Windows Remote Desktop Protocol Weak Encryption Method Allowed - Vulnerability Scan

    Question

  • Hello,

    We recently had a third party run a vulnerability scan on one of our servers. It showed up a few vulnerabilities. I am able to fix most of them, but I got stopped at this vulnerability -- Windows Remote Desktop Protocol Weak Encryption Method Allowed

    Ours is Windows Server 2012 R2. I have found fixes for Windows Server 2008 but not for Server 2012 R2.

    The solution provided by our vendor is: RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider. To configure RDP encryption methods 'Terminal Services Configuration' snap-in can be launched in mmc.exe. In 'Terminal Services Configuration' properties dialog box General tab for the Encryption Level 'High' should be selected.

    Does anybody have any idea how to fix this in Windows Server 2012 R2?


    Mallikarjuna YH, Windows / Exchange

    Tuesday, August 4, 2015 9:49 PM

Answers

  • Hi,

    For a 2012 R2 server that is not part of an RDS collection, you may open an administrator command prompt and enter the following commands:

     
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetEncryptionLevel 3
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetSecurityLayer 2
     

    The above will set the Encryption Level to High and the Security Layer to SSL.  Depending on your needs you may want to install and configure a certificate from a trusted public authority such as GoDaddy, Digicert, Thawte, GeoTrust, etc.

    For servers that are part of a collection you would instead use Server Manager -- RDS -- Collections -- <collection> -- Tasks -- Edit properties -- Security tab.

    -TP

    Wednesday, August 5, 2015 4:18 PM
    Moderator

All replies

  • Thanks TP,

    This worked for me. After running those commands, the vulnerability in question was no longer reported.

    Once again, thanks for the quick tip.


    Mallikarjuna YH, Windows / Exchange

    Friday, August 7, 2015 2:11 PM
  • Hello,

    In Win 2012 Standard, I get "Method execution successful", but what does "Out Parameters" mean in the following output?

    C:\Program Files (x86)\ICW>wmic /namespace:\\root\CIMV2\TerminalServices PATH Wi
    n32_TSGeneralSetting WHERE TerminalName="RDP-Tcp" CALL SetEncryptionLevel 3
    Executing (\\VM1-3X####-6\root\CIMV2\TerminalServices:Win32_TSGeneralSetting.Te
    rminalName="RDP-Tcp")->SetEncryptionLevel()
    Method execution successful.
    Out Parameters:
    instance of __PARAMETERS
    {
    };

    Thanks in advance,
    Sirag

    Thank you

    Tuesday, August 2, 2016 3:23 PM
  • Hi TP,

    Can you please share the remediation for Windows 2008 R2 server as well? Will there be any impact after making these changes on servers, or any known issues we may face?

    Regards,

    Jeet

    Friday, May 26, 2017 1:16 PM
  • I got the same error as in the original post reported in a Qualys scan that our Security team ran: "Windows Remote Desktop Protocol Weak Encryption Method Allowed , port 3389/tcp over SSL"

    This was on Windows Server 2012.

    I ran the following PowerShell commands to resolve the issue:

    $RDSSettings = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
    $RDSSettings.SetEncryptionLevel(3)
    $RDSSettings.SetSecurityLayer(2)

    After running the commands above, a Qualys rescan no longer reported the issue.

    The documentation for the 2 settings modified by the commands above:

    MinEncryptionLevel - https://msdn.microsoft.com/en-us/library/aa383800(v=vs.85).aspx

    SetSecurityLayer - https://msdn.microsoft.com/en-us/library/aa383801(v=vs.85).aspx

    Hope this helps,
    Mario


    Friday, September 1, 2017 8:11 PM
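
An added example, not code from any poster in this thread: a Windows PowerShell script that reports the two RDP-Tcp listener values changed by the commands above and, when run with the hypothetical `-Remediate` switch, applies them and re-reads the listener to confirm the result. The switch, the function name and the value legends in the comments (taken from the Win32_TSGeneralSetting documentation) are assumptions not found in the thread.

```powershell
# Added example: audit and optionally remediate the RDP listener settings
# discussed in this thread. Run from an elevated Windows PowerShell prompt.
param(
    [switch]$Remediate,                  # hypothetical switch: without it, report only
    [string]$TerminalName = 'RDP-Tcp'    # listener name used in the thread
)

# Targets from the thread: Encryption Level High (3), Security Layer SSL (2).
$wantEncryption = 3   # MinEncryptionLevel: 1 Low, 2 Client Compatible, 3 High, 4 FIPS Compliant
$wantLayer      = 2   # SecurityLayer: 0 RDP Security Layer, 1 Negotiate, 2 SSL

function Get-RdpListener {
    # Same class, namespace and filter as the commands posted above.
    Get-WmiObject -Class Win32_TSGeneralSetting `
        -Namespace root\cimv2\terminalservices `
        -Filter "TerminalName='$TerminalName'"
}

$listener = Get-RdpListener
if (-not $listener) { throw "Listener '$TerminalName' not found." }

"Before: MinEncryptionLevel=$($listener.MinEncryptionLevel) SecurityLayer=$($listener.SecurityLayer)"

if ($Remediate) {
    # Only raise the encryption level; a listener already at 4 (FIPS) is left alone.
    if ($listener.MinEncryptionLevel -lt $wantEncryption) {
        [void]$listener.SetEncryptionLevel($wantEncryption)
    }
    if ($listener.SecurityLayer -ne $wantLayer) {
        [void]$listener.SetSecurityLayer($wantLayer)
    }
    # Re-read the instance instead of relying on the method output.
    $listener = Get-RdpListener
    "After:  MinEncryptionLevel=$($listener.MinEncryptionLevel) SecurityLayer=$($listener.SecurityLayer)"
}

$compliant = ($listener.MinEncryptionLevel -ge $wantEncryption) -and
             ($listener.SecurityLayer -eq $wantLayer)

if ($compliant) {
    "OK: '$TerminalName' requires High (or stronger) encryption over SSL."
} else {
    Write-Warning "'$TerminalName' still allows weaker settings; rerun with -Remediate."
    exit 1
}
```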