How to disable TLS 1.0 in Windows 2012 RDP

Background: The only thing I can find on how to do this relates to RDP on Windows 2008, which seems to have something called "Remote Desktop Session Host Configuration" in Administrative Tools. This does NOT exist in Windows 2012 and there appears to be no way to add it via an MMC either. I read here that for 2008, using RDS Host Config, you can just turn it off.

Question: So, in windows 2012, how can you turn off TLS 1.0, but still be able to RDP into a Windows 2012 server?

Originally, my understanding was that ONLY TLS 1.0 was supported in Win2012 RDP. However, TLS 1.0 according to PCI is no longer allowed. This was supposedly fixed for Windows Server 2008 R2 according to this article. However, this does not address Server 2012, which doesn't even have an administrative GUI apparatus to make changes to the protocols that RDP will use, that I'm aware of.


Solution 1:

Disabling TLS is a system-wide registry setting:

https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Value: Enabled
Value type: REG_DWORD
Value data: 0

Also, the PCI requirement for disabling early TLS does not go into effect until June 30, 2016.


Internet Explorer is one product I know of that has a separate configuration option for the TLS/SSL encryption settings. There may be others.

I have a Windows 2012 R2 server with TLS 1.0 disabled and I can remote desktop to it.

If you are wondering, below is a screenshot of tsconfig.msc on a Windows 2008 R2 server that has KB3080079 installed. There's nothing to configure because the only thing the update did was add support for the other two TLS encryption levels so that when TLS 1.0 is disabled it continues to work.


Solution 2:

If you disable TLS 1.0 and want RDP to keep working, then using the Local Group Policy Editor you have to select the "Negotiate" Security Layer for RDP in "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security", "Require use of specific security layer for remote (RDP) connections", and also select "Enabled". This also works in 2012 R2.
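The two settings from Solutions 1 and 2 can be audited and applied together from PowerShell. This is an added example, not code from either answer; it assumes an elevated session on the server itself, that the listener is the default `RDP-Tcp`, and uses the `SecurityLayer` policy value and the `Win32_TSGeneralSetting` WMI class (both standard, but not mentioned above) to check the RDP security layer before touching Schannel.

```powershell
# Added example: audit the RDP security layer (Solution 2) and only then
# disable TLS 1.0 for the Schannel server side (Solution 1).
# Run as Administrator on the 2012 / 2012 R2 server; reboot afterwards.

$Tls10ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
$RdpPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpSecurityLayer {
    # 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS) only.
    # A Group Policy value overrides the local listener setting, so check it first.
    $pol = Get-ItemProperty -Path $RdpPolicyKey -Name SecurityLayer -ErrorAction SilentlyContinue
    if ($pol) { return [int]$pol.SecurityLayer }
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    return [int]$ts.SecurityLayer
}

function Test-Tls10ServerDisabled {
    # True when the key from Solution 1 exists with Enabled = 0.
    $p = Get-ItemProperty -Path $Tls10ServerKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.Enabled -eq 0)
}

function Disable-Tls10Server {
    param([switch]$Force)
    # Guard from Solution 2: with the layer pinned to SSL (2) and no newer TLS
    # available to RDP, disabling TLS 1.0 locks you out. Negotiate (1) is safe.
    $layer = Get-RdpSecurityLayer
    if ($layer -ne 1 -and -not $Force) {
        throw "RDP security layer is $layer, not Negotiate (1). Fix the GPO first or use -Force."
    }
    if (-not (Test-Path $Tls10ServerKey)) { New-Item -Path $Tls10ServerKey -Force | Out-Null }
    New-ItemProperty -Path $Tls10ServerKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    # DisabledByDefault is the companion Schannel value; not in the answers above.
    New-ItemProperty -Path $Tls10ServerKey -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
    return (Test-Tls10ServerDisabled)
}

"RDP security layer : $(Get-RdpSecurityLayer)"
"TLS 1.0 server off : $(Test-Tls10ServerDisabled)"
# Disable-Tls10Server   # uncomment once the layer reads 1, then reboot
```

Keep a second session (console or iLO/KVM) open while testing so a failed RDP connection after the reboot can be undone by deleting the `Enabled` value.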

Solution 3:

After almost a year, I finally figured out a working solution for disabling TLS 1.0/1.1 without breaking RDP and Remote Desktop Services connectivity.

Run IIS Crypto and disable TLS 1.0, TLS 1.1 and all bad ciphers.

On the Remote Desktop Services server running the gateway role, open the Local Security Policy and navigate to Security Options - "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing". Change the security setting to Enabled. Reboot for the changes to take effect.

Note that in some cases (especially if using self-signed certificates on Server 2012 R2), the Security Policy option "Network security: LAN Manager authentication level" may need to be set to "Send NTLMv2 responses only".

Let me know if this works for you as well.