David Moorefield


"SSL Medium Strength Cipher Suites Supported" issue

Security scan finding: "SSL Medium Strength Cipher Suites Supported (42873)" error on 2012 R2 / Win10, seems to be port 3389/TCP.

I've seen a solution using https://www.nartac.com/Products/IISCrypto/ but I have a secure environment and I'm not sure about using this product.
I've enabled the GPO 'SSL Cipher Suite Order' setting in admin templates / network, which doesn't seem to have anything below 112 bits, and I've removed DES and 3DES.
Is there another or manual fix for this?

Thanks
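An added example (not from the thread or any poster): a read-only PowerShell check to run on the machine the scanner flagged. RDP over TLS uses Schannel, so this shows whether the 'SSL Cipher Suite Order' policy value actually landed on that machine and whether any listed suite still uses 3DES, DES, RC4/RC2, NULL or export ciphers. The registry paths are the standard Schannel locations; the helper name `Get-FlaggedSuite` is made up for this example.

```powershell
# Added example: read-only audit of the Schannel cipher configuration on this host.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$tripleDes = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'

# Hypothetical helper: flag suites by the cipher named in the suite string.
function Get-FlaggedSuite {
    param([string[]]$Suite)
    foreach ($s in $Suite) {
        $reason = switch -Regex ($s) {
            '3DES'        { '3DES'; break }
            '_DES_'       { 'single DES'; break }
            'RC4|RC2'     { 'RC4/RC2'; break }
            'NULL|EXPORT' { 'NULL or export-grade'; break }
        }
        if ($reason) { [pscustomobject]@{ Suite = $s; Reason = $reason } }
    }
}

# 1. Did the 'SSL Cipher Suite Order' policy reach this machine, and what does it list?
$policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
if ($policy) {
    # The value may be one comma-separated string or several strings; handle both.
    $configured = @($policy.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    "Policy lists $(@($configured).Count) suites"
    Get-FlaggedSuite -Suite $configured | Format-Table -AutoSize
} else {
    'No cipher suite order policy value on this machine (GPO not applied here?)'
}

# 2. What the OS reports as enabled (cmdlet exists on Windows 10 / Server 2016 and later).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-FlaggedSuite -Suite (Get-TlsCipherSuite).Name | Format-Table -AutoSize
}

# 3. Schannel per-cipher switch for 3DES: Enabled = 0 turns it off.
$c = Get-ItemProperty -Path $tripleDes -Name Enabled -ErrorAction SilentlyContinue
if ($c) { "Triple DES 168 Enabled = $($c.Enabled)" } else { 'Triple DES 168: no override set, OS default applies' }
```

An empty table in steps 1 and 2 means no suite matched the patterns; the script changes nothing on the host.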
McKnife

3389 is RDP and not IIS, so IIS Crypto is not suitable. Is the RDP server component even active?
David Moorefield

ASKER

The Remote Desktop Services service is running.
Thanks!
The service is running, sure, but is it being used, is this machine meant for RDP access?

If so, open the group policy editor at the server side, go to computer config - adm. templates - windows components - remote desktop services - security and set encryption layer and security level to the maximum and re-scan. Might need a restart of the server machine.
It sounds like you are allowing direct RDP connections from outside, which is something you should get away from. Recommend trying to move to RD Gateway.
McKnife,
I made the GP change setting the RDP encryption level to High and rebooted the clients and rebooted the DCs. But I am still getting the error from the scanner.
thanks!
Did you modify only one of the two which I mentioned?
The GPO policy is only applied to the test client group, not to the domain controller. I guess it needs to be applied there too? I'm not sure how the vulnerability scanner works, you would think it only scans the client but maybe not?
thanks!
1st: you need to know what the scanner does. I believe it should not scan the DC, as RDP access to the DC should not even be possible from the scanning PC (port should be closed to all but administrative workstations).
2nd: please answer my last question.
I applied the GPO per below to the client machine and rebooted the DCs, if that was both the necessary components.

"open the group policy editor at the server side, go to computer config - adm. templates - windows components - remote desktop services - security and set encryption layer and security level to the maximum and re-scan. Might need a restart of the server machine."
thanks!
You seem to misunderstand the concept of closing a question by selecting a solution, it seems, as you selected your own comment as solution.
Oh, sorry, I have marked yours as the solution.
Thanks for your help!
;-) You are welcome.