2.2.8.1.1.2.1 Basic (TS_SECURITY_HEADER)

Article
09/03/2022

The TS_SECURITY_HEADER structure is used to store security flags.

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
flags																flagsHi

flags (2 bytes): A 16-bit, unsigned integer that contains security flags.

Flag	Meaning
SEC_EXCHANGE_PKT 0x0001	Indicates that the packet is a Security Exchange PDU (section 2.2.1.10). This packet type is sent from client to server only. The client only sends this packet if it will be encrypting further communication and Standard RDP Security mechanisms (section 5.3) are in effect.
SEC_TRANSPORT_REQ 0x0002	Indicates that the packet is an Initiate Multitransport Request PDU (section 2.2.15.1). This flag MUST NOT be present if the PDU containing the security header is being sent from client to server. This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (section 2.2.1.4.5).
SEC_TRANSPORT_RSP 0x0004	Indicates that the packet is an Initiate Multitransport Response PDU (section 2.2.15.2). This flag MUST NOT be present if the PDU containing the security header is being sent from server to client. This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (section 2.2.1.4.5).
SEC_ENCRYPT 0x0008	Indicates that the packet is encrypted.
SEC_RESET_SEQNO 0x0010	This flag is not processed by any RDP clients or servers and MUST be ignored.
SEC_IGNORE_SEQNO 0x0020	This flag is not processed by any RDP clients or servers and MUST be ignored.
SEC_INFO_PKT 0x0040	Indicates that the packet is a Client Info PDU (section 2.2.1.11). This packet type is sent from client to server only. If Standard RDP Security mechanisms are in effect, then this packet MUST also be encrypted.
SEC_LICENSE_PKT 0x0080	Indicates that the packet is a Licensing PDU (section 2.2.1.12).
SEC_LICENSE_ENCRYPT_CS 0x0200	Indicates to the client that the server is capable of processing encrypted licensing packets. It is sent by the server together with any licensing PDUs (section 2.2.1.12).
SEC_LICENSE_ENCRYPT_SC 0x0200	Indicates to the server that the client is capable of processing encrypted licensing packets. It is sent by the client together with the SEC_EXCHANGE_PKT flag when sending a Security Exchange PDU (section 2.2.1.10).
SEC_REDIRECTION_PKT 0x0400	Indicates that the packet is a Standard Security Server Redirection PDU (section 2.2.13.2.1) and that the PDU is encrypted.
SEC_SECURE_CHECKSUM 0x0800	Indicates that the MAC for the PDU was generated using the "salted MAC generation" technique (section 5.3.6.1.1). If this flag is not present, then the standard technique was used (sections 2.2.8.1.1.2.2 and 2.2.8.1.1.2.3).
SEC_AUTODETECT_REQ 0x1000	Indicates that the packet is an Auto-Detect Request PDU (section 2.2.14.3). This flag MUST NOT be present if the PDU containing the security header is being sent from client to server. This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (section 2.2.1.4.5).
SEC_AUTODETECT_RSP 0x2000	Indicates that the packet is an Auto-Detect Response PDU (section 2.2.14.4). This flag MUST NOT be present if the PDU containing the security header is being sent from server to client. This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (2.2.1.4.5).
SEC_HEARTBEAT 0x4000	Indicates that the packet is a Heartbeat PDU (section 2.2.16.1). This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (2.2.1.4.5).
SEC_FLAGSHI_VALID 0x8000	Indicates that the flagsHi field contains valid data. If this flag is not set, then the contents of the flagsHi field MUST be ignored.

Flag

Meaning

SEC_EXCHANGE_PKT

0x0001

Indicates that the packet is a Security Exchange PDU (section 2.2.1.10). This packet type is sent from client to server only. The client only sends this packet if it will be encrypting further communication and Standard RDP Security mechanisms (section 5.3) are in effect.

SEC_TRANSPORT_REQ

0x0002

Indicates that the packet is an Initiate Multitransport Request PDU (section 2.2.15.1). This flag MUST NOT be present if the PDU containing the security header is being sent from client to server.

This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (section 2.2.1.4.5).

SEC_TRANSPORT_RSP

0x0004

Indicates that the packet is an Initiate Multitransport Response PDU (section 2.2.15.2). This flag MUST NOT be present if the PDU containing the security header is being sent from server to client.

SEC_ENCRYPT

0x0008

Indicates that the packet is encrypted.

SEC_RESET_SEQNO

0x0010

This flag is not processed by any RDP clients or servers and MUST be ignored.

SEC_IGNORE_SEQNO

0x0020

This flag is not processed by any RDP clients or servers and MUST be ignored.

SEC_INFO_PKT

0x0040

Indicates that the packet is a Client Info PDU (section 2.2.1.11). This packet type is sent from client to server only. If Standard RDP Security mechanisms are in effect, then this packet MUST also be encrypted.

SEC_LICENSE_PKT

0x0080

Indicates that the packet is a Licensing PDU (section 2.2.1.12).

SEC_LICENSE_ENCRYPT_CS

0x0200

Indicates to the client that the server is capable of processing encrypted licensing packets. It is sent by the server together with any licensing PDUs (section 2.2.1.12).

SEC_LICENSE_ENCRYPT_SC

0x0200

Indicates to the server that the client is capable of processing encrypted licensing packets. It is sent by the client together with the SEC_EXCHANGE_PKT flag when sending a Security Exchange PDU (section 2.2.1.10).

SEC_REDIRECTION_PKT

0x0400

Indicates that the packet is a Standard Security Server Redirection PDU (section 2.2.13.2.1) and that the PDU is encrypted.

SEC_SECURE_CHECKSUM

0x0800

Indicates that the MAC for the PDU was generated using the "salted MAC generation" technique (section 5.3.6.1.1). If this flag is not present, then the standard technique was used (sections 2.2.8.1.1.2.2 and 2.2.8.1.1.2.3).

SEC_AUTODETECT_REQ

0x1000

Indicates that the packet is an Auto-Detect Request PDU (section 2.2.14.3). This flag MUST NOT be present if the PDU containing the security header is being sent from client to server.

SEC_AUTODETECT_RSP

0x2000

Indicates that the packet is an Auto-Detect Response PDU (section 2.2.14.4). This flag MUST NOT be present if the PDU containing the security header is being sent from server to client.

SEC_HEARTBEAT

0x4000

Indicates that the packet is a Heartbeat PDU (section 2.2.16.1). This flag MUST NOT be present if the PDU containing the security header is not being sent on the MCS message channel. The ID of the message channel is specified in the Server Message Channel Data (2.2.1.4.5).

SEC_FLAGSHI_VALID

0x8000

Indicates that the flagsHi field contains valid data. If this flag is not set, then the contents of the flagsHi field MUST be ignored.

flagsHi (2 bytes): A 16-bit, unsigned integer. This field is reserved for future use. It is currently unused and all values are ignored. This field MUST contain valid data only if the SEC_FLAGSHI_VALID bit (0x8000) is set in the flags field. If this bit is not set, the flagsHi field is uninitialized and MAY contain random data.

2.2.8.1.1.2.1 Basic (TS_SECURITY_HEADER)

Additional resources