CredSSP: RDP problem when not all the systems are update

In April 2018 Microsoft released an update to address a specific CVE that involve Credential Security Support Provider protocol (CredSSP): CVE-2018-0886 

This update was released for all the supported Windows Operating Systems. Even though I recommend to keep your server up to date, most of the customers don’t have automatic procedure to update the systems on regular basis (SCCM could be the right answer).

Here is where problems start.

Scenario

An update client with 2018-05 Update try to connect to a servers without the May update or vice versa a client without the update try to connect to a server with the May update installed.

In both situation the same error pop up:

An authentication error has occurred. The function requested is not supported. Remote computer: <computer name or IP>. This could be due to CredSSP encryption oracle remediation. For more information, see https://go.microsoft.com/fwlink/?linkid=866660.

In this case we have two options:

  1. Update the server and client to the latest released Update (suggested)
  2. Disable the Oracle CredSSP remediation (less secure RDP connection)

As I can understand that the option 1. is not the fastest one, here we have a workaround to disable this security feature (on the updated system):

  • Open a Command Prompt window as Administrator and add a registry value:
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
  • Open an elevated Powershell session and add a registry key:
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord

Conclusion

This should be a temporary workaround and the best way is to keep al the systems up to date. There is also the possibility to create a GPO to deploy this workaround until all the systems are not updated. This could be an easy way to revert the RDP configuration to a better and most secure standard.

Here the GPO details:

  1. GPO path: Computer Configuration > Administrative Templates > System > Credentials Delegation
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

Certification Authority Enhanced RPC security

Certification Authority 2012/2012R2 and XP clients

Some Customers still have Windows XP though it is in End of Support since 8 April 2014. I found one of this *#$%§ clients where I have an 802.1x implementation with an Enterprise Certification Authority with Windows Server 2012 R2.

Why I detailed my configuration? Because Windows 2012 and newer raised RPC security settings even on PKI CA and this cause failing certificate requests on Windows XP/Windows Server 2003.
When trying to issue certificate on Windows XP I got the error “The certificate request failed. The permissions on this certification authority do not allow the current user to enroll for certificates. ”

At first glance it has to be Permissions issue but when I verify them on CA and on the template level they are ok. If we go to the “Failed Request” container on CA we cannot see any request which has been denied by the CA. This is because the request is never delivered to the server.

So how to let Windows XP enroll certificates from Windows 2012/2012R2 Certification Authority?

  1. Upgrade Windows clients to higher OS as XP is not supported anymore
  2. Disable Enhanced RPC security for certificate requests

In my case, the first option wasn’t viable.

Read More