This could be due to CredSSP encryption oracle remediation - RDP to Windows 10 pro host

Based entirely on Graham Cuthbert's reply I created a text file in Notepad with the following lines, and just double clicked it afterwards (which should add to Windows Registry whatever parameters are in the file).

Just note that the first line varies depending on which Windows version you are using, so it might be a good idea to open regedit and export any rule just to see what's in the first line and use the same version in your file.

Also, I am not concerned about degrading security in this particular situation because I am connecting to an encrypted VPN and the host Windows does not have access to the internet and thus doesn't have the latest update.

File rd_patch.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

For those who would like something easy to copy / paste into an elevated command prompt:

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2 /f

Credential Security Support Provider protocol (CredSSP) is an authentication provider that processes authentication requests for other applications.

A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack.

[...]

March 13, 2018

The initial March 13, 2018, release updates the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems.

Pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article.

April 17, 2018

The Remote Desktop Client (RDP) update in KB 4093120 will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.

May 8, 2018

An update to change the default setting from Vulnerable to Mitigated.

Source: https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018 [1]

See also this reddit thread: https://www.reddit.com/r/sysadmin/comments/8i4coq/kb4103727_breaks_remote_desktop_connections_over/ [2]

Microsoft's workaround:

  • Update server and client. (requires restart, recommended)

These workarounds are not recommended if your server is publicly available or if you do NOT have strict traffic control in your internal network, but sometimes restarting the RDP server during work hours is a no-go.

  • Set CredSSP patching policy via GPO or the Registry. (requires restart or gpupdate /force)
  • Uninstall KB4103727 (no restart required)
  • I think that disabling NLA (Network Layer Authentication) may work too. (no restart required)

Be sure to understand the risks when using those and patch your systems ASAP.

[1] All GPO CredSSP description and registry modifications are described here.

[2] Examples of GPO and registry settings in case Microsoft's site goes down.


  1. Go to "Local Group Policy Editor > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation", edit and enable it, then set "Protection Level" to "Mitigated".
  2. Set the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] "AllowEncryptionOracle"=dword: from 00000001 to 00000002.
  3. Restart your system if needed.
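The .reg file and the GPO/registry steps above both boil down to one DWORD under the CredSSP Parameters key. The following PowerShell is an added example, not code from this thread or from Microsoft: it reads that value (handling the case where it is absent, as reported for a fresh Windows 10 client), maps it to the three GPO protection levels (0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable, as in KB4093492), sets it when asked, and predicts whether a given client/server pairing is allowed or blocked according to the KB's compatibility table. The function and parameter names are this example's own.

```powershell
# Added example: audit/set the CredSSP "Encryption Oracle Remediation" policy
# and predict client/server compatibility. Function names are hypothetical.
# Assumed mapping (KB4093492): 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable.

$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Levels = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns the configured level, or notes that the value is absent. When absent the
    # OS default applies: Vulnerable before the May 8, 2018 update, Mitigated after it.
    $prop = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Value = $null; Level = 'Not configured (OS default applies)' }
    }
    $v = [int]$prop.AllowEncryptionOracle
    $name = if ($Levels.ContainsKey($v)) { $Levels[$v] } else { "Unknown ($v)" }
    [pscustomobject]@{ Value = $v; Level = $name }
}

function Set-CredSspOracleLevel {
    # Writes the DWORD; run from an elevated session. Like the GPO, it takes effect
    # after a reboot or gpupdate /force.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Force updated clients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    $value = ($Levels.GetEnumerator() | Where-Object Value -eq $Level).Key
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -PropertyType DWord `
        -Value $value -Force | Out-Null
}

function Test-CredSspPairing {
    # Predicts 'Allowed' or 'Blocked' for a client/server pair. Each side is either
    # 'Unpatched' (no March 2018 CredSSP update) or one of the three levels.
    # Rules from the KB compatibility table: a server on "Force updated clients" rejects
    # unpatched clients; a client on "Force updated clients" or "Mitigated" refuses to
    # fall back to the insecure protocol an unpatched server offers.
    param([string]$Client, [string]$Server)
    if ($Client -eq 'Unpatched' -and $Server -eq 'Force updated clients') { return 'Blocked' }
    if ($Server -eq 'Unpatched' -and $Client -in 'Force updated clients', 'Mitigated') { return 'Blocked' }
    'Allowed'
}

# Usage: audit this machine, then check the pairing the thread is about
# (a patched client, now defaulting to Mitigated, against an unpatched RDP server).
Get-CredSspOracleLevel
Test-CredSspPairing -Client 'Mitigated' -Server 'Unpatched'   # Blocked
Test-CredSspPairing -Client 'Vulnerable' -Server 'Unpatched'  # Allowed
```

Run the audit on both ends of a failing RDP session before changing anything: the pairing test makes it clear that patching the server fixes the block without weakening the client, whereas dropping the client to Vulnerable (value 2) only hides it.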

Research

Referring to this article:

https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/

A May 2018 tentative update could impact the ability to establish remote host RDP session connections within an organization. This issue can occur if the local client and the remote host have differing “Encryption Oracle Remediation” settings within the registry that define how to build an RDP session with CredSSP. The “Encryption Oracle Remediation” setting options are defined below, and if the server or client have different expectations on the establishment of a secure RDP session, the connection could be blocked.

A second update, tentatively scheduled to be released on May 8, 2018, will change the default behavior from “Vulnerable” to “Mitigated”.

Note that if both the client and server are patched but the default policy setting is left at “Vulnerable”, the RDP connection is “Vulnerable” to attack. Once the default setting is modified to “Mitigated”, the connection becomes “Secure” by default.

Resolution

Based on this information I am proceeding to ensure all clients are fully patched; I would then expect the issue to be mitigated.


The registry value was not there on my Windows 10 machine. I had to go to the following local group policy and apply the change on my client:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation

Enable it and set the value to Vulnerable.