How do I change encryption from RC4 to AES in order to allow RDP to my remote servers?

I have multiple physical and virtual servers on a company domain. The physical and virtual servers are all still Windows 2008 R2. The clients have all been updated to Windows 10 from Windows 7 in the past couple of weeks.

In order to satisfy STIG requirements, the Active Directory owners pushed a GPO to all of the Windows 10 boxes which disabled RC4 encryption and are now only allowing AES 128/256. They did not push similar GPOs to my Server 2008 R2 machines.

Now our employees cannot RDP into the server to perform routine tasks.

When I asked our IT department how to resolve this, they said that I need to disable RC4 and enable AES 128/256 or any "Future Encryption Types". However, this is not something I've ever handled before. Where and how do I disable RC4 and enable AES in order to restore RDP functionality?


Solution 1:

There is a patch for it from Microsoft: https://support.microsoft.com/en-us/kb/3080079

Solution 2:

Try setting in the Active Directory object of every user/computer involved the LDAP attribute msDS-SupportedEncryptionType to 8 (= 128-bit AES only) or 24 (= 8+16 = 128 and 256-bit AES). In the Active Directory Users and Computers GUI, this corresponds to ticking in the Account tab the boxes “This Account supports Kerberos 128/256 encryption.”, although you can't easily disable RC4 there as well.

Two notes on choice of encryption types:

  • Nobody actually needs 256-bit AES encryption (16) until quantum computers become available, so in the interest of performance, best enable only 128-bit AES and not 256-bit AES.
  • Disabling RC4 (4) is desirable, because Microsoft's Kerberos RC4 encryption type uses the same password hashes as NTLMv2, so if you had a pass-the-hash/mimikatz attack stealing one of these, Kerberos with RC4 enabled is also vulnerable. The Windows 2000 developers designed the Kerberos RC4 encryption type specifically to be compatible with NTLMv2 hashes, therefore I sleep much better with RC4 switched off everywhere.

See also: https://blogs.msdn.microsoft.com/openspecification/2011/05/30/windows-configurations-for-kerberos-supported-encryption-type/
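As an added example (not part of either answer above), the following PowerShell decodes the bitmask Solution 2 describes, lists computer accounts that still permit RC4, and sets an account to AES only. It assumes the RSAT ActiveDirectory module and rights to modify the objects, uses the attribute's full LDAP name msDS-SupportedEncryptionTypes, and the OU and host names are hypothetical.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory
# module (RSAT) is installed and the caller can modify the computer objects.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (and of the matching
# SupportedEncryptionTypes registry value set by the Kerberos GPO).
$EncType = @{
    'DES-CBC-CRC'             = 0x1
    'DES-CBC-MD5'             = 0x2
    'RC4-HMAC'                = 0x4
    'AES128-CTS-HMAC-SHA1-96' = 0x8
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

function ConvertTo-EncTypeNames {
    # Decode a bitmask into the encryption type names it enables (24 -> AES128 + AES256).
    param([int]$Mask)
    if ($Mask -eq 0) { return @('<unset: DC default applies, RC4 still allowed>') }
    $EncType.GetEnumerator() | Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key } | Sort-Object
}

function Get-Rc4Computers {
    # Report computer accounts in an OU that still permit RC4 (bit 4 set, or attribute unset).
    param([string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties 'msDS-SupportedEncryptionTypes' |
        ForEach-Object {
            $mask = [int]($_.'msDS-SupportedEncryptionTypes')   # $null becomes 0
            if ($mask -eq 0 -or ($mask -band $EncType['RC4-HMAC'])) {
                [pscustomobject]@{
                    Name  = $_.Name
                    Mask  = $mask
                    Types = (ConvertTo-EncTypeNames $mask) -join ', '
                }
            }
        }
}

function Set-AesOnly {
    # Restrict an account to AES: 8 = AES128 only, 24 = AES128 + AES256. RC4 and DES bits are cleared.
    param([string]$ComputerName, [switch]$Aes256)
    $mask = $EncType['AES128-CTS-HMAC-SHA1-96']
    if ($Aes256) { $mask = $mask -bor $EncType['AES256-CTS-HMAC-SHA1-96'] }
    Set-ADComputer -Identity $ComputerName -Replace @{ 'msDS-SupportedEncryptionTypes' = $mask }
}

# Hypothetical OU and host name; review the report before changing anything.
Get-Rc4Computers -SearchBase 'OU=Servers,DC=example,DC=com' | Format-Table -AutoSize
Set-AesOnly -ComputerName 'SRV2008R2-01' -Aes256
```

An account only has AES keys if its password was set while the domain's DCs already supported AES, so for old accounts reset the password (or let the computer account rotate it) after changing the attribute. Check the result with `klist` on a client: the ticket's KerbTicket Encryption Type should show AES rather than RC4.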