mrosier
asked on
Disabling weak ciphers without breaking RDP
Hello! I have a server I need to update in terms of ciphers. However I need to be sure I don't break RDP between my workstation and the server by accident. The server is 2012 Standard and my workstation for RDP is Windows 10 Pro. I want to use the tool IIS Crypto. Can someone tell me which ciphers I can disable without accidentally breaking connectivity to RDP?
ASKER
It's an IIS server, yes. I use IIS Crypto because it's a good tool to easily disable ciphers and has a "Best Practices" button that automatically sets the ciphers to such. My problem is that in the past disabling ciphers had prevented RDP connections. So before making my ciphers up-to-date, I wanted to make sure I didn't accidentally break that connection. If I break the browser connections for clients to the server, at least with RDP working I can fix that. If I can't RDP after the update, I have to scramble to get at the console.
ASKER CERTIFIED SOLUTION
ASKER
Thanks McKnife, I am more concerned about the server than the laptop being unable to accept connections due to cipher disabling. I honestly don't have enough resources to set up a new VM on that box to test, so I will just have to wait for some downtime and physical access to be sure unless anyone knows for sure that might respond. But thanks for the guidance!
I wonder if you trust IIS crypto to be able to undo what it does.
You will use it and a reboot is required; if you find RDP is broken, you can undo the change and reboot again, just one reboot more.
ASKER
Oh, I can revert back; all you have to do is take note of what ciphers are enabled before any changes (I usually screenshot or just print out for reference), and then just re-enable them through that interface after the fact if it breaks things. The only problem is that I have to be on hand at that data center if something does break, is all. And I can be, just easier to do it from my office of course.
Is the server on which you would like to restrict SChannel protocols or ciphers exposed to the outside, or is access internal only?
Do you have access via hardware lights-out management (iLO on HP, iDRAC on Dell, ...)?
Registry edits of SChannel to leave TLS 1.0, 1.1, 1.2, ...
ASKER
@arnold Thanks for the feedback! It's a web-facing server in a remote location. I access it via VPN and then RDP. With 1.0 as a minimum I am 99% sure I will be ok though.
Only web is exposed without VPN.
Does the VPN go to the LAN or terminate on the server?
Does your hardware have lights-out management access?
Use ssllabs.com to test your web server side security.
Over-tightening ....
TLS 1.0 might have to remain active to avoid an RDP break.
ASKER
@arnold that is correct, only web without VPN. And the VPN terminates at the LAN. I honestly am not sure if I have iLO access; if so, I never use it. Let me ask this. I am testing this on my Windows 10 laptop by RDP'ing to another Windows 10 laptop on which I have disabled the weak ciphers, including TLS 1.0, leaving 1.1 and 1.2 enabled. That works with RDP fine still. Should Server 2012 Std behave the same?
SOLUTION
ASKER
@Arnold Thanks, I forgot about Hyper-V on Win10. I can just try that way. And yes, this is to tighten security by disabling outdated encryption protocols and not breaking RDP in the process. I am doing this in the remedial user way using IIS Crypto. I know that vulnerability scans don't like TLS 1.0 anymore, for example, so I am trying to make sure my ducks are in a row before doing anything.
I see no connection to RDP. It will not be influenced when used at defaults.
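A way to settle the "99% sure" question above with a measurement rather than a guess, added here as an example (this is not code from any of the posts in this thread, nor from IIS Crypto). When the Remote Desktop listener's security layer is TLS or NLA, the TLS handshake on TCP 3389 goes through SChannel, so the same protocol keys IIS Crypto toggles apply to it. A plain TLS scanner cannot test that port, because RDP first exchanges an X.224 Connection Request/Confirm (with an RDP_NEG_REQ/RDP_NEG_RSP structure) and only then starts TLS. The script below performs that prelude and then attempts one handshake per TLS version against the listener, so it can be run from the Windows 10 workstation against the Hyper-V test VM before the change, and again after the reboot. It needs Python 3.7+ (for `ssl.TLSVersion`); the host name in the usage block is a placeholder, and the `@SECLEVEL=0` cipher string is an OpenSSL-specific assumption needed so that the local OpenSSL will offer TLS 1.0/1.1 at all.

```python
"""Probe which TLS versions an RDP listener accepts (added example, not from the thread)."""
import socket
import ssl
import struct
import sys

# RDP_NEG_REQ requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001      # TLS security layer
PROTOCOL_HYBRID = 0x00000002   # CredSSP/NLA, which also begins with a TLS handshake

NEG_RSP = 0x02                 # RDP_NEG_RSP structure type
NEG_FAILURE = 0x03             # RDP_NEG_FAILURE structure type
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

TLS_VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
}


def build_x224_connection_request(requested_protocols=PROTOCOL_SSL):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (no cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR code 0xE0, DST-REF, SRC-REF, class 0, then the negotiation request
    x224 = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + neg_req
    x224 = bytes([len(x224)]) + x224                    # length indicator (LI)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data):
    """Return (selected_protocol, None) on success or (None, failure_name) on refusal."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT packet")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:]                                    # after LI, code, DST-REF, SRC-REF, class
    if not body:
        return PROTOCOL_RDP, None                       # no RDP_NEG_RSP: legacy standard RDP security
    if len(body) < 8:
        raise ValueError("truncated negotiation structure")
    kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
    if kind == NEG_RSP:
        return value, None
    if kind == NEG_FAILURE:
        return None, FAILURE_CODES.get(value, "UNKNOWN_%d" % value)
    raise ValueError("unexpected negotiation structure type %d" % kind)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection during X.224 negotiation")
        buf += chunk
    return buf


def recv_tpkt(sock):
    """Read exactly one TPKT-framed packet, using the length field in its header."""
    header = recv_exact(sock, 4)
    total = struct.unpack(">H", header[2:4])[0]
    return header + recv_exact(sock, total - 4)


def probe_tls_version(host, port, version, timeout=5.0):
    """Negotiate TLS-based RDP security, then attempt a handshake pinned to one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                     # we test negotiation, not certificate trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")          # OpenSSL-specific (assumption): allow old versions
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_x224_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
            selected, failure = parse_x224_connection_confirm(recv_tpkt(sock))
            if failure:
                return False, "server refused TLS-based security: " + failure
            if selected not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
                return False, "server selected protocol %d, which does not use TLS" % selected
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "%s, cipher %s" % (tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, "%s: %s" % (type(exc).__name__, exc)


def probe_listener(host, port=3389):
    """Map each TLS version name to (accepted, detail) for the listener at host:port."""
    return {name: probe_tls_version(host, port, ver) for name, ver in TLS_VERSIONS.items()}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "rdp-test-vm.example"   # placeholder host
    for name, (accepted, detail) in probe_listener(target).items():
        print("%-8s %s  (%s)" % (name, "accepted" if accepted else "rejected", detail))
```

Run it against the test VM before and after applying the IIS Crypto template: a version that flips from "accepted" to "rejected" is one the listener will no longer negotiate. As long as the version your Windows 10 client actually uses (TLS 1.2 when both sides offer it) stays "accepted", RDP survives the change; a `HYBRID_REQUIRED_BY_SERVER` or `SSL_NOT_ALLOWED_BY_SERVER` result points at the Remote Desktop security layer setting rather than at SChannel. The script requests both TLS and CredSSP so it works whether or not NLA is required, and it closes the connection right after the handshake, so no logon is attempted.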