Published on November 9th, 2019 | by Bibhuranjan
Remote Desktop Protocol Architecture and features
The RDP protocol is a convenient, effective and practical tool for remote access, both for administration and for everyday work.
Given that it is implemented almost everywhere (on many platforms and operating systems), and that there are many such implementations, you need to be well aware of its capabilities.
This is needed for at least the following reasons:
- Often another solution (VNC, Citrix ICA) is used instead of RDP for a simple reason: it is assumed that "the built-in RDP is minimal and can't do anything".
- In many decisions related to the now-fashionable cloud technologies (switching offices to "thin clients", or simply setting up terminal servers), there is an opinion that "RDP is bad because it's built-in".
- There is a standard myth that "RDP cannot be exposed without a VPN, someone will break into it" (the myth has a justification, but it has not been relevant for a long time).
- And since we are talking about myths, there is an opinion that "having switched from RDP to Citrix, traffic drops by a factor of a couple". After all, Citrix is expensive, therefore it is at least 157% cooler.
RDP History
The Remote Desktop protocol was created by Microsoft to provide remote access to Windows servers and workstations. The RDP protocol is designed so that many less powerful workstations can use the resources of a high-performance terminal server. The terminal server (version 4.0) first appeared in 1998 as part of Windows NT 4.0 Terminal Server; at the time of writing (January 2009), the latest version of the terminal server is version 6.1, which is included in the distributions of Windows 2008 Server and Windows Vista SP1. Currently, RDP is the main remote access protocol for systems of the Windows family, and client applications exist both for Microsoft's OS and for Linux, FreeBSD, Mac OS X, etc.
Speaking about the history of RDP, one cannot help but mention the company Citrix. Citrix Systems in the 1990s specialized in multi-user systems and remote access technologies. After acquiring a Windows NT 3.51 source code license in 1995, the company released a multi-user version of Windows NT, known as WinFrame. In 1997, Citrix Systems and Microsoft entered into an agreement under which the Windows NT 4.0 multi-user environment was based on Citrix technology. In turn, Citrix Systems gave up distributing a full-fledged operating system and received the right to develop and sell extensions for Microsoft products. These extensions were originally called MetaFrame. Rights to ICA (Independent Computing Architecture),
Currently, the main competition between Citrix and Microsoft has flared up in the field of application servers for small and medium-sized businesses. Traditionally, solutions based on Terminal Services win in systems with a not very large number of servers of the same type and similar configurations, while Citrix Systems has firmly established itself in the market of complex and high-performance systems. Competition is fueled by Citrix's lightweight solutions for small systems and Microsoft's ongoing expansion of Terminal Services functionality. It is also pretty easy to buy RDP: there are a lot of sites and online platforms that provide RDP at an affordable price.
RDP Protocol Versions
The protocol has a fairly long history starting with NT 4.0. We will leave the historical details aside for a simple reason: at the moment it makes sense to talk only about RDP 7.0, which ships in Windows Vista SP1 / Windows Server 2008 and is added free of charge to Windows XP by installing SP3 and the updated RDP client (see KB969084). I assume that you have at least Windows XP, that you have installed or can install the latest Service Pack, and that you will not spend your time discussing the advantages of RDP in Windows 2000 SP2 over NT 4.0 SP5.
Consider the benefits of these solutions.
Strengths of Terminal Services:
- Easy installation of applications for the client part of the application server
- Centralized user session maintenance
- License only required for Terminal Services
Strengths of Citrix Solutions:
- Ease of scaling
- Ease of administration and monitoring
- Access Control Policy
- Third-party enterprise product support (IBM WebSphere, BEA WebLogic)
How RDP Works
Remote Desktop is an application-layer protocol that runs over TCP. After a connection is established at the transport level, an RDP session is initialized, within which the various data transfer parameters are negotiated. After the initialization phase is successfully completed, the terminal server starts sending graphic output to the client and expects input from the keyboard and mouse.
The graphic output can be either an exact copy of the screen, transmitted as an image, or commands for rendering graphic primitives (rectangle, line, ellipse, text, etc.). Transfer of output as primitives is the preferred mode for the RDP protocol, since it saves traffic significantly; the image is transmitted only when this is not possible for some reason (for example, the parameters for transmitting primitives could not be agreed on when the RDP session was set up).
RDP supports several virtual channels within a single connection, which can be used to provide additional functionality:
- Using a printer or serial port
- File system redirection
- Clipboard support
- Use of audio subsystem
The characteristics of the virtual channels are negotiated during the connection setup phase.
RDP Security
The RDP protocol specification provides for one of two security approaches:
- Standard RDP Security (Integrated Security Subsystem)
- Enhanced RDP Security (external security subsystem)
Standard RDP Security
With this approach, authentication, encryption and integrity are implemented by means of the RDP protocol itself. [1]
Authentication
Server authentication is performed as follows:
- When the system starts, an RSA key pair is generated
- A Proprietary Certificate is generated for the public key
- The certificate is signed with an RSA key hard-coded into the operating system (every RDP client contains the public half of this built-in RSA key). [12]
- The client connects to the terminal server and receives the Proprietary Certificate
- The client verifies the certificate and extracts the server's public key (this key is later used to negotiate the encryption settings)
Client authentication is performed by entering a username and password.
Encryption
The encryption algorithm is the RC4 stream cipher. Depending on the version of the operating system, key lengths from 40 to 168 bits are available.
Maximum key length for Windows operating systems:
- Windows 2000 Server – 56 bit
- Windows XP, Windows 2003 Server – 128 bit
- Windows Vista, Windows 2008 Server – 168 bit
When a connection is established, after the key length has been negotiated, two different keys are generated: one for encrypting data sent by the client and one for data sent by the server.
Integrity
Message integrity is achieved with a Message Authentication Code (MAC) built from the MD5 and SHA-1 hash functions.
Starting with Windows 2003 Server, to meet the requirements of the FIPS (Federal Information Processing Standard) 140-1 standard, it is possible to use the 3DES algorithm for message encryption and a MAC based only on SHA-1 for integrity. [15]
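As an added illustration of what "two different keys" and a "MAC based on MD5 and SHA-1" mean in Standard RDP Security, the following Python is example code written for this page (not code from the original article), following the key schedule documented in the MS-RDPBCGR specification and implemented by open-source clients such as rdesktop; the client and server randoms it uses are constructed, not taken from a real handshake.

```python
import hashlib

def _salted_hash48(secret: bytes, client_random: bytes, server_random: bytes, salt: str) -> bytes:
    """48-byte expansion: for i in 0..2, MD5(secret || SHA1(pad_i || secret || CR || SR)),
    where pad_i is the salt letter (A/B/C or X/Y/Z) repeated i+1 times."""
    out = b""
    for i in range(3):
        pad = (chr(ord(salt) + i) * (i + 1)).encode()
        sha = hashlib.sha1(pad + secret + client_random + server_random).digest()
        out += hashlib.md5(secret + sha).digest()
    return out

def _final_hash16(key: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return hashlib.md5(key + client_random + server_random).digest()

def derive_session_keys(client_random: bytes, server_random: bytes, key_bits: int) -> dict:
    """Derive the MAC key and the two directional RC4 keys from the 32-byte client and server randoms."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("client and server randoms are 32 bytes each")
    pre_master = client_random[:24] + server_random[:24]
    master = _salted_hash48(pre_master, client_random, server_random, "A")
    blob = _salted_hash48(master, client_random, server_random, "X")
    mac_key = blob[:16]                                                        # first 16 bytes sign traffic
    client_decrypt = _final_hash16(blob[16:32], client_random, server_random)  # server -> client stream
    client_encrypt = _final_hash16(blob[32:48], client_random, server_random)  # client -> server stream
    if key_bits == 40:                      # export grade: 3 fixed bytes + 5 secret bytes, 8-byte RC4 key
        shorten = lambda k: b"\xd1\x26\x9e" + k[3:8]
    elif key_bits == 56:                    # 1 fixed byte + 7 secret bytes
        shorten = lambda k: b"\xd1" + k[1:8]
    elif key_bits == 128:
        shorten = lambda k: k
    else:
        raise ValueError("key length must be 40, 56 or 128 bits")
    return {"mac": shorten(mac_key), "client_encrypt": shorten(client_encrypt),
            "client_decrypt": shorten(client_decrypt)}

def mac_signature(mac_key: bytes, data: bytes) -> bytes:
    """8-byte MAC appended to each encrypted PDU:
    MD5(key || pad92 || SHA1(key || pad54 || len(data) as LE32 || data))[:8]."""
    pad54, pad92 = b"\x36" * 40, b"\x5c" * 48
    inner = hashlib.sha1(mac_key + pad54 + len(data).to_bytes(4, "little") + data).digest()
    return hashlib.md5(mac_key + pad92 + inner).digest()[:8]

if __name__ == "__main__":
    # Constructed randoms, not from a real handshake.
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    for bits in (40, 56, 128):
        keys = derive_session_keys(cr, sr, bits)
        print(bits, {k: v.hex() for k, v in keys.items()}, mac_signature(keys["mac"], b"example PDU").hex())
```

The fixed 0xD1 0x26 0x9E prefix shows why "40-bit encryption" leaves only five secret key bytes, which is the reason these levels are treated as legacy.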
Enhanced RDP Security
This approach uses external security modules:
- TLS 1.0
- CredSSP
TLS can be used starting with the version of Windows 2003 Server, but only if it is supported by the RDP client. TLS support has been added since the RDP client version 6.0.
When using TLS, the server certificate can either be generated by Terminal Services or selected from the existing certificates in the Windows certificate store. [13] [16]
CredSSP is a combination of TLS, Kerberos, and NTLM.
Consider the main advantages of the CredSSP protocol:
- Checking whether the user is permitted to log on to the remote system before a full RDP connection is set up, which saves terminal server resources when there are many connections
- Strong TLS authentication and encryption
- Using Single Sign On with Kerberos or NTLM
CredSSP features can only be used on Windows Vista and Windows 2008 Server. This protocol is enabled by the Use Network Level Authentication flag in the terminal server settings (Windows 2008 Server) or in the remote access settings (Windows Vista).
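The choice between Standard and Enhanced RDP Security is made in the very first exchange: the client offers TLS and/or CredSSP in an RDP Negotiation Request inside its X.224 Connection Request, and the server either selects one, refuses (for example because Network Level Authentication is required), or, if it predates RDP 6.0, answers with a bare Connection Confirm that leaves only Standard RDP Security. The following Python is an added example written for this page (not code from the original article) that builds and decodes these PDUs offline from constructed sample replies, so an auditor can tell from a capture which security approach a terminal server actually negotiated.

```python
import struct

# Protocol identifiers carried in RDP_NEG_REQ / RDP_NEG_RSP (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # Standard security, TLS, CredSSP (NLA)
PROTOCOL_NAMES = {PROTOCOL_RDP: "Standard RDP Security", PROTOCOL_SSL: "TLS", PROTOCOL_HYBRID: "CredSSP/NLA"}
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
                 4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER"}
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03

def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ: the client's security offer."""
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested_protocols)  # type, flags, length, protocols
    x224 = bytes([0xE0]) + struct.pack(">HHB", 0, 0, 0) + neg_req           # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                                         # LI counts the bytes after itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224                   # TPKT: version 3, reserved, length

def parse_connection_confirm(pdu: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and report which security approach it selected."""
    version, _, length = struct.unpack(">BBH", pdu[:4])
    if version != 3 or length != len(pdu) or len(pdu) < 11:
        raise ValueError("bad TPKT header or truncated PDU")
    li, code = pdu[4], pdu[5]
    if code & 0xF0 != 0xD0:                         # X.224 CC TPDU code lives in the high nibble
        raise ValueError("not an X.224 Connection Confirm")
    body = pdu[11:5 + li]                           # variable part after the 6 fixed X.224 bytes
    if len(body) < 8:
        # Servers older than RDP 6.0 answer with a bare CC TPDU: only Standard RDP Security is possible.
        return {"kind": "legacy", "protocol": PROTOCOL_NAMES[PROTOCOL_RDP]}
    typ, _flags, _size, value = struct.unpack("<BBHI", body[:8])
    if typ == TYPE_NEG_RSP:
        return {"kind": "response", "protocol": PROTOCOL_NAMES.get(value, f"unknown({value:#x})")}
    if typ == TYPE_NEG_FAILURE:
        return {"kind": "failure", "reason": FAILURE_NAMES.get(value, f"unknown({value:#x})")}
    raise ValueError(f"unexpected negotiation structure type {typ:#x}")

def uses_legacy_security(confirm: dict) -> bool:
    """True when the negotiated outcome leaves the session on RC4-based Standard RDP Security."""
    return confirm.get("protocol") == PROTOCOL_NAMES[PROTOCOL_RDP]

# Constructed sample server replies (not real captures): NLA selected, NLA demanded, pre-6.0 server.
SAMPLE_NLA = bytes.fromhex("030000130ed00000123400" "0200080002000000")
SAMPLE_FAILURE = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    print(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID).hex())
    for sample in (SAMPLE_NLA, SAMPLE_FAILURE, SAMPLE_LEGACY):
        result = parse_connection_confirm(sample)
        print(result, "-> legacy security, review this host" if uses_legacy_security(result) else "")
```

A server that answers with a failure of type HYBRID_REQUIRED_BY_SERVER is the wire-level sign that the Use Network Level Authentication flag is set.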