Microsoft has released a new Remote Desktop Protocol (RDP) client for XP SP2 and W2K3 SP1 for connecting to Vista and later Windows computers. You can get the new client here.

As much as I like RDP for managing remote Windows computers, it has had a serious flaw in it that makes it vulnerable to attack, as reported by several sources including the author of the hacker tool Cain & Abel. You can read his excellent article here.

Essentially, with RDP there is a private key that should be private and unknown. Somehow, Microsoft chose to make this key the same key in every version of Windows and make it easy to obtain (a.k.a. “the public private key”). This crypto implementation error allows RDP traffic to be MitM’d and the session decoded. I have successfully used Cain & Abel to decode RDP traffic, including the password sent between the RDP client and the remote server, no matter how long or complex that password is, or what the encryption settings are for Terminal Services/RDP.

Interestingly, I haven’t always been able to get it to work successfully in all the environments I have tried it in. Not sure why. But it is successful enough that I always supplement RDP with another layer of encryption/authentication, like IPSec, SSL, TLS, or SSH. Microsoft’s defense is that while they have promised encryption, they did not promise authentication, and the public-private key is an authentication issue. Unfortunately, it means that RDP cannot be relied upon as being secure.
Use RDP without another authentication supplement, and you are risking having your password stolen.

Microsoft fixed the problem in Vista (and Longhorn server) by adding better authentication. You can configure Vista (and LH) to accept old RDP connections, or to require the new, updated RDP clients. The link above, and here, lets you install the new, more secure RDP client.

Wikipedia has a great list of new RDP 6.0 (as the new client and server is called) features available here. Strangely, though, it doesn’t mention upgraded security in the list.
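As an added example (not from the original post), here is a PowerShell audit of whether a Vista-or-later host is configured to accept the old RDP connections the post warns about, or to require the updated client. The registry path and value meanings are standard Windows Terminal Server settings (the updated-client requirement is what Windows calls Network Level Authentication); the post does not name them, so treat them as an assumption to verify against your own build.

```powershell
# Added example: audit whether this host still accepts the legacy RDP
# handshake described in the post (same well-known key on every Windows
# version, so a man-in-the-middle can decode the session), or whether it
# requires the updated, authenticating RDP client. Run in an elevated
# PowerShell on Vista / Longhorn server or later. Registry names and value
# meanings are standard Windows settings (assumption: not taken from the post).
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$props = Get-ItemProperty -Path $path

# SecurityLayer: 0 = legacy RDP security (the flawed scheme), 1 = negotiate
#                (falls back to legacy for old clients), 2 = TLS/SSL required.
# UserAuthentication: 1 = require Network Level Authentication, which only
#                the updated (RDP 6.0 and later) clients can perform.
# A missing value casts to 0, i.e. it is reported as the weak setting.
$securityLayer = [int]$props.SecurityLayer
$requireNla    = [int]$props.UserAuthentication

$findings = @()
if ($securityLayer -lt 2) {
    $findings += "SecurityLayer=$securityLayer: host can fall back to legacy RDP " +
                 "encryption; set to 2 to require TLS/SSL."
}
if ($requireNla -ne 1) {
    $findings += "UserAuthentication=$requireNla: old RDP clients are accepted " +
                 "without authentication; set to 1 to require the updated client."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: RDP-Tcp requires TLS/SSL and the updated (authenticating) client."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Older XP/2003 hosts have no such setting to harden, which is why the post pairs RDP to those machines with IPSec, SSL/TLS, or SSH instead.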