RDS Security and Configuration

  • Question

  • Hello All,

    We have deployed a new RDS environment with Server 2019. We have also incorporated MFA with this new deployment. Since Windows 7 support is about to end, we have decided to only allow TLS 1.2. I have configured all of our servers in the environment with only this protocol enabled and I have enabled only GCM TLS 1.2 ciphers, as the CBC ciphers no longer provide forward security. Once I had everything configured I started testing. I could connect no problem from any of the following OSes: Windows 10, Android 9, and Mac iOS. The only OS I had a problem with was Windows 10. Go figure. When the user signed out of the desktop the screen would stay black. The user would have to open Task Manager on their machine and end the RDP task to resolve the issue. I checked the Gateway server while the screen was black to see if the connection was hanging open or something, and no, it was not. According to the connection manager and the logs, the user was logged out and the connection was closed successfully. After some testing I found the only way to resolve the black screen after log off issue was to enable the following cipher:

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

    or its 128 counterpart. This removes the forward security aspect from my server and can allow a person to compromise the site or credentials at a later time.  

    I have not found a way to use better security and continue to use RDS reliably. I will continue testing; however, if someone has any information about this, I would greatly appreciate it. If I find something I will post back.

    Thanks,

    Scott

    Friday, December 6, 2019 6:47 PM
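
    The configuration the post describes (TLS 1.2 only, ECDHE + AES-GCM suites only, with the option of re-adding the one CBC suite the poster needed for Windows 10 sign-out) as an added PowerShell example. It is not part of the original post or of any Microsoft guidance. The Schannel registry paths, the Tls cipher-suite cmdlets and the suite names are the documented ones; the $AllowedSuites list, the -Apply and -ReenableCbcFallback switches and the Test-TlsHandshake helper are this example's own. Two caveats a practitioner should keep in mind: a domain GPO "SSL Cipher Suite Order" setting overrides the local list these cmdlets edit, and in TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA the key exchange is still ephemeral ECDH; what differs from the GCM suites is the record-layer mode (AES-CBC with HMAC-SHA1) rather than the key exchange.

```powershell
# Added example (not from the original post): audit, and optionally pin, the
# Schannel settings on a Windows Server 2019 RDS host the way the post
# describes. Without -Apply the script only reports. Run elevated; protocol
# changes take effect after a reboot. $AllowedSuites, the two switches and
# Test-TlsHandshake are this example's own names.
param(
    [switch]$Apply,
    [switch]$ReenableCbcFallback   # re-add the CBC suite the post needed for Win10 sign-out
)

$ProtocolRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

# Forward-secret AEAD suites Schannel offers for TLS 1.2 on Server 2019.
$AllowedSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)
# The suite the post found necessary. Key exchange is still ephemeral ECDH;
# only the record layer differs (AES-CBC + HMAC-SHA1 instead of AES-GCM).
$CbcFallback = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA'

function Set-SchannelProtocol {
    # Enable/disable one protocol version for both the Server and Client role.
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $ProtocolRoot "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Test-TlsHandshake {
    # Handshake against an RD Gateway (plain TLS on 443; RDP on 3389 only
    # starts TLS after an X.224 exchange, so SslStream cannot probe it directly)
    # and report what was actually negotiated.
    param([string]$ComputerName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Hash        = $ssl.HashAlgorithm
        }
    } finally { $tcp.Close() }
}

# --- Report -------------------------------------------------------------------
$current = Get-TlsCipherSuite
$weak    = $current | Where-Object { $_.Name -notlike 'TLS_ECDHE_*_GCM_*' }
Write-Host "Enabled suites: $($current.Count); not ECDHE+GCM: $($weak.Count)"
$weak | ForEach-Object { Write-Host "  $($_.Name)" }

foreach ($p in $LegacyProtocols + 'TLS 1.2') {
    $key = Join-Path $ProtocolRoot "$p\Server"
    $val = if (Test-Path $key) { (Get-ItemProperty $key -ErrorAction SilentlyContinue).Enabled } else { '(default)' }
    Write-Host ("  {0,-8} Server Enabled = {1}" -f $p, $val)
}

# --- Apply --------------------------------------------------------------------
if ($Apply) {
    foreach ($p in $LegacyProtocols) { Set-SchannelProtocol -Name $p -Enabled $false }
    Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

    foreach ($s in $weak)          { Disable-TlsCipherSuite -Name $s.Name }
    foreach ($s in $AllowedSuites) { Enable-TlsCipherSuite  -Name $s }
    if ($ReenableCbcFallback)      { Enable-TlsCipherSuite  -Name $CbcFallback }

    Write-Host 'Applied. Reboot so Schannel reloads the protocol settings, then verify with:'
    Write-Host '  Test-TlsHandshake -ComputerName <gateway-fqdn>'
}
```

    Run it once without -Apply to see which suites and protocol versions are currently enabled, then with -Apply to pin the list; -ReenableCbcFallback reproduces the workaround the post arrived at. If the local list does not change after -Apply, check whether a Group Policy cipher-suite order is in force, since it takes precedence over the per-machine list these cmdlets edit.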

All replies

  • Hi Scott,
    Thanks for your posting. I tried to find more details and will keep you updated if any findings.
    Best Regards,

    Jenny


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 9, 2019 9:29 AM