none
RDP does not work after disabling TLS 1.0 RRS feed

  • Question

  • RDP does not work after disabling TLS 1.0

    Had to re-enable it .... what can i do to make it work with TLS 1.2 ??

    Monday, March 9, 2015 8:46 PM

Answers

  • Hi,

    Disabling TLS 1.0 will break RDP under default settings.  Did the security scan say specifically to disable TLS 1.0?  Normally you should be able to disable use of certain ciphers or prioritize ciphers.  You may want to try IISCrypto, on it you click the PCI button, then Apply button, then restart your server.
    Additionally there are still a substantial number of web browsers in use that do not support TLS 1.1/1.2.
    If you would like to continue with TLS 1.0 disabled you may change the RDP Security Layer.  To do this please open Terminal Services Configuration (tsconfig.msc), double-click RDP-Tcp, change Security Layer to RDP Security Layer.

    IMPORTANT:  You are vulnerable to MITM attack when using RDP Security Layer because there is no Server Authentication.  If you are running RDP over a VPN connection and there is no risk for interception then this may be okay.  I recommend you re-enable TLS 1.0 and have a ssl certificate from a public authority set on your RDP-Tcp listener.

    Quoted from this thread answered by TP, for more information you can go through that thread. 

    Hope it helps!

    Thanks.

    Dharmesh Solanki

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, March 11, 2015 12:56 AM
    Moderator

All replies

  • Hi,

    Disabling TLS 1.0 will break RDP under default settings.  Did the security scan say specifically to disable TLS 1.0?  Normally you should be able to disable use of certain ciphers or prioritize ciphers.  You may want to try IISCrypto, on it you click the PCI button, then Apply button, then restart your server.
    Additionally there are still a substantial number of web browsers in use that do not support TLS 1.1/1.2.
    If you would like to continue with TLS 1.0 disabled you may change the RDP Security Layer.  To do this please open Terminal Services Configuration (tsconfig.msc), double-click RDP-Tcp, change Security Layer to RDP Security Layer.

    IMPORTANT:  You are vulnerable to MITM attack when using RDP Security Layer because there is no Server Authentication.  If you are running RDP over a VPN connection and there is no risk for interception then this may be okay.  I recommend you re-enable TLS 1.0 and have a ssl certificate from a public authority set on your RDP-Tcp listener.

    Quoted from this thread answered by TP, for more information you can go through that thread. 

    Hope it helps!

    Thanks.

    Dharmesh Solanki

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, March 11, 2015 12:56 AM
    Moderator
  • You have to replace the default self-signed RDP certificate created by Windows that is SHA1 with a new one that is SHA2 See my detailed post on this topic here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/9a6ac988-061a-4594-849c-dc8f037a70ad/rdp-protocol-tls11-support

    Please reply if you are able to get it to work for you or not.

    Tuesday, July 28, 2015 12:20 AM