The issue
In March, Microsoft released a security update to address vulnerabilities for the Credential Security Support Provider protocol (CredSSP) used by Remote Desktop Protocol (RDP) connections for Windows clients and Windows Server.
Previously, you were able to connect remotely from the updated machine to machines without the update. However, with the latest update released this May, Microsoft hardened security, and you can no longer connect to machines without the update.
You will run into the CredSSP encryption oracle remediation error when an application or service on an updated machine, such as Remote Desktop Connection, uses CredSSP to connect to a machine that does not have the update. Authentication fails with this error message:
An authentication error has occurred. The function requested is not supported. Remote computer: This could be due to CredSSP encryption oracle remediation.
The solution
To solve this issue, you have to install the update on the servers. However, if you need to connect to a computer that hasn't received the update, you can downgrade the protection level to Vulnerable. You can do this either via Group Policy or by changing the registry.
The Group Policy setting you need is Encryption Oracle Remediation. It provides three protection levels:
- Force Updated Clients: This is the highest level of protection because it requires applying the update to all clients you are going to communicate with using CredSSP. Thus, do not choose this option before applying the update to all of your clients and servers.
- Mitigated: This level blocks applications such as Remote Desktop Connection from connecting to servers that do not have the update. However, services that use CredSSP will still work.
- Vulnerable: This is the lowest level of protection. It will allow you to connect to servers remotely using RDP. However, it will expose the servers to attacks.
To set the protection level to Vulnerable via Group Policy, follow these steps:
- Execute gpedit.msc.
- Navigate to the following path: Computer Configuration > Administrative Templates > System > Credentials Delegation.
- Edit the following setting: Encryption Oracle Remediation.
- Set it to Enabled, and set the protection level to Vulnerable.
Also, you can do it via the registry. There, the protection levels are represented by numeric values:
- Force Updated Clients: 0
- Mitigated: 1
- Vulnerable: 2
To change the registry key to Vulnerable, you can run the following commands:
$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\"
# The CredSSP\Parameters key usually does not exist until a policy is set; New-ItemProperty fails on a missing key, so create it first.
New-Item -Path $RegPath -Force | Out-Null
New-ItemProperty -Path $RegPath -Name AllowEncryptionOracle -Value 2 -PropertyType DWORD -Force
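The following script is an added example and not code from the original post. It wraps the registry change above in functions that read the current protection level back, set a named level (creating the key when it is missing), warn when a host has been left at Vulnerable, and restore the previous state once the connection to the unpatched peer is done. The function names are my own; it assumes PowerShell 5.1 or later running elevated on the Windows host being changed.

```powershell
# Added example (not from the original post): audit, set and restore the
# Encryption Oracle Remediation level via the registry value the post describes.
# Assumes an elevated PowerShell 5.1+ session on the local Windows host.

$RegPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Numeric values from the post, keyed to the Group Policy labels.
$LevelNames = @{
    0 = 'Force Updated Clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspOracleLevel {
    # Returns the current setting. A missing key or value means no explicit
    # policy has been configured on this host.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null; Level = 'Not configured' }
    }
    $value = [int]$item.$ValueName
    $name  = if ($LevelNames.ContainsKey($value)) { $LevelNames[$value] } else { "Unknown ($value)" }
    return [pscustomobject]@{ Configured = $true; Value = $value; Level = $name }
}

function Set-CredSspOracleLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Force Updated Clients', 'Mitigated', 'Vulnerable')]
        [string]$Level
    )
    # Map the label back to its numeric value.
    $value = ($LevelNames.GetEnumerator() | Where-Object { $_.Value -eq $Level }).Key

    # New-ItemProperty fails when the CredSSP\Parameters key does not exist yet,
    # so create the path first.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $value -PropertyType DWORD -Force | Out-Null

    # Read the value back so the caller sees what actually took effect.
    return Get-CredSspOracleLevel
}

function Test-CredSspOracleLevel {
    # Audit helper: warns when the host sits at Vulnerable, the level the post
    # reserves for reaching peers that have not received the update yet.
    $current = Get-CredSspOracleLevel
    if ($current.Value -eq 2) {
        Write-Warning "$($env:COMPUTERNAME): $ValueName is 2 (Vulnerable); revert once the peers are patched."
    } else {
        Write-Host "$($env:COMPUTERNAME): $($current.Level)"
    }
    return $current
}

# Example flow: record the current level, downgrade for the unpatched peer,
# then put the previous state back afterwards.
$before = Get-CredSspOracleLevel
Write-Host "Before: $($before.Level)"

Set-CredSspOracleLevel -Level 'Vulnerable' | Out-Null
Test-CredSspOracleLevel | Out-Null

# ... connect to the unpatched host here, then revert ...
if ($before.Configured -and $LevelNames.ContainsKey($before.Value)) {
    Set-CredSspOracleLevel -Level $LevelNames[$before.Value] | Out-Null
} else {
    # No explicit policy existed before: remove the value again rather than
    # writing a level that was never configured.
    Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
}
Write-Host "After: $((Get-CredSspOracleLevel).Level)"
```

Run `Test-CredSspOracleLevel` on its own to audit a single host; wrapping it in `Invoke-Command -ComputerName` lets you sweep a list of servers for hosts that were downgraded to Vulnerable and never reverted. Keeping the previous state in `$before` and restoring it is the part most ad-hoc fixes skip, and it is what keeps the downgrade temporary.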