5.4.1 Encryption Levels

Enhanced RDP Security (section 5.4) supports a subset of the encryption levels used by Standard RDP Security (section 5.3.1). The required Encryption Level is configured on the server.

  1. Client Compatible: All data sent between the client and the server is protected using encryption techniques negotiated through mechanisms defined by the negotiated security protocol.

  2. High: All data sent between the client and the server is protected using encryption techniques which employ at least a 128-bit symmetric key negotiated through mechanisms defined by the negotiated security protocol. The server enforces the key strength, and clients that do not support 128-bit symmetric keys cannot connect.

  3. FIPS: All data sent between the client and server is protected by the negotiated security protocol using the following Federal Information Processing Standard 140-1 validated methods: RSA for key exchange, Triple DES for bulk encryption, and SHA-1 for any hashing operations. Clients that do not support these methods cannot connect.

When a client connects to a server configured for Enhanced RDP Security, the encryption level returned to the client is ENCRYPTION_LEVEL_NONE (0). This is because the session encryption is provided by an External Security Protocol (section 5.4.5); double-encrypting the RDP traffic, although possible, is undesirable from a performance standpoint.
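An added example (not part of the specification text) showing why a monitoring or audit tool must read the returned encryption level together with the negotiated security protocol: under Enhanced RDP Security a level of 0 means the External Security Protocol carries the encryption, whereas under Standard RDP Security the same value means cleartext. It assumes the Server Security Data layout (type 0x0C02, length, encryptionMethod, encryptionLevel, little-endian) and the level and protocol constants from MS-RDPBCGR; only ENCRYPTION_LEVEL_NONE (0) appears in the section above.

```python
import struct

# Encryption levels (ENCRYPTION_LEVEL_NONE is from the section above; the rest
# are assumed from the Server Security Data definition in MS-RDPBCGR).
ENCRYPTION_LEVEL_NONE = 0
ENCRYPTION_LEVEL_LOW = 1
ENCRYPTION_LEVEL_CLIENT_COMPATIBLE = 2
ENCRYPTION_LEVEL_HIGH = 3
ENCRYPTION_LEVEL_FIPS = 4
LEVEL_NAMES = {0: "None", 1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS"}

# Security protocol selected by the server (assumed RDP_NEG_RSP values).
PROTOCOL_RDP = 0          # Standard RDP Security
PROTOCOL_SSL = 1          # TLS (an External Security Protocol)
PROTOCOL_HYBRID = 2       # CredSSP (an External Security Protocol)
PROTOCOL_HYBRID_EX = 8    # CredSSP with Early User Authorization Result

SC_SECURITY_TYPE = 0x0C02  # assumed header type of the Server Security Data block


def parse_server_security_data(blob: bytes) -> dict:
    """Parse the fixed 12-byte prefix of a Server Security Data block."""
    if len(blob) < 12:
        raise ValueError("Server Security Data block too short")
    hdr_type, length, method, level = struct.unpack_from("<HHII", blob, 0)
    if hdr_type != SC_SECURITY_TYPE:
        raise ValueError(f"unexpected header type 0x{hdr_type:04X}")
    return {"length": length, "encryptionMethod": method, "encryptionLevel": level}


def classify_session(selected_protocol: int, encryption_level: int) -> str:
    """Interpret the encryption level in the context of the negotiated protocol."""
    if selected_protocol == PROTOCOL_RDP:
        if encryption_level == ENCRYPTION_LEVEL_NONE:
            return "cleartext: Standard RDP Security with no encryption"
        return f"standard-rdp-security: level {LEVEL_NAMES.get(encryption_level, '?')}"
    if encryption_level != ENCRYPTION_LEVEL_NONE:
        # The section above says the server returns 0 here; anything else is worth a look.
        return f"unexpected: level {encryption_level} returned alongside an external protocol"
    return "external-security-protocol: traffic protected by TLS/CredSSP, level 0 is expected"


# Constructed sample: a server running Enhanced RDP Security returns method 0, level 0.
SAMPLE_SC_SEC1 = struct.pack("<HHII", SC_SECURITY_TYPE, 12, 0, 0)

if __name__ == "__main__":
    sec = parse_server_security_data(SAMPLE_SC_SEC1)
    print(classify_session(PROTOCOL_HYBRID, sec["encryptionLevel"]))
    print(classify_session(PROTOCOL_RDP, sec["encryptionLevel"]))
```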