The issue
In March, Microsoft released a security update to address vulnerabilities for the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) connections for Windows clients and Windows Server.
Previously, you were able to connect remotely from the updated machine to machines without the update. However, with the latest update released this May, Microsoft hardened security, and you can no longer connect to machines without the update.
You will run into the CredSSP encryption oracle remediation error when an application or service that uses CredSSP, such as the Remote Desktop Connection, runs on an updated machine. Authentication fails and you get this error message:
An authentication error has occurred. The function requested is not supported. Remote computer: This could be due to CredSSP encryption oracle remediation.
The solution
To solve this issue, you have to install the update on the servers. However, if you need to connect to a computer that hasn't received the update, you can downgrade the protection level to Vulnerable. You can do this either via Group Policy or by changing the registry.
The Group Policy setting you need is Encryption Oracle Remediation. It provides three protection levels:
- Force Updated Clients: This is the highest level of protection because it requires applying the update to all clients you are going to communicate with using CredSSP. Thus, do not choose this option before applying the update to all of your clients and servers.
- Mitigated: This level blocks applications such as the Remote Desktop Connection from connecting to servers that do not have the update. However, services that use CredSSP will still work.
- Vulnerable: This is the lowest level of protection. It will allow you to connect to servers remotely using RDP. However, it will expose the servers to attacks.
To set the protection level to Vulnerable via Group Policy, follow these steps:
- Execute gpedit.msc.
- Navigate to the following path: Computer Configuration > Administrative Templates > System > Credentials Delegation.
- Edit the following setting: Encryption Oracle Remediation.
- Set it to Enabled, and set the protection level to Vulnerable.
You can also do it via the registry. The registry value encodes the same protection levels as numbers:
- Force Updated Clients: 0
- Mitigated: 1
- Vulnerable: 2
To change the registry key to Vulnerable, you can run the following commands:
```powershell
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\"
# The CredSSP\Parameters key does not exist by default, and New-ItemProperty -Force
# only overwrites an existing value; it does not create the parent key.
New-Item -Path $RegPath -Force | Out-Null
# 2 = Vulnerable (0 = Force Updated Clients, 1 = Mitigated)
New-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
```
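Setting the level to Vulnerable is a temporary workaround, so it pays to be able to audit which level a machine is actually running and to put it back once the remote hosts are patched. The following script is an added example and not code from the original post; the function names, the hash table of level names and the warning text are my own choices, while the registry path, value name and the numeric levels come from the post itself.

```powershell
# Added example (not from the original post): audit the CredSSP
# AllowEncryptionOracle value and revert it once all hosts are patched.
# Function names and $LevelNames are assumptions made for this example.

$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Numeric values from the post mapped to their Group Policy names.
$LevelNames = @{
    0 = 'Force Updated Clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspProtectionLevel {
    # Returns the configured level name, or 'Not configured' when no override exists.
    $prop = Get-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Not configured' }
    $value = [int]$prop.AllowEncryptionOracle
    if ($LevelNames.ContainsKey($value)) { return $LevelNames[$value] }
    return "Unknown ($value)"
}

function Set-CredSspProtectionLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Force Updated Clients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    # Look up the numeric value for the requested level name.
    $value = ($LevelNames.GetEnumerator() | Where-Object { $_.Value -eq $Level }).Key
    # Create the key if it is missing; New-ItemProperty does not create parent keys.
    New-Item -Path $RegPath -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -Value $value -PropertyType DWORD -Force | Out-Null
}

function Remove-CredSspOverride {
    # Deletes the override so the behaviour shipped with the update applies again.
    Remove-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
}

# Usage: report the current state and flag a lingering Vulnerable setting.
$current = Get-CredSspProtectionLevel
Write-Output "CredSSP protection level on ${env:COMPUTERNAME}: $current"
if ($current -eq 'Vulnerable') {
    Write-Warning 'AllowEncryptionOracle is set to Vulnerable; revert it once the remote hosts are patched.'
}
```

Run the script on each machine where the workaround was applied (or wrap the functions in Invoke-Command to query several hosts at once). After the servers have received the update, either call Set-CredSspProtectionLevel -Level 'Force Updated Clients' or call Remove-CredSspOverride so the registry no longer carries the Vulnerable override.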