
When connecting to a Remote Desktop on the client side: (in my case Windows 8.1 RD client to a Windows 10 Enterprise 1709/16299.98)

We need to enter and transfer the username/password on the client first, BEFORE checking the server's certificate.

1. If the username/password is not right, the RD client just reports that the CREDENTIAL does not work, then asks for a re-entry.

2. If the username/password is right, the RD client will then give a caution warning the client that the server CERTIFICATE was issued by a non-trusted organization (in most users' case, the server itself auto-issued it).

So is this correct for protecting the username/password from a man-in-the-middle attack? Or does it just use the username/password as a key for symmetric encryption?

imoc

2 Answers


There is a lot of authorisation, authentication and handshaking going on, even before any client data has been submitted. In the different versions of the protocol, things changed quite a lot. If you need a special behaviour, use the appropriate version.

The good news: your password is never sent through an unsecured connection, nor is it used as a key for anything. This wouldn't be possible anyway, since the authenticating machine never has access to it.

2. If username/password is right, RD client will then give a caution for warning the Client Certificate

Are you sure that's not the server's authentication certificate display? This certificate makes sure that the server you are sending your credentials to is the server (or gateway or broker service) you connected to in the first place (judging by its name [CN] on the certificate).

bjoster
  • I mean warning the client for the server certificate... I still don't understand what's happening. You should check my question again. If my password isn't sent, then how does the server know if the client entered the right password? – imoc Feb 02 '18 at 13:25
  • Again: it is NOT. The server's certificate is checked BEFORE any data is sent. If you don't know how RDP works, it *may* look like it's done otherwise, but that's NOT the case. The warning is displayed because EAP/2FA COULD happen as a next step (which *needs* a secure tunnel). – bjoster Feb 07 '18 at 12:03

It isn't secure. This is why Microsoft created Remote Credential Guard and Restricted Admin Mode. This is also one of the disadvantages of using Network Level Authentication.

https://docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard

If the target system is compromised or a MITM entity, you just gave them your credential hash.

Greg Askew
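The two answers make one point between them: the X.224 protocol negotiation and the TLS handshake happen before the client sends anything derived from the password (bjoster), and if the host on the other end of that TLS session is not the one you meant to reach, NLA/CredSSP hands it your credential material anyway (Greg Askew). The example below is added here and is not code from the thread or from Microsoft; it reproduces those first two steps in Python so the server's certificate fingerprint can be checked against a pin recorded out of band before any username or password is typed into a client. The packet layout follows MS-RDPBCGR; the host name, port and the pinned fingerprint are assumptions, and the sample response packets in the test are constructed by hand.

```python
"""Added example: RDP protocol negotiation plus certificate pinning (not from the thread)."""
import hashlib
import hmac
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags (RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x0        # legacy RDP security, no TLS at all
PROTOCOL_SSL = 0x1        # TLS; credentials are entered after the handshake
PROTOCOL_HYBRID = 0x2     # CredSSP / NLA inside the TLS tunnel
PROTOCOL_HYBRID_EX = 0x8  # CredSSP plus the Early User Authorization Result PDU

NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER",
    0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER",
    0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER",
}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ that asks for TLS/CredSSP."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested)   # negotiation fields are little-endian
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req        # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                            # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224      # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Parse TPKT + X.224 Connection Confirm; return the selected protocol or the failure reason."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    if data[5] != 0xD0:
        raise ValueError("expected an X.224 Connection Confirm (0xD0)")
    body = data[11:5 + li]
    if not body:                      # older server: no rdpNegRsp, legacy RDP security only
        return {"protocol": PROTOCOL_RDP, "failure": None}
    msg_type, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("bad negotiation message length")
    if msg_type == NEG_RSP:
        return {"protocol": value, "failure": None}
    if msg_type == NEG_FAILURE:
        return {"protocol": None, "failure": FAILURE_CODES.get(value, value)}
    raise ValueError("unknown negotiation message type 0x%02x" % msg_type)


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; TPKT frames can arrive in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during negotiation")
        buf += chunk
    return buf


def server_certificate_fingerprint(host, port=3389, timeout=5.0):
    """Negotiate TLS with an RDP server and return the SHA-256 hex digest of its certificate.

    Only the negotiation bytes and the TLS ClientHello leave this machine; no username
    or password is involved at this stage. host/port are assumptions supplied by the caller.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        header = _recv_exact(sock, 4)
        total = struct.unpack(">H", header[2:4])[0]
        confirm = parse_connection_confirm(header + _recv_exact(sock, total - 4))
        if confirm["protocol"] not in (PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX):
            raise RuntimeError("server did not select a TLS-based protocol: %r" % confirm)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # RDP hosts usually present a self-signed certificate,
        ctx.verify_mode = ssl.CERT_NONE   # so the identity check is the pin below, not a CA chain
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def matches_pin(fingerprint, pinned):
    """Constant-time comparison of a hex fingerprint against the pin recorded out of band."""
    return hmac.compare_digest(fingerprint.lower(), pinned.lower())
```

Typical use is `matches_pin(server_certificate_fingerprint("rdp-host.example"), PINNED)` (host name and `PINNED` being placeholders) run before launching the client; a mismatch means the host at that address is not the one whose certificate you recorded, which is exactly the situation in which NLA would otherwise hand over credential material. Note that the Windows certificate dialog displays a SHA-1 thumbprint, so record the pin with the same hash the script computes, and that the `parse_connection_confirm` path covers servers that answer with `RDP_NEG_FAILURE` or with no negotiation response at all (legacy RDP security, where no TLS certificate exists to check).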