Jeanette Durham asked:

Windows Server 2008 R2 must set TCP (Remote Desktop) to use TLS v1.2

Dear experts,

I have followed a bunch of instructions online for how to do this, and nothing seems to be working.

I have to somehow set it up so that the remote desktop doesn't use the TLS v1.0 anymore. I've disabled all the cipher suites and such already. And it's working as expected for the HTTP parts. But, just on the one port (which is different than the 3389 standard) which I use to remote into our web server (so can't disable RDP) we keep getting tagged by the PCI compliance peoples with the error message below my question.

I even tried setting up a firewall rule to only allow our IP address to connect to it. But, that didn't fix the PCI thing either.

From all the documentation I've read, it would seem that on Server 2008, Windows has always had an issue with this. They released a KB update which I downloaded and it is installed. The stuff I've read claims that if that's the case, and you go to the "Remote Desktop Session Host Configuration" and set some settings.. and then it will use TLS 1.2 even though the GUI says TLS 1.0.
I believe that that might be true, but I don't think something, somewhere, is configured right.

I set the properties for the RDP-tcp connection to:
Security Layer: SSL (TLS 1.0)
Encryption Level: FIPS Compliant
X Allow connections only from computers running Remote Desktop with Network Level Authentication

So, that's where I'm at. If anyone would be willing to walk me through what I need to do I would be very, very grateful. Nothing I'm doing seems to be working.. although I was able to get the SQL Server working, I think by checking a local security policy to only use FIPS Compliant algorithms.

Also, if I run Qualys on it, it shows the TLS Version 1.0 is completely disabled, but I believe that it is not detecting it because it is only being used on the TCP port, and not the rest of the website whatsoever.

I also do not get a thing in the connection bar for RDP indicating that the session is encrypted. Not sure if I'm supposed to, either, necessarily. :)

Thanks a bunch! ~Jeffrey

Port: 38999
Protocol: TCP
Service: unknown
Title: TLS Version 1.0 Protocol Detection (PCI DSS)

Synopsis:
The remote service encrypts traffic using a protocol with known weaknesses.

Impact:
The remote service accepts connections encrypted using TLS 1.0. This version of TLS is affected by multiple cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. As per PCI Security Standards Council April 1, 2015 document `Migrating from SSL and Early TLS` all TLS 1.0 encryption usage must include a Mitigation and Migration plan detailing current risk management plus migration strategy off early TLS to secure TLS versions such as TLS 1.1 or 1.2 on or before June 30, 2016. Consult the application's documentation for information on how to upgrade TLS to version 1.1 or greater (TLS 1.2 strongly recommended) or upgrade the application to a version that uses TLS version 1.1 or greater.

Resolution:
All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018. If you are using TLS 1.0 with a mitigation and migration plan in place, you may contact support@securitymetrics.com to see if you are eligible to mark this vulnerability as a false positive. For more information, see https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf

Data Received:
- TLSv1 is enabled and the server supports at least one cipher.
Jeanette Durham (ASKER)

I've also got it set in the rdp-tcp properties to use the certificate for our web server, not the local self-generated one, because the PCI compliance people don't accept self-signed certs. Not sure if that's relevant either.
David Johnson, CD

Inform the PCI compliance team of https://support.microsoft.com/en-ca/kb/3097192. You are compliant but their scanner is reporting a false positive.
I found a very technical doc that is supposed to lay out how to dig down and fix this, but I can't vouch for it since we chose to have an outside vendor handle all our CC transactions and avoided PCI completely...
-MS-RDPBCGR-.pdf
David,

I'm not entirely sure it is a false positive. Is there a way I can myself see what protocol it is using? I'd love to find a way to test it without waiting 3 hours every time for the security scan. I don't think it is encrypting the RDP session because the symbol doesn't come up in the remote desktop "connection" bar.

~Jeffrey
There should be some sort of logging taking place when the rdp session connects...

And it might be possible that you have to use the newer win 8 and later rdp clients to even get higher encryption...
Today I was fixing other errors at work, so wasn't able to really deal with it.

I tried changing it to RDP encryption and rescanned it and it still said the same thing.
Currently, I just rebooted (didn't do that before) and now I'm trying to rescan it again... hope it works.
Umm.. so guys.. can you think of any reason why putting it on the RDP encryption would still cause it to show up as TLS version 1.0? I do have it on a different port than the standard RDP port.

All I did (maybe I'm missing a step) is go to the Remote Desktop Session Host Configuration and for our RDP-Tcp connection I right-clicked it and went to the settings.

I set these settings..
security layer: rdp security layer
encryption level: fips compliant
allow connections only from computers running remote desktop with NLA is grayed out and is unchecked

Is there anything else, anywhere else, that I would need to change to make this work?

Thanks, Jeffrey!
ASKER CERTIFIED SOLUTION
David Johnson, CD
David,
Yeah, my theory here is if it is indeed using the TLS at all, it would be using the 1.2 or whatnot. I can't prove (when I have the TLS turned on, the past 3 days I've been trying to get the default RDP encryption protocol to work instead) that it is even using TLS.
The issue though for me is I can't get the SecurityMetrics to stop saying that it detects TLS 1.0 on the RDP port, even though I'm no longer even using the TLS.. and I've disabled TLS 1.0 in the registry and everything else I can think of.
It's very confusing.
I'm currently debating writing a script that blocks the RDP port and then a protected web method to call it so I can switch it on and off remotely.. then turn it off while the computer is being scanned and then back on again when it's finished. This is, however, a rather drastic method and doesn't even fix the issue.. plus then I can't work on the webserver while it's running (which is kinda lame)..
~Jeffrey
So I simply turned off the RDP and ran the scan.. have no idea if there's any possible way to actually fix the error, but I'm through with it. I'm going to go with David's answer which basically boils down to there is a serious bug in Windows Server 2008 that Microsoft must fix before people can pass scans again.. and before TLS version 1.2 actually runs right.
It is possible though there is a way to configure it, but I was never able to get it to work.. after trying for days. <shrugs>
Thanks everyone for your input and help! ~Jeffrey
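
An added example (not part of the thread, and not the scanner's own logic): one way to check which TLS versions an RDP listener accepts without waiting for a rescan. RDP starts TLS only after an X.224 negotiation exchange (MS-RDPBCGR), so this sketch sends that exchange first and then attempts a handshake pinned to a single TLS version. The function names are illustrative, and it assumes the local OpenSSL build still permits TLS 1.0 client handshakes.

```python
import socket, ssl, struct, sys

# requestedProtocols / selectedProtocol values from MS-RDPBCGR
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0, 1, 2

def build_neg_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """X.224 Connection Request carrying an RDP Negotiation Request (no cookie)."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)      # type, flags, length, protocols
    x224 = bytes([6 + len(neg), 0xE0, 0, 0, 0, 0, 0]) + neg   # LI, CR code, dst/src ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT header + payload

def parse_neg_response(data):
    """Return ('selected', protocol) or ('failure', code) from a Connection Confirm."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:                        # no negotiation block: standard RDP security
        return ("selected", PROTOCOL_RDP)
    kind, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    return ("selected" if kind == 0x02 else "failure", value)

def probe(host, port, version, timeout=5.0):
    """True if the listener completes a TLS handshake at exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # only the protocol version is under test
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")    # assumption: local OpenSSL can offer TLS 1.0
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_neg_request())
        kind, value = parse_neg_response(sock.recv(64))
        if kind != "selected" or value == PROTOCOL_RDP:
            return False                      # listener did not agree to start TLS
        try:
            with ctx.wrap_socket(sock):
                return True
        except (ssl.SSLError, OSError):
            return False

if __name__ == "__main__":                    # usage: script.py <host> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2"):
        print(name, probe(host, port, getattr(ssl.TLSVersion, name)))
```

A `True` for `TLSv1` means the listener still completes a TLS 1.0 handshake, which is the condition the scan report's "Data Received" line describes.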