Remote Desktop Protocol
== Security issues ==

Version 5.2 of the RDP in its default configuration is vulnerable to a [[man-in-the-middle attack]]. Administrators can enable [[transport layer encryption]] to mitigate this risk.<ref>{{cite web |url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1794 |title=National Vulnerability Database (NVD) National Vulnerability Database (CVE-2005-1794) |publisher=Web.nvd.nist.gov |date=2011-07-19 |access-date=2014-02-13 |archive-date=September 14, 2011 |archive-url=https://web.archive.org/web/20110914061346/http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1794 |url-status=live }}</ref><ref>{{cite web |url=http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx |title=Configuring Terminal Servers for Server Authentication to Prevent "Man in the Middle" Attacks |date=July 12, 2008 |publisher=Microsoft |access-date=November 9, 2011 |archive-date=November 6, 2011 |archive-url=https://web.archive.org/web/20111106045600/http://blogs.msdn.com/b/rds/archive/2008/07/21/configuring-terminal-servers-for-server-authentication-to-prevent-man-in-the-middle-attacks.aspx |url-status=live }}</ref>

RDP sessions are also susceptible to in-memory credential harvesting, which can be used to launch [[pass the hash]] attacks.<ref>{{Cite web|date=2019-06-06|title=Mimikatz and Windows RDP: An Attack Case Study|url=https://www.sentinelone.com/blog/mimikatz-windows-rdp-attack-case-study/|access-date=2020-10-12|website=SentinelOne|archive-date=October 16, 2020|archive-url=https://web.archive.org/web/20201016055118/https://www.sentinelone.com/blog/mimikatz-windows-rdp-attack-case-study/|url-status=live}}</ref>

In March 2012, Microsoft released an update for a critical security vulnerability in the RDP. The vulnerability allowed a Windows computer to be compromised by unauthenticated clients and [[computer worm]]s.<ref>{{cite web|publisher=[[Microsoft]]|url=https://technet.microsoft.com/en-us/security/bulletin/ms12-020|title=Microsoft Security Bulletin MS12-020 – Critical|date=13 March 2012|access-date=16 March 2012|archive-date=February 13, 2014|archive-url=https://web.archive.org/web/20140213090241/http://technet.microsoft.com/en-us/security/bulletin/ms12-020|url-status=live}}</ref>

RDP client version 6.1 can be used to reveal the names and pictures of all users on the RDP Server (no matter which Windows version) in order to pick one, if no username is specified for the RDP connection.{{Citation needed|date=June 2015}}

In March 2018, Microsoft released a patch for {{CVE|2018-0886}}, a remote code execution vulnerability in CredSSP, which is a Security Support Provider involved in the Microsoft Remote Desktop and Windows Remote Management, discovered by Preempt.<ref>{{Cite web|url=https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886|title=CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability|website=microsoft.com|language=en|access-date=2018-03-23|archive-date=March 23, 2018|archive-url=https://web.archive.org/web/20180323155339/https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886|url-status=live}}</ref><ref>{{Cite news|url=https://blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp|title=From Public Key to Exploitation: How We Exploited the Authentication in MS-RDP|last=Karni|first=Eyal|access-date=2018-03-23|language=en-us|archive-date=March 23, 2018|archive-url=https://web.archive.org/web/20180323160028/https://blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp|url-status=live}}</ref>

In May 2019, Microsoft issued a security patch for {{CVE|2019-0708}} ("[[BlueKeep]]"), a vulnerability which allows for the possibility of [[remote code execution]] and which Microsoft warned was "wormable", with the potential to cause widespread disruption. Unusually, patches were also made available for several versions of Windows that had reached their end-of-life, such as [[Windows XP]]. No immediate malicious exploitation followed, but experts were unanimous that this was likely, and could cause widespread harm based on the number of systems that appeared to have remained exposed and unpatched.<ref name= zdnet>{{Cite web |url=https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/ |title=Even the NSA is urging Windows users to patch BlueKeep (CVE-2019-0708) |last=Cimpanu |first=Catalin |website=ZDNet |access-date=2019-06-20 |archive-date=September 6, 2019 |archive-url=https://web.archive.org/web/20190906182427/https://www.zdnet.com/article/even-the-nsa-is-urging-windows-users-to-patch-bluekeep-cve-2019-0708/ |url-status=live }}</ref><ref name="AT-20190531">{{cite news |url=https://arstechnica.com/information-technology/2019/05/microsoft-says-its-confident-an-exploit-exists-for-wormable-bluekeep-flaw/ |title=Microsoft practically begs Windows users to fix wormable BlueKeep flaw |last=Goodin |first=Dan |date=31 May 2019 |work=[[Ars Technica]] |access-date=31 May 2019 |archive-date=July 22, 2019 |archive-url=https://web.archive.org/web/20190722232414/https://arstechnica.com/information-technology/2019/05/microsoft-says-its-confident-an-exploit-exists-for-wormable-bluekeep-flaw/ |url-status=live }}</ref><ref>{{Cite web |url=https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches |title=Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches |last=Warren |first=Tom |date=2019-05-14 |website=The Verge |access-date=2019-06-20 |archive-date=September 2, 2019 |archive-url=https://web.archive.org/web/20190902162957/https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches |url-status=live }}</ref>

In July 2019, Microsoft issued a security patch for {{CVE|2019-0887}}, an RDP vulnerability that affects [[Hyper-V]].<ref name="BC-20190807">{{cite web |last=Ilascu |first=Ionut |title=Microsoft Ignored RDP Vulnerability Until it Affected Hyper-V |url=https://www.bleepingcomputer.com/news/security/microsoft-ignored-rdp-vulnerability-until-it-affected-hyper-v/ |date=August 7, 2019 |work=[[Bleeping Computer]] |access-date=August 8, 2019 | archive-url = https://web.archive.org/web/20190808020112/https://www.bleepingcomputer.com/news/security/microsoft-ignored-rdp-vulnerability-until-it-affected-hyper-v/ | archive-date = 2019-08-08 | df = dmy-all }}</ref>

In April 2025, a security researcher discovered that it is possible to log into accounts through RDP using passwords that have already been revoked. According to Microsoft, this was by design, and not a bug or vulnerability.<ref>{{Cite web |last=Goodin |first=Dan |date=2025-04-30 |title=Windows RDP lets you log in using revoked passwords. Microsoft is OK with that. |url=https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/ |access-date=2025-05-13 |website=[[Ars Technica]] |language=en}}</ref>
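
Added example, not part of the original article: the first paragraph says the man-in-the-middle risk is mitigated by enabling transport layer encryption, and a defender can confirm what a server actually selected by reading the RDP negotiation response in its X.224 Connection Confirm. The field layout and protocol constants below follow the MS-RDPBCGR specification; the function name and the sample PDUs are constructed for illustration.

```python
import struct

# selectedProtocol values defined for RDP_NEG_RSP in MS-RDPBCGR.
PROTOCOLS = {0x0: "PROTOCOL_RDP", 0x1: "PROTOCOL_SSL", 0x2: "PROTOCOL_HYBRID",
             0x4: "PROTOCOL_RDSTLS", 0x8: "PROTOCOL_HYBRID_EX"}
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03

# Constructed sample PDUs (TPKT header + X.224 Connection Confirm), not real captures.
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")  # no negotiation data at all
SAMPLE_STANDARD = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_TLS = bytes.fromhex("030000130ed000001234000200080001000000")
SAMPLE_NLA = bytes.fromhex("030000130ed000001234000200080002000000")
SAMPLE_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")


def classify_connection_confirm(pdu: bytes) -> dict:
    """Report which security protocol the server selected for the session."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    # TPKT length is big-endian; the X.224 length indicator counts the bytes after itself.
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu) or pdu[4] != len(pdu) - 5:
        raise ValueError("length fields do not match the supplied bytes")
    if pdu[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    nego = pdu[11:]  # bytes after DST-REF, SRC-REF and the class octet
    if not nego:
        # A server that sends no negotiation response uses Standard RDP Security.
        return {"protocol": "PROTOCOL_RDP", "standard_rdp_security": True,
                "nla": False, "failure_code": None}
    if len(nego) != 8:
        raise ValueError("unexpected negotiation structure size")
    kind, _flags, length, value = struct.unpack("<BBHI", nego)
    if length != 8 or kind not in (TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE):
        raise ValueError("malformed RDP negotiation structure")
    if kind == TYPE_RDP_NEG_FAILURE:
        # The server refused the client's requested protocols; value is the failure code.
        return {"protocol": None, "standard_rdp_security": False,
                "nla": False, "failure_code": value}
    return {"protocol": PROTOCOLS.get(value, f"unknown(0x{value:x})"),
            "standard_rdp_security": value == 0x0,
            "nla": value in (0x2, 0x8),  # CredSSP variants
            "failure_code": None}


if __name__ == "__main__":
    for name, pdu in [("legacy", SAMPLE_LEGACY), ("standard", SAMPLE_STANDARD),
                      ("tls", SAMPLE_TLS), ("nla", SAMPLE_NLA), ("failure", SAMPLE_FAILURE)]:
        print(name, classify_connection_confirm(pdu))
```

A result with <code>standard_rdp_security</code> set to true marks a listener that still accepts the legacy security layer and should be reconfigured.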