<div>
Is that an IIS, or why use IIS crypto?<br>I see no connection to RDP. It will not be influenced when used at defaults.
</div>


<div>
It's an IIS server yes. I use IIS Crypto because it's a good tool to easily disable ciphers and has a "Best Practices" button that automatically sets the ciphers to such. My problem is that in the past disabling ciphers had prevented RDP connections. So before making my ciphers up-to-date, I wanted to make sure I didn't accidentally break that connection. If I break the browser connections for clients to the server, at least with RDP working I can fix that. If I can't RDP after the update, I have to scramble to get at the console.
</div>


IT Specialist

mrosier

<div>
Thanks McKnife, I am more concerned about the server than the laptop being unable to accept connections due to cipher disabling. I honestly don't have enough resources to set up a new VM on that box to test, so I will just have to wait for some downtime and physical access to be sure unless anyone knows for sure that might respond. But thanks for the guidance!
</div>


<div>
I wonder if you trust IIS crypto to be able to undo what it does.<br>You will use it and a reboot is required - if you find, RDP is broken, you can undo the change and reboot again - just one reboot more.
</div>


<div>
Oh I can revert back, all you have to do is take note of what ciphers are enabled before any chances (I usually screenshot or just printout for reference), and then just re-enable through that interface after the fact if it breaks things. The only problem is that I have to be on-hand at that data center if something does break is all. And I can be, just easier to do it from my office of course.
</div>


<div>
are the server on which you would like to restrict schannel, protocol or cipher exposed to the outside, if access use is internal?<br>You have access via hardware lights out management (ilo on HP, idrac on Dell, )<br>Registry edits of schannel to leave tls 1.0,1.1,1.2,..<br><br>
</div>


<div>
@arnold Thanks for the feedback! It's a web-facing server in a remote location. I access it via VPN and then RDP. With 1.0 as a minimum I am 99% sure I will be ok though.
</div>


<div>
Only web is exposed without VPN.<br>VPN goes to the Lan or terminates on the server?<br>Does your hardware have the lights out management access.<br><br>Use <a target="_blank" rel="ugc nofollow">ssllabs.com</a> to test ypur web server side security.<br>Over-tightening ....<br><br>TLS1.0 might have to remain active to avoid RDP break.<br><br>
</div>


<div>
@arnold that is correct, only web without VPN. And VPN terminates at the LAN. I honestly am not sure if I have iLO access since if so I never use it. Let me ask this. I am testing this on my Windows 10 laptop by RDP'ing to another Windows 10 laptop on which I have disabled the weak ciphers on including TLS 1.0 leaving 1.1 and 1.2 enabled. That works with RDP fine still. Should Server 2012 Std behave the same?
</div>


<div>
@Arnold Thanks, I forgot about hyper-v on Win10. I can just try that way. And yes, this is to tighten security by disabling out-dated encryption protocols and not breaking RDP in the process. I am doing this in the remedial user way using IIS Crypto. I know that vulnerability scans don't like TLS 1.0 anymore for example, so I am trying to make sure my ducks are in a row before doing anything.
</div>


<div>
<div class="content wysiwyg-content">
Hello! I have a server I need to update in terms of ciphers. However I need to be sure I don't break RDP between my workstation and the server by accident. The server is 2012 Standard and my workstation for RDP is Windows 10 Pro. I want to use the tool IIS Crypto. Can someone tell me which ciphers I can disable without accidentally breaking connectivity to RDP?
</div>
</div>


Hello! I have a server I need to update in terms of ciphers. However I need to be sure I don't break RDP between my workstation and the server by accident. The server is 2012 Standard and my workstation for RDP is Windows 10 Pro. I want to use the tool IIS Crypto. Can someone tell me which ciphers I can disable without accidentally breaking connectivity to RDP?

Disabling weak ciphers without breaking RDP

Windows 10 is a personal computer operating system featuring the "universal application architecture" (UAP); apps can be designed to run across multiple devices with nearly identical code, including PCs, tablets, smartphones, embedded systems, Xbox One, Surface Hub and HoloLens. Windows 10 also includes a virtual desktop system, a window and desktop management feature called Task View, the Microsoft Edge web browser, support for fingerprint and face recognition login, voice-based search (Cortana), new security features for enterprise environments, and DirectX 12 and WDDM 2.0 to improve the operating system's graphics capabilities for games.

Windows 10

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

SSL / HTTPS

This topic area includes legacy versions of Windows prior to Windows 2000: Windows 3/3.1, Windows 95 and Windows 98, plus any other Windows-related versions including Windows Mobile.