I remember when I first started using Remote Desktop with Windows XP Pro many years ago that it wasn't secure to use without a VPN.
Now, with Windows 7, when I connect to my home computer I get a message about the certificate not being from a trusted CA. Are my Remote Desktop connections being encrypted?
Changes have been made regarding FIPS since Windows Server 2003 SP1, and it is now much more secure to use. You can enable certain security features via the Group Policy editor (run gpedit.msc from the Start menu):
Correct me if I am wrong, but you didn't need a VPN before to access RDP securely; it was just considered safer, as you had another barrier that you would have to get through in order to connect to the remote machine.
That in itself doesn’t speak to the security of Windows / RDP, which has RSA RC4 encryption for the RDP connection.
Those settings are all available from (Windows 2003/2008 Server):
Programs > Administrative Tools > Terminal Services Configuration
And from there you could set three different types of encryption, high / med / low; there are details on that here: http://www.windowsecurity.com/articles/Windows_Terminal_Services.html
There are many other sources that speak on its security.
Now, is it insecure? It could be; it is vulnerable to the same attacks that any Windows server suffers from. It depends on how the server itself is set up.
Since version 6 (Vista / 2003 SP1 upwards), the RDP protocol has supported TLS and 128-bit encryption via RC4. It's not military grade unless you are talking about the military in the '90s, but for most uses it will be more than enough.
As far as the trusted CA message goes, do you trust your server to be the one providing the certificate? It’s akin to signing your own SSL certificate as far as I know.
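The negotiation that the second and third answers talk around (the X.224 connection request/confirm in which client and server settle on Standard RDP Security with RC4, plain TLS, or CredSSP/NLA), plus the certificate question in the last answer, as an added example that is not part of any answer on this page. The constants follow the RDP_NEG_REQ / RDP_NEG_RSP structures in MS-RDPBCGR; the server replies in the docstrings are constructed, and `probe_rdp` is a hypothetical helper that runs the same exchange against a real host and, when a TLS-based protocol is chosen, reports the fingerprints of the certificate the server presents, so you can compare them with the thumbprint shown in the client's "not from a trusted CA" dialog.

```python
import hashlib
import socket
import ssl
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1).
PROTOCOL_RDP = 0x00000000        # Standard RDP Security: RC4, keyed under the server's RSA key
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP: TLS plus Network Level Authentication
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user-authorization result

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ.

    Requesting 0x0B (SSL|HYBRID|HYBRID_EX) yields
    03 00 00 13 0e e0 00 00 00 00 00 01 00 08 00 0b 00 00 00.
    """
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI (bytes after this one), CR|CDT code 0xE0, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_x224_connection_confirm(data):
    """Parse the server's Connection Confirm and the optional rdpNegData after it.

    A legacy server (no negotiation support) answers with a bare 11-byte confirm,
    e.g. 03 00 00 0b 06 d0 00 00 12 34 00, which means Standard RDP Security only.
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data length")
    li = data[4]
    if (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:5 + li]  # fixed X.224 header is 7 bytes incl. LI, so rdpNegData starts at 11
    if not neg:
        return {"negotiated": False, "protocol": PROTOCOL_RDP, "failure": None}
    typ, _flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("malformed rdpNegData length")
    if typ == TYPE_RDP_NEG_RSP:
        return {"negotiated": True, "protocol": value, "failure": None}
    if typ == TYPE_RDP_NEG_FAILURE:
        return {"negotiated": True, "protocol": None, "failure": FAILURE_CODES.get(value, value)}
    raise ValueError("unexpected rdpNegData type %#x" % typ)


def describe_protocol(result):
    """Turn a parsed confirm into the practical statement a practitioner wants."""
    if result["failure"]:
        return "negotiation failed: " + str(result["failure"])
    proto = result["protocol"]
    if proto & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "CredSSP/NLA over TLS: encrypted, user authenticated before the session starts"
    if proto & (PROTOCOL_SSL | PROTOCOL_RDSTLS):
        return "TLS: encrypted; server identity rests on the certificate the client warns about"
    return "Standard RDP Security: RC4-encrypted, but the client has no trusted way to verify the server"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during negotiation")
        buf += chunk
    return buf


def probe_rdp(host, port=3389, timeout=5.0):
    """Hypothetical live probe: negotiate, then fetch the TLS certificate if one is used."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        header = _recv_exact(sock, 4)
        body = _recv_exact(sock, struct.unpack(">H", header[2:4])[0] - 4)
        result = parse_x224_connection_confirm(header + body)
        if result["protocol"]:  # any non-zero selection is carried over TLS
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # inspect the certificate, do not trust it
            tls = ctx.wrap_socket(sock, server_hostname=host)
            der = tls.getpeercert(binary_form=True)
            result["tls_version"] = tls.version()
            result["cert_sha1"] = hashlib.sha1(der).hexdigest()      # mstsc shows the SHA-1 thumbprint
            result["cert_sha256"] = hashlib.sha256(der).hexdigest()
            tls.close()
        return result


if __name__ == "__main__":
    import sys
    r = probe_rdp(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(describe_protocol(r))
    for k in ("tls_version", "cert_sha1", "cert_sha256"):
        if k in r:
            print(k, r[k])
```

If the fingerprint printed here matches the one in the client's warning dialog (or the certificate under Remote Desktop in the server's certificate store), the warning is the server's own self-signed certificate rather than an interposed host; if the server selects Standard RDP Security (protocol 0) the session is still RC4-encrypted, but nothing in the exchange lets the client check who it is talking to.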