Dear experts,
I have followed a bunch of instructions online for how to do this, and nothing seems to be working.
I have to somehow set it up so that the remote desktop doesn't use TLS v1.0 anymore. I've disabled all the cipher suites and such already, and it's working as expected for the HTTP parts. But just on the one port (which is different from the 3389 standard) which I use to remote into our web server (so I can't disable RDP) we keep getting tagged by the PCI compliance people with the error message below my question.
I even tried setting up a firewall rule to only allow our IP address to connect to it. But that didn't fix the PCI thing either.
From all the documentation I've read, it would seem that on Server 2008, Windows has always had an issue with this. They released a KB update which I downloaded and it is installed. The stuff I've read claims that if that's the case, and you go to the "Remote Desktop Session Host Configuration" and set some settings, then it will use TLS 1.2 even though the GUI says TLS 1.0.
I believe that that might be true, but I don't think something, somewhere, is configured right.
I set the properties for the RDP-tcp connection to:
Security Layer: SSL (TLS 1.0)
Encryption Level: FIPS Compliant
X Allow connections only from computers running Remote Desktop with Network Level Authentication
So, that's where I'm at. If anyone would be willing to walk me through what I need to do I would be very, very grateful. Nothing I'm doing seems to be working, although I was able to get the SQL Server working, I think by checking a local security policy to only use FIPS-compliant algorithms.
Also, if I run Qualys on it, it shows that TLS version 1.0 is completely disabled, but I believe that it is not detecting it because TLS 1.0 is only being used on the TCP port, and not on the rest of the website whatsoever.
I also do not get a thing in the connection bar for RDP indicating that the session is encrypted. Not sure if I'm supposed to, either, necessarily. :)
Thanks a bunch! ~Jeffrey
Port: 38999
Protocol: TCP
Service: unknown
Title: TLS Version 1.0 Protocol Detection (PCI DSS)
Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.
Impact:
The remote service accepts connections encrypted using TLS 1.0. This version of TLS is affected by multiple cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. As per PCI Security Standards Council April 1, 2015 document `Migrating from SSL and Early TLS` all TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing current risk management plus migration strategy off early TLS to secure TLS versions such as TLS 1.1 or 1.2 on or before June 30, 2016. Consult the application's documentation for information on how to upgrade TLS to version 1.1 or greater (TLS 1.2 strongly recommended) or upgrade the application to a version that uses TLS version 1.1 or greater.
Resolution:
All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018. If you are using TLS 1.0 with a mitigation and migration plan in place, you may contact support@securitymetrics.com to see if you are eligible to mark this vulnerability as a false positive. For more information, see https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf
Data Received:
- TLSv1 is enabled and the server supports at least one cipher.
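The RDP listener with Security Layer set to SSL negotiates TLS through Schannel, the same component IIS uses, so the protocol versions it offers are governed by the Schannel protocol registry keys rather than by the "SSL (TLS 1.0)" label in the RDP-Tcp properties. The script below is an added example (not from the original post or from Microsoft) that audits those keys for each protocol and side and, as a second step, disables a chosen protocol; it assumes an elevated prompt, a reboot afterwards, and that the RDP stack on this host already supports TLS 1.2 (the update the poster installed), since disabling TLS 1.0 on a host whose RDP stack only speaks TLS 1.0 would make the listener unreachable.

```powershell
# Added example, not part of the original post. Audits and hardens the Schannel
# protocol keys that decide which TLS versions this server (including the RDP
# listener on any port) will accept. Written for PowerShell 2.0 on Server 2008.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol/side. $null means the value is not set and the
    # OS default applies (on Server 2008 that default leaves TLS 1.0 enabled).
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                KeyExists         = (Test-Path $key)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Disable-SchannelProtocol {
    param([Parameter(Mandatory = $true)][string]$Protocol)
    # Create the Server and Client subkeys and set both values so the protocol
    # is neither offered nor negotiated. Takes effect after a reboot.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Audit first; confirm TLS 1.2 Server is not explicitly disabled before going on.
Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize

# Then disable the early protocols the scanner flags and re-run the audit.
# Disable-SchannelProtocol -Protocol 'TLS 1.0'
# Disable-SchannelProtocol -Protocol 'SSL 3.0'
```

Re-running the PCI scan against port 38999 after the reboot is the check that matters; the RDP-Tcp GUI will still read "SSL (TLS 1.0)" because that label names the security layer, not the negotiated version.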