Unable to RDP from Windows XP to Windows 7 machine configured with Windows 7 EC Desktop baseline

  • Question

  • Scenario:

    I have two machines, a Windows XP and a Windows 7 machine in OU 1. There is another Windows 7 machine in OU 2. Both OUs are subject to exactly the same policies, namely the Windows 7 EC Desktop policy and a firewall policy that allows inbound Remote Desktop exceptions set to * (All). Both OUs have all other policies bar the Default Domain Policy blocked from inheritance.

    I can RDP to the third Windows 7 machine in OU 2 from my Windows 7 machine in OU 1 fine. However, I am unable to get a Remote Desktop Connection to the third machine from my Windows XP box in OU 1. The same account is being used throughout. I have also upgraded the RD client on the XP box to 7.0, but it's made no difference. If I disable the Win7EC desktop policy in OU 2, all is well and I can RDP from the XP box.

    I assume Windows 7 must be sending some information with improved encryption by default. Indeed, looking at the event viewer on the machine in OU 2 I see: 

    IPsec dropped an inbound clear text packet that should have been secured. If the remote computer is configured with a Request Outbound IPsec policy, this might be benign and expected. This can also be caused by the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.

    Can anyone suggest what element of the policy I should change (or more to the point, how I should change it) to keep security as strong as possible but allow the XP client to reach the machine via RDP?

    Thanks

    Simon


    • Edited by SJBond Thursday, June 28, 2012 9:30 AM Missed a paragraph
    Thursday, June 28, 2012 9:24 AM

Answers

  • I found the eventual answer to this. The firewall settings for the EC-Desktop are set to 'Allow the connection if it is secure'. This setting doesn't appear to be compatible with Windows XP from my experience and it wasn't until I changed it to simply 'Allow this connection' that I was able to connect from an XP workstation.


    • Marked as answer by SJBond Monday, July 23, 2012 9:58 AM
    Monday, July 23, 2012 9:58 AM
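Added example, not part of the thread or of the Security Compliance Manager baseline: a PowerShell script for a Windows 7 era host (it uses `netsh advfirewall`, which is what the GUI drives) that (1) lists every inbound rule for TCP 3389 with its Security value, where anything other than `NotRequired` is the GUI's "Allow the connection if it is secure" and means IPsec is demanded from the peer, (2) pulls the "IPsec dropped an inbound clear text packet" events quoted in the question out of the Security log so you can see which peer is sending clear text, and (3) applies the fix the answer describes, `security=notrequired` being the netsh spelling of "Allow this connection". The rule name `Remote Desktop (TCP-In)` is the built-in one and is an assumption; the `RemoteIp` scoping parameter is my addition so the clear-text exception can be limited to the one XP host rather than opened for everyone.

```powershell
# Added example (not from the thread). Assumes netsh advfirewall and, for the
# Security log query, an elevated prompt. Rule name is the built-in default;
# change it if your policy uses a different name.

# 1. Report the Security setting of every inbound rule that opens TCP 3389.
#    'NotRequired'  == GUI "Allow the connection"
#    anything else  == GUI "Allow the connection if it is secure" (IPsec required)
function Get-RdpRuleSecurity {
    $raw    = netsh advfirewall firewall show rule name=all dir=in verbose
    $blocks = ($raw -join "`n") -split '(?m)^Rule Name:\s*'
    foreach ($b in $blocks) {
        if ($b -notmatch 'LocalPort:\s+3389') { continue }   # skip non-RDP rules
        $name = ($b -split "`n")[0].Trim()
        $sec  = if ($b -match 'Security:\s+(\S+)') { $matches[1] } else { 'Unknown' }
        $prof = if ($b -match 'Profiles:\s+(\S+)') { $matches[1] } else { 'Unknown' }
        New-Object PSObject -Property @{
            Name          = $name
            Profiles      = $prof
            Security      = $sec
            RequiresIPsec = ($sec -ne 'NotRequired')
        }
    }
}

# 2. Find the audit events the question quotes. The message text is matched
#    rather than an event ID so this works regardless of which ID your build
#    assigns; the event body names the source address of the clear-text peer.
function Get-IpsecClearTextDrops {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security' } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like 'IPsec dropped an inbound clear text packet*' } |
        Select-Object -First $MaxEvents TimeCreated, Id, Message
}

# 3. The fix from the marked answer: stop requiring IPsec on the RDP rule.
#    RemoteIp is an added option: pass the XP host's address to keep the
#    clear-text exception to that one peer instead of 'any'.
function Set-RdpRuleAllowClearText {
    param(
        [string]$RuleName = 'Remote Desktop (TCP-In)',   # assumed built-in name
        [string]$RemoteIp = 'any'
    )
    netsh advfirewall firewall set rule name="$RuleName" dir=in new security=notrequired remoteip=$RemoteIp
}

# Usage:
#   Get-RdpRuleSecurity | Format-Table -AutoSize
#   Get-IpsecClearTextDrops -MaxEvents 10
#   Set-RdpRuleAllowClearText -RemoteIp 192.0.2.10   # 192.0.2.10 is a placeholder
```

If the RDP rule arrives via Group Policy, as the firewall policy in the question does, `netsh` on the member will only change a local rule and the domain rule will keep winning; the Security setting has to be changed in the GPO itself, which is what the answer did. Keep step 1 around after the change as a check that no other rule in the same policy still carries an IPsec requirement.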

All replies

  • bondy;

    This is a well-known issue caused by the requirement for FIPS-140 compliant encryption algorithms. You can update the RDP client on the XP machines and connect from them to the Windows 7 machines; however, you won't be able to connect to the XP machines via RDP because there is no update available for the XP RDP server component. Look at the detailed information for the setting called "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" in SCM; there are links to related articles and downloads.


    Kurt Dillard http://www.kurtdillard.com

    Thursday, June 28, 2012 4:52 PM
    Moderator
  • Thanks Kurt.

    This sounds likely. However, I am having trouble remoting from an XP machine to the Windows 7 machine. Can you think of any reasons this might be the case?

    Friday, June 29, 2012 10:41 AM
  • Bondy;

    Please read the details in SCM about the setting I mentioned.

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Friday, June 29, 2012 4:11 PM
    Moderator
  • Bondy;

    I'm glad you found the root cause; that firewall rule isn't part of our baseline, it must be something you guys configured locally or via group policy. The 'if secure' option only allows the connection if it's protected via IPsec, aka a "Connection Security Rule."

    Regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    Friday, August 10, 2012 7:33 PM
    Moderator