5.4 Enhanced RDP Security

When Enhanced RDP Security is used, RDP traffic is no longer protected by using the techniques described in section 5.3. Instead, all security operations (such as encryption and decryption, data integrity checks, and server authentication) are implemented by one of the following External Security Protocols:

• TLS 1.0 ([RFC2246])

• TLS 1.1 ([RFC4346])

• TLS 1.2 ([RFC5246])

• TLS 1.3 ([RFC8446])

• CredSSP ([MS-CSSP])

• RDSTLS (section 5.4.5.3)

• RDS AAD Auth (section 5.4.5.4)

The benefit of using an External Security Protocol is that RDP developers no longer need to manually implement protocol security mechanisms, but can instead rely on well-known and proven security protocol packages (such as the Schannel Security Package which implements SSL, see [MSDN-SCHANNEL]) to provide end-to-end security.

Another key benefit of Enhanced RDP Security is that it enables the use of Network Level Authentication (NLA) when using CredSSP as the External Security Protocol.