Solve RDP Error 'CredSSP Encryption Oracle Remediation'

In this Ask the Admin, I’ll explain how to resolve an RDP error that might appear after the May 2018 cumulative updates.

If you’ve had trouble logging in to remote Windows servers using Remote Desktop Protocol (RDP) recently, you are not alone. I started noticing an error last month when logging into Azure VMs running Windows Server. Because I use Windows Server VMs for testing, they aren’t updated with the latest Windows patches on a regular basis. The Windows PC from which I connect, on the other hand, is patched as soon as updates are available on Windows Update. This disparity in patch level between client and server doesn’t usually cause a problem but can sometimes lead to issues.

Remote Desktop Connection 'CredSSP Encryption Oracle Remediation' error (Image Credit: Russell Smith)

Microsoft fixed a remote code execution vulnerability in CredSSP in the March updates for Windows. The Credential Security Support Provider protocol (CredSSP) is a Security Support Provider that lets applications delegate a user’s NTLM or Kerberos credentials from clients to servers for remote authentication over an encrypted Transport Layer Security (TLS) channel.

The vulnerability could allow a man-in-the-middle attack where user credentials are relayed and used to run code on the remote system. Microsoft outlined an example where an attacker could perform a man-in-the-middle attack against an RDP session, enabling them to install programs, view, change, or delete data, and create new user accounts.

Patch One, Two, Three

The first patch that Microsoft released in March updated CredSSP authentication and RDP clients for all supported platforms. To receive full protection against the vulnerability, IT also needed to set the Encryption Oracle Remediation Group Policy setting to ‘Force updated clients’ or ‘Mitigated’ on both client and server computers. You can find the Encryption Oracle Remediation setting in Group Policy under Computer Configuration > Administrative Templates > System > Credentials Delegation.

In April, another patch was released to improve the error message that users see when RDP clients can’t connect to a server. Then in May, in another update, Microsoft changed the default Encryption Oracle Remediation Group Policy setting from ‘Vulnerable’ to ‘Mitigated’, meaning that patched clients could no longer connect to unpatched servers.
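Before changing anything, it helps to know which Encryption Oracle Remediation setting a machine is actually running. The following PowerShell function is an added example, not part of the original article: it reads the registry value that the Group Policy setting writes (the AllowEncryptionOracle DWORD Microsoft documented with the March 2018 fix, 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable) and reports what the setting means for the machine as an RDP client and as an RDP server.

```powershell
# Added example (not from the article): audit the local CredSSP
# "Encryption Oracle Remediation" policy and explain its effect.
# Assumes the registry location Microsoft documented for the setting.
function Get-CredSspOracleState {
    [CmdletBinding()]
    param()

    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $name = 'AllowEncryptionOracle'

    # DWORD value -> name shown in the Group Policy drop-down.
    $names = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value: the policy is "Not configured", so the OS default applies
        # (Vulnerable before the May 2018 update, Mitigated afterwards).
        return [pscustomobject]@{
            ComputerName           = $env:COMPUTERNAME
            RegistryValue          = $null
            Setting                = 'Not configured (OS default applies)'
            BlocksUnpatchedServers = 'Depends on patch level'
            AllowsUnpatchedClients = 'Depends on patch level'
        }
    }

    $value = [int]$item.$name
    $setting = if ($names.ContainsKey($value)) { $names[$value] } else { "Unknown ($value)" }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        RegistryValue          = $value
        Setting                = $setting
        # As a client: Mitigated and Force updated clients refuse unpatched servers.
        BlocksUnpatchedServers = ($value -eq 0 -or $value -eq 1)
        # As a server: only Force updated clients rejects unpatched clients.
        AllowsUnpatchedClients = ($value -ne 0)
    }
}

Get-CredSspOracleState | Format-List
```

Run it on both ends of a failing RDP connection (for example through Invoke-Command against the server) to see which side is enforcing the block.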

Getting a Connection

The simplest way to remediate this issue is to make sure that both clients and servers have the latest patches from Microsoft. If there’s a mismatch, you’ll likely see the error in the screenshot above when trying to establish an RDP session.

If for whatever reason you are not able to patch your servers, or, conversely, cannot patch your clients, Microsoft has published two workarounds to address both scenarios here.

In this Ask the Admin, I explained why Microsoft has patched CredSSP in Windows and where to find information about establishing RDP connections to unpatched servers or from unpatched clients.

Follow Russell on Twitter @smithrussell.
