MinEncryptionLevel = 4 and problems with Windows 8 RDP client (mstsc)

-

here problem , solution.  may bug in windows 8 rdp client.

target server:
server 2008-r2 datacenter sp1
minencryptionlevel = 4

client one:
server 2008-r2 enterprise sp1
minencryptionlevel = 3
connection attempts work normally.

client two:
windows 8 enterprise
minencryptionlevel = tried possible values, including 3 , 4.
connection attempts fail.

solution:
changing minencryptionlevel 3 on target server allows connections windows 8 (client two).  not required allow connections 2008-r2 client (client one) using rdp 7.1 client.  changing securitylayer , userauthentication values on client 2 made no difference until after minencryptionlevel value on target server reduced 3. 

question:
bug in windows 8?  need enabled fips-compatible crypto on windows 8 enterprise?

thanks!


hello tp:

first of all, thank replying , testing this, appreciate time spent much.

the problem resolved.  "ssl cipher suite order" on windows 8 client had been modified through group policy deal beast attack against ssl , tls 1.0.  change removed tls 1.0 symmetric ciphers except rc4, rc4 not fips-compliant cipher aes (even though rc4 resists beast attack , aes/3des not).

unfortunately, has revealed different shortcoming in rdp, namely, not support tls 1.1 or 1.2.  microsoft's credit, tls 1.1 , 1.2 supported in ie, not in firefox or chrome, apparently rdp not support tls 1.1/1.2. 

it appears rdp hard coded accept rsa-3des-sha1 too, not aes supported (modern intel cpus have special instruction sets accelerate aes, not 3des, performance). 

hopefully these security shortcomings fixed soon.

again, thank you!




Windows Server  >  Remote Desktop Services (Terminal Services)



Comments

Post a Comment

Popular posts from this blog

Schannel Issue

-
hello there, i have windows 2008 r2 machine. , have hosted sharepoint 2010 on it. i have site have published on internet. i don't know whether it's related , getting error unable resolve or come conclusion. it's pretty frequent. my server patched latest updates. log name:      system source:        schannel date:          8/12/2011 3:49:43 pm event id:      36887 task category: none level:         error keywords:      user:          system computer:      mycomp.domain.com description: following fatal alert received: 42.   the above error doesn't provide info . could please me identify issue , possible solution ? there have been lot of posts one. i believe can safely ignored...
Read more

Indexing Server

-
just quick question - 2008 have indexing server? can't see option - , want setup web based search engine using indexing server catalogs , asp.net....   it availble? does not based on - http://technet2.microsoft.com/windowsserver2008/en/library/82bac070-bee4-452e-a783-3ce31b5e1d0f1033.mspx?mfr=true Windows Server  >  Management
Read more

oclist /xml or /?

-
oclist have qualifiers? can behaviour changed, example output xml?   given previous comments andrew m , comments in forums , blogs think answer no, it’s simple app calling underlying api, thought i'd ask can't seem find anything.   why asking question? i'd @ least 2 things oclist (apart nicer looking output [which i'm not going get], dependances listed [dicussed in forum , ruled out], , refrushing add ad componets , telling use dcpromo [which in banner know]): - whether installing component cuase / require reboot (currently believe qwave , printing services require reboot)   - xml output, can't justify team looking see if can commality with full server   fwiw :j   hi,   oclist not have qualifiers or ways change output. when iis came in late, make oclist output longer, unfortunately late make significant changes.   i'll take feedback , add our list next version.   thanks,   andrew   ...
Read more