Windows Remote Desktop Protocol Weak Encryption Method Allowed - Vulnerability Scan

  • Question

  • Hello,

    We recently had a third party run a vulnerability scan on one of our servers. It showed up a few vulnerabilities; I was able to fix most of them, but I got stuck at this one: Windows Remote Desktop Protocol Weak Encryption Method Allowed.

    Ours is Windows Server 2012 R2. I have found fixes for Windows Server 2008 but not for Server 2012 R2.

    The solution provided by our vendor is: RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider. To configure RDP encryption methods, the 'Terminal Services Configuration' snap-in can be launched in mmc.exe. In the 'Terminal Services Configuration' properties dialog box, General tab, the Encryption Level 'High' should be selected.

    Does anybody have any idea how to fix this in Windows Server 2012 R2?


    Mallikarjuna YH, Windows / Exchange

    Tuesday, August 4, 2015 9:49 PM

Answers

  • Hi,

    For a 2012 R2 server that is not part of a RDS collection, you may open an administrator command prompt and enter the following commands:

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetEncryptionLevel 3
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetSecurityLayer 2

    The above will set the Encryption Level to High and the Security Layer to SSL.  Depending on your needs you may want to install and configure a certificate from a trusted public authority such as GoDaddy, Digicert, Thawte, GeoTrust, etc.

    For servers that are part of a collection you would instead use Server Manager -- RDS -- Collections -- <collection> -- Tasks -- Edit properties -- Security tab.

    -TP

    Wednesday, August 5, 2015 4:18 PM
    Moderator

All replies

  • Thanks TP,

    This worked for me. After running those commands, the vulnerability in question was no longer reported.

    Once again, thanks for the quick tip.


    Mallikarjuna YH, Windows / Exchange

    Friday, August 7, 2015 2:11 PM
  • Hello,

    On Win 2012 Standard, I got "Method execution successful", but what do the Out Parameters in the following output mean?

    C:\Program Files (x86)\ICW>wmic /namespace:\\root\CIMV2\TerminalServices PATH Wi
    n32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetEncryptionLevel 3
    Executing (\\VM1-3X####-6\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.Te
    rminalName="RDP-Tcp")->SetEncryptionLevel()
    Method execution successful.
    Out Parameters:
    instance of __PARAMETERS
    {
    };

    Thanks in advance,
    Sirag

    Thank you

    Tuesday, August 2, 2016 3:23 PM
  • Hi TP,

    Can you please share the remediation for Windows 2008 R2 servers as well? Will there be any impact after making these changes on the servers, or any known issues we would face?

    Regards,

    Jeet

    Friday, May 26, 2017 1:16 PM
  • I got the same error as in the original post reported in a Qualys scan that our Security team ran: "Windows Remote Desktop Protocol Weak Encryption Method Allowed , port 3389/tcp over SSL"

    This was on Windows Server 2012.

    I ran the following PowerShell commands to resolve the issue:

    # Get the RDP-Tcp listener settings from the TerminalServices WMI namespace
    $RDSSettings = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
    $RDSSettings.SetEncryptionLevel(3)   # 3 = High
    $RDSSettings.SetSecurityLayer(2)     # 2 = SSL (TLS)

    After running the commands above, a Qualys rescan no longer reported the issue.

    The documentation for the 2 settings modified by the commands above:

    MinEncryptionLevel - https://msdn.microsoft.com/en-us/library/aa383800(v=vs.85).aspx

    SetSecurityLayer - https://msdn.microsoft.com/en-us/library/aa383801(v=vs.85).aspx

    Hope this helps,
    Mario


    Friday, September 1, 2017 8:11 PM
  • All I had to do was this to fix my W2012:

    The reason this vulnerability (Windows Remote Desktop Protocol Weak Encryption method) shows up is because “Allow connections only from computers running Remote Desktop with Network Level Authentication (NLA)” is disabled (unchecked) on the server in remote settings.  For us to fix this vulnerability, we will need to enable (check) this option.  

    I checked the box and rebooted server and ran a new Qualys scan and it came back clean.

    Saturday, October 19, 2019 12:53 AM
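  • The script below is an added example, not code from any poster in this thread. It combines the three settings the replies above touch (encryption level and security layer from TP's and Mario's replies, NLA from the last post) into one audit-then-remediate pass over the same Win32_TSGeneralSetting class, reporting weak values by default and only changing them when run with -Remediate from an elevated PowerShell prompt. The UserAuthenticationRequired property and SetUserAuthenticationRequired method are assumed from the class documentation; the thread itself only shows the GUI checkbox for NLA.

```powershell
# Added example (not code from the thread): audit the RDP-Tcp listener with the
# same WMI class the replies use, and apply High / SSL / NLA only with -Remediate.
param([switch]$Remediate)
# Value meanings from the Win32_TSGeneralSetting documentation linked above.
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

$wmiArgs = @{
    Namespace = 'root\cimv2\TerminalServices'
    Class     = 'Win32_TSGeneralSetting'
    Filter    = "TerminalName='RDP-Tcp'"
}

function Get-RdpListenerState {
    $s = Get-WmiObject @wmiArgs
    [pscustomobject]@{
        MinEncryptionLevel         = [int]$s.MinEncryptionLevel
        EncryptionLevelName        = $EncryptionLevels[[int]$s.MinEncryptionLevel]
        SecurityLayer              = [int]$s.SecurityLayer
        SecurityLayerName          = $SecurityLayers[[int]$s.SecurityLayer]
        UserAuthenticationRequired = [bool]$s.UserAuthenticationRequired  # NLA on/off (property assumed, not in thread)
    }
}

function Invoke-TsSetting([string]$Method, [int]$Value) {
    # Each Set* method returns ReturnValue 0 on success (the "Method execution successful" in the wmic output above).
    $r = (Get-WmiObject @wmiArgs).$Method($Value)
    if ($r.ReturnValue -ne 0) { throw "$Method($Value) failed with ReturnValue $($r.ReturnValue)" }
}

$state = Get-RdpListenerState
$state | Format-List | Out-String | Write-Host
# Findings that correspond to the scanner result discussed in the thread.
$weak = @()
if ($state.MinEncryptionLevel -lt 3)        { $weak += 'encryption level below High' }
if ($state.SecurityLayer -ne 2)             { $weak += 'security layer is not SSL' }
if (-not $state.UserAuthenticationRequired) { $weak += 'NLA not required' }

if ($weak.Count -eq 0) { Write-Host 'RDP-Tcp listener already uses High encryption, SSL and NLA.'; return }
Write-Warning ('Weak RDP-Tcp settings: ' + ($weak -join '; '))

if ($Remediate) {
    Invoke-TsSetting -Method SetEncryptionLevel -Value 3             # High
    Invoke-TsSetting -Method SetSecurityLayer   -Value 2             # SSL (TLS)
    Invoke-TsSetting -Method SetUserAuthenticationRequired -Value 1  # NLA (method assumed, not shown in thread)
    Write-Host 'After remediation:'
    Get-RdpListenerState | Format-List | Out-String | Write-Host
}
```

    Run it once without -Remediate to see what a rescan would flag, then with -Remediate and rescan; enabling NLA also requires that clients support CredSSP, so test a connection before rolling it out widely.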