RDP protocol TLS1.2 Support

    Question

  • Is there any way to force RDP to use TLS version 1.2, since I would ideally like to switch to the Suite B TLS ciphers, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384? I have always felt rather lukewarm about AES-CBC mode in TLS since the padding oracle attacks were demonstrated a few years ago (2003ish). OK, there are (probably?) effective countermeasures in all current software stacks (I really hope that includes schannel), but we all know well-meaning people can go back and "clean up" old code. Anyone for a Debian random number? ;) More seriously, it would be good to be able to configure this for those situations where a specified security level is a requirement of a contract, and while the NSA doesn't have much say in things this side of the water, their standards can be a good reference point.

     I have already added the following to the registry on both server and client:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000

    However, the client flatly refuses to connect with a TLS 1.2 dialect - always only TLS 1.0. Has anyone found a way of doing this? If not, are Microsoft planning to update the client at any point?

     

    Thursday, November 11, 2010 1:07 PM
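An added example (not from the question or from Microsoft): a PowerShell audit of which Schannel protocols the registry enables for the client and server sides, plus a function that writes the TLS 1.2 keys the question edits with both values Schannel reads. It assumes the standard Schannel key path and value names, an elevated session, and a reboot before the change takes effect.

```powershell
# Added example, not from the thread. Schannel reads two DWORDs under each
# Protocols\<version>\<Client|Server> key: Enabled (0 = off) and
# DisabledByDefault (1 = off unless an application asks for the protocol).
# A missing value means "OS default for that protocol" and is reported as such.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelBase "$proto\$side"
            $enabled = $null; $dbd = $null
            if (Test-Path $key) {
                $props   = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $dbd     = $props.DisabledByDefault
            }
            # Only give a verdict when the registry actually decides it.
            $state = 'enabled'
            if ($null -eq $enabled -and $null -eq $dbd) { $state = 'OS default' }
            if ($enabled -eq 0 -or $dbd -eq 1)          { $state = 'disabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -eq $enabled) { '(absent)' } else { $enabled }
                DisabledByDefault = if ($null -eq $dbd)     { '(absent)' } else { $dbd }
                State             = $state
            }
        }
    }
}

function Enable-SchannelTls12 {
    # The question set only DisabledByDefault=0; Enabled=1 is written as well so the
    # result does not depend on the per-OS default for a missing Enabled value.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelBase "TLS 1.2\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Usage: audit first, change only if TLS 1.2 is explicitly disabled, then reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
$tls12Off = Get-SchannelProtocolState | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -eq 'disabled' }
if ($tls12Off) {
    Enable-SchannelTls12
    'TLS 1.2 keys written; reboot before Schannel picks them up.'
}
```

Note that enabling TLS 1.2 in Schannel does not make RDP use it; as the answers below explain, the RDP stack of that era negotiates TLS 1.0 regardless of these keys.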

Answers

  • Hi,

    Sorry for the delay of response.

    After discussing this with my colleagues who know the RDP protocol well and doing some research, the result is that RDP does not currently support TLS 1.2.

    We greatly apologize for any inconvenience this may cause you.

    Tuesday, November 16, 2010 1:54 AM
    Moderator
  • EDIT:

    I've been doing some extensive testing on this subject. Based on the results of my testing, you can imagine a continuum of five different RDP certificate security levels, ranging from "least secure" to "most secure". Start with the highest level and work your way backwards (as needed) to meet the specifications of your CA/PKI and compatibility needs.

    Please post comments if any of this data is inaccurate or missing and I will do my best to update this post.

    Level 1 (Least Secure; Highest Level Supporting Windows 2000 RDP Clients):

    Certificate Specifications (Issued Certificate):

    • Signature algorithm: RSA
    • Key length: at least 2048
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not enabled (Server 2003 CA certificate templates won't ask for this anyway)
    • Signature hash algorithm: SHA-1
    • Key usage: signature & encryption
    • Application policy: Server Authentication
    • Enterprise CA template version: Server 2003

    Certificate Specifications (Certificate Chain):

    • Signature algorithm: RSA (throughout chain)
    • Key length: at least 2048 (throughout chain - 4096 recommended)
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not enabled (anywhere in chain)
    • Signature hash algorithm: SHA-1 (throughout chain)

    Minimum RDP Client Versions that Work:

    • Windows 2000 With RDP Client v5.2
    • Windows XP SP3 (32-bit) with RDP Client 6.1
    • Windows XP SP2 (64-bit) with RDP Client 5.2
    • Windows Server 2003 SP2 with RDP Client 5.2
    • Windows Server 2003 R2 SP2 with RDP Client 5.2
    • Windows Vista with RDP Client 6.0
    • Windows Server 2008 SP1 with RDP Client 6.1
    • Windows 7 with RDP Client 7.0
    • Windows Server 2008 R2 with RDP Client 7.0

    Minimum RDP Server Versions that Work (can encrypt the incoming RDP connection with SSL):

    • Windows Server 2003
    • Windows Server 2003 R2
    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2

    Level 2 (Lowest Recommended Level; Highest Level Supporting Windows XP 64-Bit, Windows Server 2003, and Windows Server 2003 R2; Minimum Level Required for FBCA Compliance):

    Certificate Specifications (Issued Certificate):

    • Signature algorithm: RSA
    • Key length: at least 2048
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not enabled (Server 2003 CA certificate templates won't ask for this anyway)
    • Signature hash algorithm: SHA-256 or SHA-384
    • Key usage: signature & encryption
    • Application policy: Server Authentication
    • Enterprise CA template version: Server 2003

    Certificate Specifications (Certificate Chain):

    • Signature algorithm: RSA (throughout chain)
    • Key length: at least 2048 (throughout chain - 4096 recommended)
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not enabled (anywhere in chain)
    • Signature hash algorithm: SHA-256 or SHA-384 (throughout chain)

    Minimum RDP Client Versions that Work:

    • Windows XP SP3 (32-bit) with RDP Client 6.1
    • Windows XP SP2 (64-bit) with RDP Client 5.2 and KB968730
    • Windows Server 2003 SP2 with RDP Client 5.2 and KB968730
    • Windows Server 2003 R2 SP2 with RDP Client 5.2 and KB968730
    • Windows Vista with RDP Client 6.0
    • Windows Server 2008 SP1 with RDP Client 6.1
    • Windows 7 with RDP Client 7.0
    • Windows Server 2008 R2 with RDP Client 7.0

    Minimum RDP Server Versions that Work (can encrypt the incoming RDP connection with SSL):

    • Windows Server 2003 SP2 and KB968730
    • Windows Server 2003 R2 SP2 and KB968730
    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2

    Level 3 (Highest Level Supporting Windows XP 32-Bit RDP Clients):

    Certificate Specifications (Issued Certificate):

    • Signature algorithm: RSA
    • Key length: at least 2048
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not enabled
    • Signature hash algorithm: SHA-256 or SHA-384
    • Key usage: signature & encryption
    • Application policy: Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2)
    • Enterprise CA template version: Server 2008

    Certificate Specifications (Certificate Chain):

    • Signature algorithm: RSA (throughout chain)
    • Key length: at least 2048 (throughout chain - 4096 recommended)
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not enabled (anywhere in chain)
    • Signature hash algorithm: SHA-256 or SHA-384 (throughout chain)

    Minimum RDP Client Versions that Work:

    • Windows XP SP3 (32-bit) with RDP Client 6.1
    • Windows Vista with RDP Client 6.1
    • Windows Server 2008 SP1 with RDP Client 6.1
    • Windows 7 with RDP Client 7.0
    • Windows Server 2008 R2 with RDP Client 7.0

    Minimum RDP Server Versions that Work (can encrypt the incoming RDP connection with SSL):

    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2

    Level 4 (Lowest Level Supporting ECDSA Signature Algorithms; Highest Level Supporting Windows Vista and Server 2008):

    Certificate Specifications (Issued Certificate):

    • Signature algorithm: ECDSA 256 or ECDSA 384
    • Key length: at least 256
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not relevant with ECDSA algorithms
    • Signature hash algorithm: SHA-256 or SHA-384
    • Key usage: signature & encryption
    • Application policy: Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2)
    • Enterprise CA template version: Server 2008

    Certificate Specifications (Certificate Chain):

    • Signature algorithm: ECDSA 256 or ECDSA 384 (throughout chain)
    • Key length: at least 256 (throughout chain)
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not relevant with ECDSA algorithms
    • Signature hash algorithm: SHA-256 or SHA-384 (throughout chain)

    Minimum RDP Client Versions that Work:

    • Windows Vista with RDP Client 6.1
    • Windows Server 2008 SP1 with RDP Client 6.1
    • Windows 7 with RDP Client 7.0
    • Windows Server 2008 R2 with RDP Client 7.0

    Minimum RDP Server Versions that Work (can encrypt the incoming RDP connection with SSL):

    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2

    Level 5 (Most Secure; Minimum Level for Suite B Compliance):

    Certificate Specifications (Issued Certificate):

    • Signature algorithm: ECDSA 256 or ECDSA 384
    • Key length: at least 256
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not relevant with ECDSA algorithms
    • Signature hash algorithm: SHA-256 or SHA-384
    • Key usage: signature only
    • Application policy: Remote Desktop Authentication (1.3.6.1.4.1.311.54.1.2)
    • Enterprise CA template version: Server 2008

    Certificate Specifications (Certificate Chain):

    • Signature algorithm: ECDSA 256 or ECDSA 384 (throughout chain)
    • Key length: at least 256 (throughout chain)
    • "Alternate Signature Algorithm" (RSASSA-PSS): Not relevant with ECDSA algorithms
    • Signature hash algorithm: SHA-256 or SHA-384 (throughout chain)

    Minimum RDP Client Versions that Work:

    • Windows 7 with RDP Client 7.0
    • Windows Server 2008 R2 with RDP Client 7.0

    Minimum RDP Server Versions that Work (can encrypt the incoming RDP connection with SSL):

    • Windows 7
    • Windows Server 2008 R2

     

    /EDIT

     

    HackedOffAdmin,

    As a workaround, you might consider implementing IPsec to secure the connection. Of course, this won't get you the Remote Desktop Services single sign-on (SSO) functionality... but it can ensure that the connection is secured with a "Suite B" compliant protocol. For "Suite B" compliance + SSO, you might secure the RDP "application" with an RSA 2048 / SHA1 certificate chain and then secure the IP protocol with IPsec. I suggest RSA 2048 and SHA1 only because I do not know if RDP supports RSA 4096 or SHA256/384. TLS 1.0 + IPsec is definitely double encryption, but currently the only way to remain Suite B compliant with RDP.

    Microsoft,

    It would be very helpful if you could publish a document/spreadsheet with the following example columns:

    • Application (e.g. SQL; or OS "application" e.g. RDP)
    • Application Service Pack / Hotfixes
    • Operating System
    • OS Service Pack
    • OS Hotfixes
    • "Suite B" Compliant?
    • TLS 1.2 Compliant?
    • Supports SHA-256?
    • Supports RSA 4096-bit key length?
    • Impact of enabling FIPS compliance?

    As a best practice, I've been recommending "Suite B" algorithms, but the number of applications that don't yet support them is staggering. And short of building a test lab for every app, it's really hard to find the above information.

    Thanks!
    Frank


    • Edited by Frank E Lesniak Wednesday, December 7, 2011 2:04 AM Added lots of details on RDP certs
    • Proposed as answer by Frank E Lesniak Wednesday, December 7, 2011 2:04 AM
    • Marked as answer by HackedOffAdmin Sunday, January 22, 2012 2:12 PM
    Tuesday, November 1, 2011 12:51 AM
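An added example, not Frank's code: a PowerShell check that reads the certificate bound to the RDP-Tcp listener and reports which of the five levels above its signature hash (checked throughout the chain), key algorithm and length, key usage and Remote Desktop Authentication EKU rule it out of. It assumes the Win32_TSGeneralSetting WMI class exposes the listener's thumbprint, that the certificate sits in the LocalMachine "Remote Desktop" or "My" store, and an elevated session.

```powershell
# Added example, not from the thread: grade the RDP listener certificate against the
# five levels described in the post above (Level 5 = ECDSA key, SHA-256/384 signature
# throughout the chain, signature-only key usage, Remote Desktop Authentication EKU).
$RdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication OID, from the post

function Get-RdpListenerCertificate {
    # The listener records the SHA-1 thumbprint of its certificate in WMI.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    if (-not $ts) { throw 'RDP-Tcp listener not found' }
    # The default self-signed certificate lives in "Remote Desktop"; CA-issued ones usually in "My".
    foreach ($store in 'Remote Desktop', 'My') {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
                Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
        if ($cert) { return $cert }
    }
    throw "Certificate $($ts.SSLCertificateSHA1Hash) not found in the LocalMachine stores"
}

function Test-RdpCertificateLevels {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()

    # Signature hash, checked on every element of the chain as the post requires.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($Cert)
    $sigs  = $chain.ChainElements | ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }
    if ($sigs -match 'sha1') { $findings += "SHA-1 signature in chain ($($sigs -join ', ')): Level 1 only" }

    # Key algorithm and length ('RSA' or 'ECC'; KeySize is only read for RSA keys).
    $keyAlg = $Cert.PublicKey.Oid.FriendlyName
    if ($keyAlg -eq 'RSA') {
        if ($Cert.PublicKey.Key.KeySize -lt 2048) { $findings += 'RSA key shorter than 2048 bits: below Level 1' }
        $findings += 'RSA key: Levels 1-3 only (Levels 4-5 need ECDSA)'
    }

    # Extended key usage: Levels 3-5 need the Remote Desktop Authentication OID.
    $ekus = foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekus -notcontains $RdpAuthEku) { $findings += "EKU $RdpAuthEku missing: Levels 1-2 only" }

    # Key usage: Level 5 is signature only, so key encipherment rules it out.
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $enc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if ($ku -and ([int]($ku.KeyUsages -band $enc) -ne 0)) {
        $findings += 'Key usage includes encipherment: Levels 1-4 (Level 5 is signature only)'
    }

    [pscustomobject]@{
        Subject   = $Cert.Subject
        Signature = $Cert.SignatureAlgorithm.FriendlyName
        KeyAlg    = $keyAlg
        Findings  = $findings
    }
}

$report = Test-RdpCertificateLevels -Cert (Get-RdpListenerCertificate)
$report | Format-List
if ($report.Findings.Count -eq 0) { 'Certificate meets the Level 5 criteria' }
```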

All replies

  • Thanks, I thought as much.

    Are there any plans to support this in the future?  After all one the the championed additions to Win7/2008 R2 was TLS1.2 support (and its nice to see Microsoft so far ahead of the curve here, well done!) but your own in box remote desktop solution for this platform wasn't upgraded to match??? Shows a lack of joined up thinking....

    Tuesday, November 16, 2010 1:49 PM
  • Well, it's a year-old thread but thanks for the effort (have an answer mark)... Nice summary; enhanced certificate support doesn't really help when TLS 1.0 is limited to HMAC-SHA1 or HMAC-MD5 for the packet MAC and SHA1 signing for the server key exchange when using DHE or ECDHE key exchange. Like you say, IPsec isn't a very neat solution. Seconded on the support list from Microsoft. Mixed (i.e. minimal) support for TLS 1.1 and TLS 1.2 in their software even though the new OS variants support it, and often missing support for ECDSA certs too...
    Sunday, January 22, 2012 2:10 PM
  • Sorry to necro an old thread but if you are still interested in doing this I believe it is possible to do in 2012R2. You have to replace the default self-signed RDP certificate created by Windows that is SHA1 with a new one that is SHA2. See my detailed post on this topic here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/9a6ac988-061a-4594-849c-dc8f037a70ad/rdp-protocol-tls11-support

    Tuesday, July 28, 2015 12:26 AM
  • Below is a write up on how we enabled TLS 1.2 only for IIS and TLS 1.0 only for RDP.  Also see the post above where I was able to use the 2012r2 instructions to get it to work on 2008r2.  I started from a 2008r2 base image with rdp feature enabled.

        • Installed KB2574819 (may not be needed)
        • Use IIS Crypto or registry keys (many places to find these settings):
          1. Disabled TLS protocols 1.0 and 1.1
          2. Ensured TLS v1.2 is enabled
          3. Disabled all ciphers except AES 256
          4. Disabled all hashes except SHA 256
          5. Disabled all cipher suites except TLS_RSA_WITH_AES_128_GCM_SHA256
        • Run gpedit.msc
          1. Browse to Computer\Windows Settings\Security Settings\Local Policies\Security Options:
             1. Network Security: LAN Manager authentication level - choose NTLMv2 response only
             2. Network Security: Minimum session security for NTLM SSP - check NTLMv2 and 128-bit
             3. Network Security: Minimum session security for NTLM SSP - check NTLMv2 and 128-bit
             4. System Cryptography: Use FIPS algorithms - select Enabled
          2. Browse to Computer\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security:
             1. Require use of specific security layer for remote RDP connections - choose TLS 1.0 only
        • Run tsconfig.msc
          1. Right-click RDP-Tcp in the connections area
          2. Change encryption level to High
          3. Click OK
        • Rebooted
        • Tested RDP
        • Nmap testing

    NMAP Command - nmap -p 3389 --script ssl-enum-ciphers 172.2.8.7

    PORT     STATE SERVICE
    3389/tcp open  ms-wbt-server
    | ssl-enum-ciphers:
    |   TLSv1.0:
    |     ciphers:
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |     compressors:
    |       NULL
    |     cipher preference: indeterminate
    |     cipher preference error: Too few ciphers supported

    NMAP Command - nmap -p 443 --script ssl-enum-ciphers 172.2.8.7

    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.2:
    |     ciphers:
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |     warnings:
    |       Weak certificate signature: SHA1
    |_  least strength: C

    NMAP Command - nmap -p 3389 --script rdp-enum-encryption 172.2.8.7

    PORT     STATE SERVICE
    3389/tcp open  ms-wbt-server
    | rdp-enum-encryption:
    |   Security layer
    |     CredSSP: SUCCESS
    |_    SSL: SUCCESS

    • Proposed as answer by Jeff Jagoda Thursday, August 20, 2015 5:14 PM
    • Unproposed as answer by HackedOffAdmin Thursday, August 20, 2015 5:45 PM
    Thursday, August 20, 2015 5:14 PM
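An added example (not from the post above): a PowerShell function that parses the text nmap's ssl-enum-ciphers script prints, such as the two listings above, and flags what an auditor would object to. The policy it applies (TLS 1.2 or better only; no suites built on 3DES, RC4, DES, NULL, export grades or MD5; no SHA-1 certificate signature) is my assumption, and the embedded sample is the port 3389 listing from the post.

```powershell
# Added example, not from the thread. Parses ssl-enum-ciphers output into
# protocol -> cipher suites and checks it against an assumed minimum policy.
function Test-SslEnumCiphers {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    begin   { $all = @() }
    process { $all += $Lines }
    end {
        $byProto  = [ordered]@{}
        $warnings = @()
        $proto    = $null
        foreach ($line in $all) {
            # "|   TLSv1.0:" opens a protocol section.
            if ($line -match '^\|\s+(SSLv\d|TLSv1\.\d):\s*$') {
                $proto = $Matches[1]; $byProto[$proto] = @(); continue
            }
            # "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C" lists a suite.
            if ($proto -and $line -match '^\|\s+(TLS_[A-Z0-9_]+)\s') {
                $byProto[$proto] += $Matches[1]; continue
            }
            # The script's own certificate warning, e.g. "Weak certificate signature: SHA1".
            if ($line -match '^\|\s+Weak certificate signature:\s*(\S+)') {
                $warnings += "certificate signed with $($Matches[1])"
            }
        }
        $findings = @()
        foreach ($p in $byProto.Keys) {
            if ($p -notin 'TLSv1.2', 'TLSv1.3') { $findings += "$p offered" }
            foreach ($c in $byProto[$p]) {
                if ($c -match '3DES|RC4|_DES_|NULL|EXPORT|_MD5$') { $findings += "$p weak suite $c" }
            }
        }
        $findings += $warnings
        [pscustomobject]@{ Protocols = @($byProto.Keys); Suites = $byProto; Findings = $findings }
    }
}

# Constructed input: the port 3389 listing from the post above.
$sample = @'
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
'@ -split "`r?`n"

$result = $sample | Test-SslEnumCiphers
$result.Findings   # TLSv1.0 offered; TLSv1.0 weak suite TLS_RSA_WITH_3DES_EDE_CBC_SHA
# Live use: nmap -p 3389 --script ssl-enum-ciphers <host> | Test-SslEnumCiphers
```

Run against the port 443 listing above it reports the 3DES suite and the SHA-1 certificate signature even though only TLSv1.2 is offered, which is the kind of inconsistency the next reply points out.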
  • Thanks for posting but just a few points....

    Your configuration is horribly broken and self-conflicting (e.g. you are using an AEAD cipher suite with AES128+GHASH but have apparently disabled everything but AES256 and SHA256). You are just exploiting unintentional edge cases; expect it to fail (or behaviour to change), potentially with any future updates. I really hope you are not using that in a production environment.

    In any case how does that answer the original question (to enable TLS1.2 for RDP) in this thread (which is now obsolete since Microsoft have pushed out the RDP8 stack)?

    General thread etiquette issues:

    You cross posted this to the other thread which is linked to by the post above yours...

    This thread is 5 years old and now obsolete...


    Thursday, August 20, 2015 5:45 PM
  • Not a solution to RDP with TLS 1.2, but a workaround to have TLS 1.2 only on IIS 443 and TLS 1.0 still available for RDP. Not the most elegant, but until Microsoft releases a fix for TLS 1.2 for RDP it is an option if you are required to meet NIST, PCI, or another compliance standard where TLS 1.0 must be disabled but still want TLS available for RDP. Otherwise, if you only have TLS 1.2 enabled then RDP will not function and you would need a different remote server application.

    I think this is a hot issue as my security pen testers are mandating TLS 1.1 and 1.2 only and disabling TLS 1.0. This presents a problem if you do not have physical access to the server to manage it.

    Thursday, August 20, 2015 6:14 PM
  • It took Microsoft a while, but there's finally TLS1.1+ support for RDP in Windows 7 and Windows Server 2008 R2.

    Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2
    https://support.microsoft.com/en-us/kb/3080079

    Saturday, October 17, 2015 8:43 AM
  • This is great, and I've installed it, but I can't find any way to force the use of TLS 1.2 on the client side, nor a way to check and see what method was used once connected. I have disabled everything but TLS 1.2 on the server side (supposedly), but when I run gpedit.msc on the client PC running Windows 7 and browse to Computer\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security,

    my only choices for "Require use of specific security layer for remote RDP connections" are still RDP and TLS 1.0. Has anyone gotten this to work, and can you prove it to an auditor? Thanks!!!

    Saturday, October 24, 2015 10:08 PM
  • Incorrect TLS is displayed when you use RDP with SSL encryption
    https://support.microsoft.com/en-us/kb/3097192

    Monday, October 26, 2015 4:27 PM
  • Did you get this to work? I've been testing today and after installing the Windows 7 patch to enable TLS 1.2 over RDP it doesn't work (connecting to a Windows 2012 R2 RDS collection). After disabling TLS 1.0 on the RDS server and connecting using RDWeb it logs on using TLS 1.2, but when you try to connect to an RD Connection Host it fails. Turn TLS 1.0 back on and it works.

    Only tried this with 1 Windows 7 PC; will try another tomorrow.

    Wednesday, October 28, 2015 6:35 PM
  • KB3140245 fixes this. The problem is not with RDP exactly, it's with WinHTTP, which is what RDWeb communicates under. The connection connects with TLS 1.2 but then HTTP SSL connections can only initiate communication on TLS 1.0 and the connection fails. Even published apps fail.

    Download the following patch. There is an x64 and x32 version for Windows 2008 R2, Windows 7 and Server 2012 (not R2). They all require a registry entry to force TLS 1.1 or TLS 1.2 WinHTTP communications also.

    https://support.microsoft.com/en-us/kb/3140245

    Monday, May 23, 2016 11:20 PM