspx/kb/925876 |date= June 8, 2007 |access-date= June 20, 2007 |archive-date= July 17, 2007 |archive-url= https://web.archive.org/web/20070717081442/http://support.microsoft.com/default.aspx/kb/925876 |url-status= live }} (Microsoft KB article 925876, revision 7.0) The RDP 6.0 client is available on Windows XP SP2, Windows Server 2003 SP1/SP2 (x86 and x64 editions) and Windows XP Professional x64 Edition through KB925876. Microsoft Remote Desktop Connection Client for Macintosh OS X is also available with support for Intel and PowerPC Mac OS versions 10.4.9 and greater.

= Version 6.1 =

This version was released in February 2008 and was first included with Windows Server 2008 and Windows Vista with Service Pack 1, and later backported to Windows XP with Service Pack 3. The RDP 6.1 client is available on Windows XP SP2, Windows Server 2003 SP1/SP2 (x86 and x64 editions) and Windows XP Professional x64 Edition through KB952155.{{cite web | url=http://support.microsoft.com/kb/952155 | title=Description of the Remote Desktop Connection 6.1 client update for Terminal Services in Windows XP Service Pack 2 | publisher=microsoft | access-date=2014-03-11 | archive-date=August 29, 2008 | archive-url=https://web.archive.org/web/20080829115853/http://support.microsoft.com/kb/952155 | url-status=live }} In addition to changes related to how a remote administrator connects to the "console",{{cite web |url=http://blogs.msdn.com/ts/archive/2007/12/17/changes-to-remote-administration-in-windows-server-2008.aspx |title=Changes to Remote Administration in Windows Server 2008 |date=December 17, 2007 |access-date=February 10, 2008 |work=Terminal Services Team Blog |publisher=Microsoft |archive-date=March 5, 2009 |archive-url=https://web.archive.org/web/20090305054514/http://blogs.msdn.com/ts/archive/2007/12/17/changes-to-remote-administration-in-windows-server-2008.aspx |url-status=live }} this version has new functionality introduced in Windows Server 2008, such as connecting remotely to individual programs and a new client-side printer redirection system that makes the client's print capabilities available to applications running on the server, without having to install print drivers on the server.{{cite web |url = http://technet2.microsoft.com/windowsserver2008/en/library/484d57e7-feb4-4dcc-9d13-152c053516471033.mspx?pf=true |archive-url = http://webarchive.loc.gov/all/20140121002246/http://technet2.microsoft.com/windowsserver2008/en/library/484d57e7-feb4-4dcc-9d13-152c053516471033.mspx?pf=true |url-status = dead |archive-date = January 21, 2014 |title = Terminal Services Printing |date = January 10, 2008 |access-date = February 10, 2008 |work = TechNet – Windows Server 2008 Technical Library |publisher = Agozik-Microsoft }}{{cite web |url=http://blogs.msdn.com/b/rds/archive/2007/04/26/introducing-terminal-services-easy-print-part-1.aspx |title=Introducing Terminal Services Easy Print: Part 1 – Remote Desktop Services (Terminal Services) Team Blog – Site Home – MSDN Blogs |publisher=Blogs.msdn.com |access-date=2014-02-13 |archive-date=February 13, 2014 |archive-url=https://web.archive.org/web/20140213012007/http://blogs.msdn.com/b/rds/archive/2007/04/26/introducing-terminal-services-easy-print-part-1.aspx |url-status=live }} On the other hand, a remote administrator can also freely install, add, or remove any software or setting at the client's end. However, to start a remote administration session, one must be a member of the Administrators group on the server to which one is trying to connect.{{Cite web|title=Securing Remote Desktop (RDP) for System Administrators {{!}} Information Security Office|url=https://security.berkeley.edu/education-awareness/best-practices-how-tos/system-application-security/securing-remote-desktop-rdp|access-date=2020-10-12|website=security.berkeley.edu|archive-date=October 12, 2020|archive-url=https://web.archive.org/web/20201012115849/https://security.berkeley.edu/education-awareness/best-practices-how-tos/system-application-security/securing-remote-desktop-rdp|url-status=live}}

= Version 7.0 =

This version was released to manufacturing in July 2009 and is included with Windows Server 2008 R2, as well as with Windows 7.{{cite web |url = http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx |title = Remote Desktop Connection 7 for Windows 7, Windows XP & Windows Vista |date = August 21, 2009 |access-date = August 21, 2009 |work = Terminal Services Team Blog |publisher = Microsoft |url-status = dead |archive-url = https://web.archive.org/web/20090827093910/http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx |archive-date = August 27, 2009 |df = mdy-all }} With this release, the name also changed from Terminal Services to Remote Desktop Services. This version has new functions such as Windows Media Player redirection, bidirectional audio, multi-monitor support, Aero glass support, enhanced bitmap acceleration, Easy Print redirection,{{cite web |url=http://blogs.msdn.com/rds/archive/2009/09/28/using-remote-desktop-easy-print-in-windows-7-and-windows-server-2008-r2.aspx |title=Using Remote Desktop Easy Print in Windows 7 and Windows Server 2008 R2 |publisher=Blogs.msdn.com |access-date=2014-03-11 |archive-date=May 8, 2010 |archive-url=https://web.archive.org/web/20100508111114/http://blogs.msdn.com/rds/archive/2009/09/28/using-remote-desktop-easy-print-in-windows-7-and-windows-server-2008-r2.aspx |url-status=live }} and Language Bar docking. The RDP 7.0 client is available on Windows XP SP3 and Windows Vista SP1/SP2 through KB969084,{{cite web |url=http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remote-desktop-connection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vista-sp2.aspx |title=Announcing the availability of Remote Desktop Connection 7.0 for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2 |publisher=Blogs.msdn.com |access-date=2014-03-11 |url-status=dead |archive-url=https://web.archive.org/web/20100308114249/http://blogs.msdn.com/rds/archive/2009/10/28/announcing-the-availability-of-remote-desktop-connection-7-0-for-windows-xp-sp3-windows-vista-sp1-and-windows-vista-sp2.aspx |archive-date=March 8, 2010 |df=mdy-all }} and is not officially supported on Windows Server 2003 x86 and Windows Server 2003 / Windows XP Professional x64 editions. It is also not officially supported on Windows Server 2008.

Most RDP 7.0 features like Aero glass remote use, bidirectional audio, Windows Media Player redirection, multiple monitor support and Remote Desktop Easy Print are only available in Windows 7 Enterprise or Ultimate editions.{{cite web |url=http://blogs.msdn.com/rds/archive/2009/06/23/aero-glass-remoting-in-windows-server-2008-r2.aspx#9861892 |title=Aero Glass Remoting in Windows Server 2008 R2 |publisher=Blogs.msdn.com |access-date=2014-03-11 |url-status=dead |archive-url=https://web.archive.org/web/20090627094235/http://blogs.msdn.com/rds/archive/2009/06/23/aero-glass-remoting-in-windows-server-2008-r2.aspx#9861892 |archive-date=June 27, 2009 |df=mdy-all }}{{cite web |url=http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx#9902608 |title=Remote Desktop Connection 7 for Windows 7, Windows XP & Windows Vista |publisher=Blogs.msdn.com |access-date=2014-03-11 |url-status=dead |archive-url=https://web.archive.org/web/20090827093910/http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx#9902608 |archive-date=August 27, 2009 |df=mdy-all }}

= Version 7.1 =

Release 7.1 of RDP was included with Windows 7 Service Pack 1 and Windows Server 2008 R2 SP1 in 2010. It introduced RemoteFX, which provides virtualized GPU support and host-side encoding.

= Version 8.0 =

This version was released in Windows 8 and Windows Server 2012. This version has new functions such as Adaptive Graphics (progressive rendering and related techniques), automatic selection of TCP or UDP as transport protocol, multi touch support, DirectX 11 support for vGPU, USB redirection supported independently of vGPU support, etc.{{cite web |url=http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx |title=Windows Server 2012 Remote Desktop Services (RDS) – Windows Server Blog – Site Home – TechNet Blogs |publisher=Blogs.technet.com |date=May 8, 2012 |access-date=2014-02-13 |archive-date=October 5, 2013 |archive-url=https://web.archive.org/web/20131005022811/http://blogs.technet.com/b/windowsserver/archive/2012/05/09/windows-server-2012-remote-desktop-services-rds.aspx |url-status=live }} A "connection quality" button is displayed in the RDP client connection bar for RDP 8.0 connections; clicking on it provides further information about connection, including whether UDP is in use or not.{{cite web |url=http://support.microsoft.com/kb/2592687 |title=Remote Desktop Protocol (RDP) 8.0 update for Windows 7 and Windows Server 2008 R2 |publisher=Support.microsoft.com |access-date=2014-02-13 |archive-date=October 25, 2012 |archive-url=https://web.archive.org/web/20121025162157/http://support.microsoft.com/kb/2592687 |url-status=live }}

The RDP 8.0 client and server components are available on Windows 7 SP1 and Windows Server 2008 R2 SP1 through KB2592687. The RDP 8.0 client is also available for Windows Server 2008 R2 SP1, but the server components are not. The RDC 8.0 client includes support for session encryption using the TLS 1.2 standard.{{cite web | url=https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/incorrect-tls-use-rdp-with-ssl-encryption#more-information | title=Incorrect TLS is displayed - Windows Server | date=June 5, 2024 }} The add-on requires the DTLS protocol to be installed as prerequisite. After installing the updates, for the RDP 8.0 protocol to be enabled between Windows 7 machines, an extra configuration step is needed using the Group Policy editor.{{cite web |url=http://blogs.msdn.com/b/rds/archive/2013/04/09/get-the-best-rdp-8-0-experience-when-connecting-to-windows-7-what-you-need-to-know.aspx |title=Get the best RDP 8.0 experience when connecting to Windows 7: What you need to know – Remote Desktop Services (Terminal Services) Team Blog – Site Home – MSDN Blogs |publisher=Blogs.msdn.com |access-date=2014-02-13 |archive-date=February 12, 2014 |archive-url=https://web.archive.org/web/20140212081832/http://blogs.msdn.com/b/rds/archive/2013/04/09/get-the-best-rdp-8-0-experience-when-connecting-to-windows-7-what-you-need-to-know.aspx |url-status=live }}

A new feature in RDP 8.0 is limited support for RDP session nesting. It only works for Windows 8 and Server 2012, though; Windows 7 and Server 2008 R2 (even with the RDP 8.0 update) do not support this feature.{{cite web |url=http://support.microsoft.com/kb/2754550 |title=Running a Remote Desktop Connection session within another Remote Desktop Connection session is supported with Remote Desktop Protocol 8.0 for specific scenarios |publisher=Support.microsoft.com |date=2012-11-02 |access-date=2014-02-13 |archive-date=January 17, 2014 |archive-url=https://web.archive.org/web/20140117204255/http://support.microsoft.com/kb/2754550 |url-status=live }}

The "shadow" feature from RDP 7, which allowed an administrator to monitor (snoop on) an RDP connection, has been removed in RDP 8. The Aero Glass remoting feature (applicable to Windows 7 machines connecting to each other) has also been removed in RDP 8.{{cite web |url=http://searchvirtualdesktop.techtarget.com/tip/How-Microsoft-RDP-80-addresses-WAN-graphics-shortcomings |title=How Microsoft RDP 8.0 addresses WAN, graphics shortcomings |publisher=Searchvirtualdesktop.techtarget.com |access-date=2014-02-13 |archive-date=February 9, 2014 |archive-url=https://web.archive.org/web/20140209201016/http://searchvirtualdesktop.techtarget.com/tip/How-Microsoft-RDP-80-addresses-WAN-graphics-shortcomings |url-status=live }}

= Version 8.1 =

This version was released with Windows 8.1 and Windows Server 2012 R2. The RDP 8.1 client, like the RDP 8.0 client, is available on Windows 7 SP1 and Windows Server 2008 R2 SP1 through KB2923545 but unlike the RDP 8.0 update for Windows 7, it does not add a RDP 8.1 server component to Windows 7. Furthermore, if RDP 8.0 server function is desired on Windows 7, the KB 2592687 (RDP 8.0 client and server components) update must be installed before installing the RDP 8.1 update.{{cite web |url=http://support.microsoft.com/kb/2830477 |title=Update for RemoteApp and Desktop Connections feature is available for Windows |publisher=Support.microsoft.com |date=2014-02-11 |access-date=2014-03-11 |archive-date=February 9, 2014 |archive-url=https://web.archive.org/web/20140209174746/http://support.microsoft.com/KB/2830477 |url-status=live }}{{cite web |url=http://blogs.msdn.com/b/rds/archive/2013/11/12/remote-desktop-protocol-8-1-update-for-windows-7-sp1-released-to-web.aspx |title=Remote Desktop Protocol 8.1 Update for Windows 7 SP1 released to web – Remote Desktop Services (Terminal Services) Team Blog – Site Home – MSDN Blogs |publisher=Blogs.msdn.com |access-date=2014-02-13 |archive-date=February 22, 2014 |archive-url=https://web.archive.org/web/20140222013055/http://blogs.msdn.com/b/rds/archive/2013/11/12/remote-desktop-protocol-8-1-update-for-windows-7-sp1-released-to-web.aspx |url-status=live }}

Support for session shadowing was added back in RDP version 8.1. This version also fixes some visual glitches with Microsoft Office 2013 when running as a RemoteApp.

Version 8.1 of the RDP also enables a "restricted admin" mode. Logging into this mode only requires knowledge of the hashed password, rather than of its plaintext, therefore making a pass-the-hash attack possible.{{cite web |url=https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/ |title=New "Restricted Admin" feature of RDP 8.1 allows pass-the-hash |publisher=Labs.portcullis.co.uk |date=2013-10-20 |access-date=2014-03-11 |archive-date=February 10, 2014 |archive-url=https://web.archive.org/web/20140210131158/http://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/ |url-status=live }} Microsoft has released an 82-page document explaining how to mitigate this type of attack.{{cite web |url=http://www.microsoft.com/en-gb/download/details.aspx?id=36036 |title=Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques |publisher=Microsoft.com |access-date=2014-03-11 |archive-date=April 21, 2014 |archive-url=https://web.archive.org/web/20140421164128/http://www.microsoft.com/en-gb/download/details.aspx?id=36036 |url-status=live }}

= Version 10.0 =

Version 10.0 of the RDP was introduced with Windows 10 and includes the following new features: AutoSize zoom (useful for HiDPI clients).

In addition graphics compression improvements were included utilizing H.264/AVC.{{cite web|url=https://blogs.technet.microsoft.com/enterprisemobility/2016/01/11/remote-desktop-protocol-rdp-10-avch-264-improvements-in-windows-10-and-windows-server-2016-technical-preview/|title=Remote Desktop Protocol (RDP) 10 AVC/H.264 improvements in Windows 10 and Windows Server 2016 Technical Preview|publisher=Microsoft.com|access-date=2016-01-12|archive-date=August 17, 2016|archive-url=https://web.archive.org/web/20160817075600/https://blogs.technet.microsoft.com/enterprisemobility/2016/01/11/remote-desktop-protocol-rdp-10-avch-264-improvements-in-windows-10-and-windows-server-2016-technical-preview/|url-status=live}}

Features

  • 32-bit color support. 8-, 15-, 16-, and 24-bit color are also supported.
  • Encryption: option of legacy 56-bit or 128-bit RC4 and modern MITM-resistant TLS since version 5.2
  • Audio Redirection allows users to process audio on a remote desktop and have the sound redirected to their local computer.
  • File System Redirection allows users to use their local files on a remote desktop within the terminal session.
  • Printer Redirection allows users to use their local printer within the terminal session as they would with a locally- or network-shared printer.
  • Port Redirection allows applications running within the terminal session to access local serial and parallel ports directly.
  • The remote computer and the local computer can share the clipboard.
  • Compression goes beyond a framebuffer and takes advantage of font knowledge and tracking of window states (inherited from T.128); later extensions add more content-aware features (e.g. MS-RDPCR2).

Microsoft introduced the following features with the release of RDP 6.0 in 2006:

  • Seamless Windows: remote applications can run on a client machine that is served by a Remote Desktop connection. It is available since RDP 6.{{cite web |url=http://msdn.microsoft.com/en-us/library/cc242568(v=prot.10).aspx |title=[MS-RDPERP]: Remote Desktop Protocol: Remote Programs Virtual Channel Extension |publisher=Msdn.microsoft.com |access-date=2014-02-13 |archive-date=April 14, 2012 |archive-url=https://web.archive.org/web/20120414024103/http://msdn.microsoft.com/en-us/library/cc242568(v=prot.10).aspx |url-status=live }}
  • Remote Programs: application publishing with client-side file-type associations.
  • Terminal Services Gateway: enables the ability to use a front-end IIS server to accept connections (over port 443) for back-end Terminal Services servers via an https connection, similar to how RPC over https allows Outlook clients to connect to a back-end Exchange 2003 server. Requires Windows Server 2008.
  • Network Level Authentication
  • Support for remoting the Aero Glass Theme (or Composed Desktop), including ClearType font-smoothing technology.
  • Support for remoting Windows Presentation Foundation applications: compatible clients that have .NET Framework 3.0 support can display full Windows Presentation Foundation effects on a local machine.
  • Rewrite of device redirection to be more general-purpose, allowing a greater variety of devices to be accessed.
  • Fully configurable and scriptable via Windows Management Instrumentation.
  • Improved bandwidth tuning for RDP clients.{{citation needed|date=November 2011}}
  • Support for Transport Layer Security (TLS) 1.0 on both server and client ends (can be negotiated if both parties agree, but not mandatory in a default configuration of any version of Windows).
  • Multiple monitor support for allowing one session to use multiple monitors on the client (disables desktop composition)

Release 7.1 of RDP in 2010 introduced the following feature:

  • RemoteFX: RemoteFX provides virtualized GPU support and host-side encoding; it ships as part of Windows Server 2008 R2 SP1.

The latest version of RDP supports Transport Layer Security (TLS) version 1.1, 1.2 and 1.3 to protect RDP traffic.{{cite web | url=https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/592a0337-dc91-4de3-a901-e1829665291d | title=[MS-RDPBCGR]: Enhanced RDP Security | date=April 23, 2024 }}

Security issues

Version 5.2 of the RDP in its default configuration is vulnerable to a man-in-the-middle attack. Administrators can enable transport layer encryption to mitigate this risk.{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1794 |title=National Vulnerability Database (NVD) National Vulnerability Database (CVE-2005-1794) |publisher=Web.nvd.nist.gov |date=2011-07-19 |access-date=2014-02-13 |archive-date=September 14, 2011 |archive-url=https://web.archive.org/web/20110914061346/http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1794 |url-status=live }}{{cite web |url=http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx |title=Configuring Terminal Servers for Server Authentication to Prevent "Man in the Middle" Attacks |date=July 12, 2008 |publisher=Microsoft |access-date=November 9, 2011 |archive-date=November 6, 2011 |archive-url=https://web.archive.org/web/20111106045600/http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx |url-status=live }}
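
The check below is an added example, not part of the original article and not Microsoft code. It parses the X.224 Connection Confirm that an RDP server returns and reports whether the session fell back to Standard RDP Security (the legacy RC4 layer without TLS server authentication, which the man-in-the-middle issue above concerns) or negotiated TLS or Network Level Authentication. Field layouts and constant names follow [MS-RDPBCGR]; the sample frames and host names are constructed.

```python
"""Classify the security layer an RDP server chose from its X.224 Connection Confirm."""
import struct
from typing import NamedTuple

# selectedProtocol values carried in RDP_NEG_RSP ([MS-RDPBCGR]).
PROTOCOLS = {
    0x00000000: "PROTOCOL_RDP",        # Standard RDP Security (legacy RC4, no TLS)
    0x00000001: "PROTOCOL_SSL",        # TLS
    0x00000002: "PROTOCOL_HYBRID",     # CredSSP over TLS (Network Level Authentication)
    0x00000004: "PROTOCOL_RDSTLS",
    0x00000008: "PROTOCOL_HYBRID_EX",  # CredSSP plus Early User Authorization Result
}
# failureCode values carried in RDP_NEG_FAILURE ([MS-RDPBCGR]).
FAILURES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",    # server only offers Standard RDP Security
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


class Finding(NamedTuple):
    kind: str     # "selected", "failure" or "no-negotiation"
    name: str     # protocol or failure-code name
    legacy: bool  # True when only Standard RDP Security is in play


def parse_connection_confirm(frame: bytes) -> Finding:
    """Parse TPKT + X.224 Connection Confirm + optional 8-byte negotiation block."""
    if len(frame) < 11:
        raise ValueError("too short for TPKT and X.224 Connection Confirm")
    version, _reserved, tpkt_len = struct.unpack_from(">BBH", frame, 0)
    if version != 3 or not 11 <= tpkt_len <= len(frame):
        raise ValueError("bad TPKT header")
    length_indicator = frame[4]
    if frame[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    end = 5 + length_indicator          # LI counts the bytes that follow it
    if length_indicator < 6 or end > tpkt_len:
        raise ValueError("bad X.224 length indicator")
    neg = frame[11:end]
    if not neg:
        # No negotiation block: the server predates protocol negotiation,
        # so the client has to assume Standard RDP Security.
        return Finding("no-negotiation", "PROTOCOL_RDP (implied)", True)
    if len(neg) != 8:
        raise ValueError("negotiation block must be 8 bytes")
    msg_type, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("bad negotiation block length field")
    if msg_type == TYPE_RDP_NEG_RSP:
        name = PROTOCOLS.get(value, "unknown 0x%08x" % value)
        return Finding("selected", name, value == 0)
    if msg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURES.get(value, "unknown failure %d" % value)
        return Finding("failure", name, value == 2)
    raise ValueError("unexpected negotiation message type")


def legacy_hosts(captures):
    """Return the hosts whose response shows only Standard RDP Security."""
    return sorted(h for h, f in captures.items()
                  if parse_connection_confirm(f).legacy)


# Constructed sample responses (not captured from real systems).
_CC = "03000013" "0ed00000123400"       # TPKT (19 bytes) + X.224 CC header
SAMPLES = {
    "nla.example.test": bytes.fromhex(_CC + "0200080002000000"),
    "tls.example.test": bytes.fromhex(_CC + "0200080001000000"),
    "rc4.example.test": bytes.fromhex(_CC + "0200080000000000"),
    "old.example.test": bytes.fromhex("0300000b" "06d00000123400"),
    "strict.example.test": bytes.fromhex(_CC + "0300080005000000"),
}

if __name__ == "__main__":
    for host, frame in sorted(SAMPLES.items()):
        f = parse_connection_confirm(frame)
        flag = "LEGACY" if f.legacy else "ok"
        print("%-22s %-15s %-28s %s" % (host, f.kind, f.name, flag))
```

Hosts reported as legacy are the ones to move to TLS or Network Level Authentication first.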

RDP sessions are also susceptible to in-memory credential harvesting, which can be used to launch pass the hash attacks.{{Cite web|date=2019-06-06|title=Mimikatz and Windows RDP: An Attack Case Study|url=https://www.sentinelone.com/blog/mimikatz-windows-rdp-attack-case-study/|access-date=2020-10-12|website=SentinelOne|archive-date=October 16, 2020|archive-url=https://web.archive.org/web/20201016055118/https://www.sentinelone.com/blog/mimikatz-windows-rdp-attack-case-study/|url-status=live}}

In March 2012, Microsoft released an update for a critical security vulnerability in the RDP. The vulnerability allowed a Windows computer to be compromised by unauthenticated clients and computer worms.{{cite web|publisher=Microsoft|url=https://technet.microsoft.com/en-us/security/bulletin/ms12-020|title=Microsoft Security Bulletin MS12-020 – Critical|date=13 March 2012|access-date=16 March 2012|archive-date=February 13, 2014|archive-url=https://web.archive.org/web/20140213090241/http://technet.microsoft.com/en-us/security/bulletin/ms12-020|url-status=live}}

RDP client version 6.1 can be used to reveal the names and pictures of all users on the RDP Server (no matter which Windows version) in order to pick one, if no username is specified for the RDP connection.{{Citation needed|date=June 2015}}

In March 2018 Microsoft released a patch for {{CVE|2018-0886}}, a remote code execution vulnerability in CredSSP, which is a Security Support Provider involved in the Microsoft Remote Desktop and Windows Remote Management, discovered by Preempt.{{Cite web|url=https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886|title=CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability|website=microsoft.com|language=en|access-date=2018-03-23|archive-date=March 23, 2018|archive-url=https://web.archive.org/web/20180323155339/https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886|url-status=live}}{{Cite news|url=https://blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp|title=From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP|last=Karni|first=Eyal|access-date=2018-03-23|language=en-us|archive-date=March 23, 2018|archive-url=https://web.archive.org/web/20180323160028/https://blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp|url-status=live}}

In May 2019 Microsoft issued a security patch for {{CVE|2019-0708}} ("BlueKeep"), a vulnerability which allows for the possibility of remote code execution and which Microsoft warned was "wormable", with the potential to cause widespread disruption. Unusually, patches were also made available for several versions of Windows that had reached their end-of-life, such as Windows XP. No immediate malicious exploitation followed, but experts were unanimous that this was likely, and could cause widespread harm based on the number of systems that appeared to have remained exposed and unpatched.{{Cite web |url=https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/ |title=Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708) |last=Cimpanu |first=Catalin |website=ZDNet |access-date=2019-06-20 |archive-date=September 6, 2019 |archive-url=https://web.archive.org/web/20190906182427/https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/ |url-status=live }}{{cite news |url=https://arstechnica.com/information-technology/2019/05/microsoft-says-its-confident-an-exploit-exists-for-wormable-bluekeep-flaw/ |title=Microsoft practically begs Windows users to fix wormable BlueKeep flaw |last=Goodin |first=Dan |date=31 May 2019 |work=Ars Technica |access-date=31 May 2019 |archive-date=July 22, 2019 |archive-url=https://web.archive.org/web/20190722232414/https://arstechnica.com/information-technology/2019/05/microsoft-says-its-confident-an-exploit-exists-for-wormable-bluekeep-flaw/ |url-status=live }}{{Cite web |url=https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches |title=Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches |last=Warren |first=Tom |date=2019-05-14 |website=The Verge |access-date=2019-06-20 |archive-date=September 2, 2019 |archive-url=https://web.archive.org/web/20190902162957/https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches |url-status=live }}

In July 2019, Microsoft issued a security patch for {{CVE|2019-0887}}, an RDP vulnerability that affects Hyper-V.{{cite web |last=Ilascu |first=Ionut |title=Microsoft Ignored RDP Vulnerability Until it Affected Hyper-V |url=https://www.bleepingcomputer.com/news/security/microsoft-ignored-rdp-vulnerability-until-it-affected-hyper-v/ |date=August 7, 2019 |work=Bleeping Computer |access-date=August 8, 2019 | archive-url = https://web.archive.org/web/20190808020112/https://www.bleepingcomputer.com/news/security/microsoft-ignored-rdp-vulnerability-until-it-affected-hyper-v/ | archive-date = 2019-08-08 | df = dmy-all }}

Implementations

= Clients =

{{Main|List of Remote Desktop Protocol clients}}

Since the release of Remote Desktop Connection, there have been several additional Remote Desktop Protocol clients created by both Microsoft and other parties including Microsoft Remote Desktop, rdesktop, and FreeRDP.

= Servers =

In addition to the Microsoft-created Remote Desktop Services, open-source RDP servers on Unix include FreeRDP (see above), the ogon project and xrdp. The Windows Remote Desktop Connection client can be used to connect to such a server. Azure Virtual Desktop, which is part of the Microsoft Azure platform, also makes use of RDP.

There is also a VirtualBox Remote Display Protocol (VRDP) used in the VirtualBox virtual machine implementation by Oracle.{{cite web |title=VirtualBox Manual: 7.1. Remote Display (VRDP Support) |url=https://www.virtualbox.org/manual/UserManual.html#vrde |website=VirtualBox |access-date=27 February 2020 |archive-date=November 21, 2019 |archive-url=https://web.archive.org/web/20191121113114/http://www.virtualbox.org/manual/UserManual.html#vrde |url-status=live }} This protocol is compatible with all RDP clients, such as the one provided with Windows, but, unlike the original RDP, it can be configured to accept unencrypted and password-unprotected connections, which may be useful in secure and trusted networks, such as home or office LANs. By default, Microsoft's RDP server refuses connections to user accounts with empty passwords (but this can be changed with the Group Policy Editor{{cite web |last=Bens |first=Jelle |url=http://jellebens.blogspot.ru/2010/01/windows-7-rdp-with-blank-password.html |title=Jelle Bens: Windows 7 RDP with blank password |publisher=Jellebens.blogspot.ru |date=2010-01-31 |access-date=2014-03-11 |archive-date=May 8, 2013 |archive-url=https://web.archive.org/web/20130508053031/http://jellebens.blogspot.ru/2010/01/windows-7-rdp-with-blank-password.html |url-status=live }}). External and guest authorization options are provided by VRDP as well. It does not matter which operating system is installed as a guest because VRDP is implemented on the virtual machine (host) level, not in the guest system. The proprietary VirtualBox Extension Pack is required.
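The following Python audit is an added example, not code from VirtualBox or its manual: it flags virtual machines whose remote display is enabled without any authentication, the password-unprotected configuration described above. The key names <code>vrde</code> and <code>vrdeauthtype</code> are assumed to match the output of <code>VBoxManage showvminfo --machinereadable</code>, and the sample data is constructed.

```python
import re

# Constructed sample: per-VM text in the style of
# `VBoxManage showvminfo <vm> --machinereadable`.
# Assumption: the key names vrde / vrdeauthtype match the real output.
SAMPLE = {
    "build-agent": 'name="build-agent"\nvrde="on"\nvrdeport=3389\nvrdeauthtype="null"\n',
    "finance-db": 'name="finance-db"\nvrde="on"\nvrdeport=5000\nvrdeauthtype="external"\n',
    "scratch": 'name="scratch"\nvrde="off"\n',
}

LINE = re.compile(r"^([^=]+)=(.*)$")


def parse_vminfo(text):
    """Parse key=value and key="value" lines into a dict; skip other lines."""
    info = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop surrounding quotes
        info[key] = value
    return info


def audit_vrde(info):
    """Return findings for one VM; an empty list means nothing to report."""
    if info.get("vrde", "off").lower() != "on":
        return []  # remote display disabled, so no listener to review
    auth = info.get("vrdeauthtype")
    if auth is None:
        return ["VRDE enabled but auth type not reported; verify manually"]
    if auth.lower() == "null":
        return ["VRDE enabled with auth type 'null': no credentials required"]
    return []  # external or guest authentication is configured


def audit_all(outputs):
    """Map VM name -> findings, omitting VMs with no findings."""
    report = {}
    for vm, text in outputs.items():
        findings = audit_vrde(parse_vminfo(text))
        if findings:
            report[vm] = findings
    return report


if __name__ == "__main__":
    for vm, findings in audit_all(SAMPLE).items():
        for finding in findings:
            print(f"{vm}: {finding}")
```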

Patents

Microsoft requires third-party implementations to license the relevant RDP patents.{{cite web|url=https://cloudblogs.microsoft.com/enterprisemobility/2013/12/11/remote-desktop-protocol-licensing-available-for-rdp-8/ |title=Remote Desktop Protocol Licensing Available for RDP 8 |publisher=Blogs.msdn.com |date=2014-12-11 |access-date=2018-02-08 |archive-url=https://web.archive.org/web/20180208211152/https://cloudblogs.microsoft.com/enterprisemobility/2013/12/11/remote-desktop-protocol-licensing-available-for-rdp-8/ |archive-date=2018-02-08 |url-status=live}} {{As of|February 2014}}, the extent to which open-source clients meet this requirement remains unknown.

Use in cybercrime

Security researchers reported in 2016–17 that cybercriminals were selling compromised RDP servers on underground forums as well as specialized illicit RDP shops.{{Cite web|url=https://securelist.com/xdedic-the-shady-world-of-hacked-servers-for-sale/75027/|title=xDedic – the shady world of hacked servers for sale|last=GReAT|date=June 15, 2016|website=SecureList|access-date=2018-12-15|archive-date=December 15, 2018|archive-url=https://web.archive.org/web/20181215123112/https://securelist.com/xdedic-the-shady-world-of-hacked-servers-for-sale/75027/|url-status=live}}{{Cite web|url=https://www.flashpoint-intel.com/blog/uas-shop-international-rdp-servers/|title="Ultimate Anonymity Services" Shop Offers Cybercriminals International RDP Servers|last1=Kremez|first1=Vitali|last2=Rowley|first2=Liv|date=2017-10-24|language=en-US|access-date=2018-12-15|archive-date=December 15, 2018|archive-url=https://web.archive.org/web/20181215171339/https://www.flashpoint-intel.com/blog/uas-shop-international-rdp-servers/|url-status=live}} These compromised RDP servers may be used as a "staging ground" for conducting other types of fraud or to access sensitive personal or corporate data.{{Cite web|url=https://securityintelligence.com/news/dark-web-rdp-shops-offer-access-to-vulnerable-systems-for-as-little-as-3/|title=Dark Web 'RDP Shops' Offer Access to Vulnerable Systems for as Little as $3|last=Bisson|first=David|date=19 July 2018|website=Security Intelligence|language=en-US|access-date=2018-12-15|archive-date=December 15, 2018|archive-url=https://web.archive.org/web/20181215122030/https://securityintelligence.com/news/dark-web-rdp-shops-offer-access-to-vulnerable-systems-for-as-little-as-3/|url-status=live}} Researchers further report instances of cybercriminals using RDP to directly drop malware on computers.{{Cite web|url=https://www.csoonline.com/article/3291617/security/samsam-infected-thousands-of-labcorp-systems-via-brute-force-rdp.html|title=Samsam infected thousands of LabCorp systems via brute force RDP|last=Ragan|first=Steve|date=2018-07-19|website=CSO Online|language=en|access-date=2018-12-15|archive-date=December 15, 2018|archive-url=https://web.archive.org/web/20181215122835/https://www.csoonline.com/article/3291617/security/samsam-infected-thousands-of-labcorp-systems-via-brute-force-rdp.html|url-status=live}}

References

{{Reflist|30em}}