PCI - Can I access Windows server 2012 through Remote desktop Connection (RDP) after disabling TLS 1.0 for PCI compliance?

PCI - Can I access Windows Server 2012 through Remote Desktop Connection (RDP) after disabling TLS 1.0 for PCI compliance, since PCI DSS 3.1 requires TLS 1.0 disabled?

Thanks Experts! You are doing a great job.
gracesoft Asked:

btan (Exec Consultant) Commented:
Probably IIS Crypto (a useful tool that you probably already know of) shares the impact on RDP:

Will Remote Desktop (RDP) continue to work after using IIS Crypto? 

Yes. The default security layer in RDP is set to Negotiate which supports both SSL (TLS 1.0) and the RDP Security Layer. However, if you set the security layer to SSL (TLS 1.0) and disable TLS 1.0 in IIS Crypto you will be unable to connect to RDP. To check your settings, open Remote Desktop Session Host Configuration in Administrative Tools and double click RDP-Tcp under the Connections group. If it is set to SSL (TLS 1.0), make sure that you do not disable TLS 1.0 in IIS Crypto.

Network Level Authentication only supports the SSL (TLS 1.0) security layer.
https://www.nartac.com/Support/IISCrypto/FAQ
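
A read-only PowerShell check of the settings the FAQ answer above says to inspect before disabling TLS 1.0, as an added example that is not part of the original thread. The registry paths and value meanings (SecurityLayer 0/1/2, UserAuthentication 1 = NLA required, SCHANNEL Enabled = 0) are the standard Windows ones and are assumptions here; `Get-RegValue` and `Test-RdpTls10Dependency` are hypothetical helper names.

```powershell
# Added example (read-only). Registry paths and value meanings are the standard
# Windows ones and are assumptions here, not taken from the thread.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'

function Get-RegValue {            # hypothetical helper
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-RdpTls10Dependency { # hypothetical helper
    param($SecurityLayer, $UserAuthentication, $Tls10Enabled)
    $names = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    # An absent SecurityLayer is treated as Negotiate, the default the FAQ names.
    if ($null -eq $SecurityLayer) { $SecurityLayer = 1 }
    $pinnedToTls = ($SecurityLayer -eq 2)
    $nlaRequired = ($UserAuthentication -eq 1)
    # Counted as disabled only when an Enabled value exists and is 0.
    $tls10Off    = ($null -ne $Tls10Enabled) -and ($Tls10Enabled -eq 0)
    $notes = @()
    if ($pinnedToTls) {
        $notes += 'Layer is pinned to SSL (TLS 1.0): the case the FAQ says breaks RDP when TLS 1.0 is disabled.'
    }
    if ($nlaRequired) {
        $notes += 'NLA is required and only supports the SSL (TLS 1.0) layer, so RDP Security Layer is not a fallback.'
    }
    if ($tls10Off -and ($pinnedToTls -or $nlaRequired)) {
        $notes += 'TLS 1.0 is already disabled: test a new RDP session before closing the current one.'
    }
    [pscustomobject]@{
        SecurityLayer = $names[[int]$SecurityLayer]
        NlaRequired   = $nlaRequired
        Tls10Disabled = $tls10Off
        ReviewFirst   = ($pinnedToTls -or $nlaRequired)
        Notes         = $notes
    }
}

Test-RdpTls10Dependency `
    -SecurityLayer      (Get-RegValue $rdpKey 'SecurityLayer') `
    -UserAuthentication (Get-RegValue $rdpKey 'UserAuthentication') `
    -Tls10Enabled       (Get-RegValue $tlsKey 'Enabled') | Format-List
```

Group Policy can set the security layer and NLA requirement separately from this listener key, so confirm the effective values in Remote Desktop Session Host Configuration as the FAQ describes.
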
h1r0 Commented:
Single sign on will fail if you are using the rdweb role.
btan (Exec Consultant) Commented:
Others have tried to change the RDP-Tcp security layer to use "RDP Security Layer", the native RDP encryption (before you actually disabled TLS 1.0) - you cannot use Network Level Authentication, which is more secure. https://technet.microsoft.com/en-us/library/cc770833.aspx

For other considerations: on a Server 2012 machine with IIS 8, you need to upgrade SQL Server to 2014 CU6 or newer. Older versions only support SSL 3 and TLS 1.0. https://support.microsoft.com/en-us/kb/3052404

Until TLS 1.2 is fully supported by RDP "officially" (even though it is mentioned in https://msdn.microsoft.com/en-us/library/cc240804.aspx?f=255&MSPPError=-2147217396), I have no assurance that it is going to work without errors popping up in the connection, though some say it is alright for Windows Server 2012 and 2012 R2, which I can confirm works perfectly using the Windows 7 RDP Client. Not Windows 2008 R2 though.

Disabling TLS 1.0 remains a balance and trade-off to decide between the business need and security priority.

gracesoft (Author) Commented:
Alright, thanks everybody.