10 May 2018

Users who have recently installed the security updates on Windows 10 workstations are finding that they receive an error when trying to establish a remote desktop connection to a server that worked properly before the updates were installed. The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms. Mitigation for CVE-2018-0886 consists of installing the update on all eligible client and server operating systems and then using Group Policy or registry settings to configure the options on both clients and servers.

Windows 10 RDP CredSSP Encryption Oracle Remediation Error Fix

A few days ago, the cumulative updates listed below were released for Windows 10, Server 2016, etc. These updates include the fix for the CredSSP encryption vulnerability.

May 8, 2018 – KB4103721 (OS Build 1803)

May 8, 2018 – KB4103727 (OS Build 1709)

May 8, 2018 – KB4103731 (OS Build 1703)

May 8, 2018 – KB4103723 (OS Build 1609 & Server 2016)

After installing the patch on a vulnerable workstation, when you try to connect to an unpatched server you get the following error message after you provide your password to authenticate to the RDP session.

The installed security updates come with a local policy setting. Check it at Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> Encryption Oracle Remediation. By default this is set to Not configured.

In order to fix the issue, change the policy to Enabled and set the Protection Level to Vulnerable. (This is not recommended by Microsoft; the best practice is to make sure both the client and the server are patched.) With the policy set to Vulnerable, your workstation can connect to the remote desktop session that was previously blocked by the mitigation.

CredSSP Encryption Oracle Remediation Policy Settings

The policy setting offers three options that can be enabled:

Force Updated Clients: Client applications using CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Do not deploy this setting until all remote hosts use the latest version.

Mitigated: Client applications using CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients.

Vulnerable: Client applications using CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.

CredSSP Encryption Oracle Remediation Registry Setting

An alternative way is to set this policy setting via the registry and a reboot.

Once the given registry key is created, you must restart your workstation / client / computer without fail. Now you will be able to successfully connect to the remote device again.
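A read-only check of the setting described above, as an added example that is not part of the original post. It assumes the registry location Microsoft documents for this policy (the CredSSP\Parameters key with the DWORD AllowEncryptionOracle, where 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable); the function name is hypothetical.

```powershell
# Added example: read-only audit of the CredSSP Encryption Oracle Remediation setting.
# Assumption: the registry path, value name and level numbers below are the ones
# Microsoft documents for CVE-2018-0886; they do not appear in the original post.
$path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$name   = 'AllowEncryptionOracle'
$levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

# KB numbers listed in the post (May 8, 2018 cumulative updates).
$kbs = 'KB4103721', 'KB4103727', 'KB4103731', 'KB4103723'

function Get-CredSspProtectionLevel {
    # Returns the configured protection level as text; makes no changes.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (OS default applies)' }
    $value = [int]$item.$name
    if ($levels.ContainsKey($value)) { return $levels[$value] }
    return "Unknown value $value"
}

$level     = Get-CredSspProtectionLevel
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $kbs -contains $_.HotFixID })

# One summary object per host, suitable for Export-Csv when run across a fleet.
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    ProtectionLevel = $level
    ListedKbFound   = ($installed.HotFixID -join ', ')
}

if ($level -eq 'Vulnerable') {
    # The workaround from the post is still active on this host.
    Write-Warning ('Protection Level is Vulnerable: this host falls back to the insecure ' +
                   'CredSSP version. Patch the remote servers, then set the policy to Mitigated.')
}
if ($installed.Count -eq 0) {
    # Later cumulative updates supersede these KBs, so absence is not proof of an unpatched host.
    Write-Warning 'None of the listed KBs found; verify that a later cumulative update is installed.'
}
```

Run it on both the workstation and the server: a host left at Vulnerable after the server has been patched is the case to clean up.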

Patching is becoming more important given the present security vulnerabilities. Compromised systems can lead to risk, data loss and data leaks, so security must be given the highest priority. It is always recommended to keep up with Microsoft patches and to have a routine patching schedule for organizations running Microsoft server operating systems.
