Microsoft has released a new Remote Desktop Protocol (RDP) client for XP SP2 and W2K3 SP1 for connecting to Vista and later Windows computers.You can get the new client here.As much as I like RDP for managing remote Windows computers, it has had a serious flaw in it that makes it vulnerable to attack, as reported by several sources including the author of hacker tool Cain & Able. You can read his excellent article here.Essentially, with RDP there is a private key that should be private and unknown. Somehow, Microsoft chose to make this key the same key in every version of Windows and make it easy to obtain (a.k.a. "the public private key"). This crypto implementation error allows RDP traffic to be MitM'd and the session decoded.I have successfully used Cain & Able to decode RDP traffic, including the password sent between the RDP client and the remote server, no matter how long or complex that password is, or what the encryption settings are for Terminal Services\/RDP.Interestingly, I haven't always been able to get it to work successfully in all the environments I have tried it in. Not sure why. But it is successful enough that I always supplement RDP with another layer of encryption\/authentication, like IPSec, SSL, TLS, or SSH.Microsoft's defense is that while they have promised encryption, they did not promise authentication, and the public-private key is an authentication issue. Unfortunately, it means that RDP cannot be relied upon as being secure. Use RDP without another authentication supplement, and you are risking having your password stolen.Microsoft fixed the problem in Vista (and Longhorn server) by adding better authentication. You can configure Vista (and LH) to accept old RDP connections, or to require the new, updated RDP clients. The link above, and here, let's you install the new, more secure RDP client.Wikipedia has a great list of new RDP 6.0 (as the new client and server is called) features available here. Strangely, though, it doesn't mention upgraded security in the list.