5

When viewing the events in Server Manager under Windows Server 2012 R2, I have many schannel error messages that say "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 10. The Windows SChannel error state is 1203." Several sites suggest "allow local activation security check exemptions" as a solution. While this might decrease the number of error messages in the event list, I'm interested in the practical security risks introduced as a result of allowing these exemptions.

enharmonic
  • 166
  • 1
  • 9

1 Answers1

5

My advice is to not alter the security policy in your link. For reference, here is the policy and its description:

local security policy

It's possible, but unlikely that the security setting will fix the issue. It's possibly not even related at all. And it's generally ill-advised to change system-wide security policy without knowing whether it will even solve the problem you're having.

The error you're seeing is from Schannel. Schannel handles SSL and TLS connections over a network. That's usually web sites on the internet over HTTPS, but many different kinds of services leverage TLS.

The TLS protocol defined fatal error code is 10.

That error code is defined by RFC as "unexpected message" :

tls alert

The rest of the TLS alert codes can be found here.

The Windows SChannel error state is 1203.

These error state codes are internal and not publicly documented, but I can tell you that 1203 means there was an error parsing a Client Hello. It means that someone sent you a Client Hello and you couldn't parse it. The data was malformed in some way.

If nothing's broken, consider just disabling the Schannel error logging:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v "EventLogging" /t REG_DWORD /d 0 /f

Schannel logging can be noisy, and you can spend the rest of your life trying to track down every node on the network coming at you with incompatible cipher suites or invalid SSL certificates or disabled protocol versions or broken SSL implementations, etc.

Now, back to your original question. I'm not saying it's impossible, but I'm having a hard time seeing what that policy has to do with the Schannel errors. It seems irrelevant to me at this time.

The security implications of modifying that particular security policy are relatively small. It gives local administrators the ability to augment the list of who is allowed to activate DCOM applications. Since we're talking about an ACL that only administrators are allowed to manipulate anyway, I don't see much potential for privilege escalation. Maybe some potential for post-exploit persistence.

(In my opinion, DCOM is possibly the worst idea ever conceived but that's a topic for another day.)

DCOM applications, especially misconfigured security permissions on DCOM severs, are the source of a great many cryptic event log messages. But I don't see them as a common vector for malware or security exploits.

So in summary, I don't think it's a big deal if you enable that policy, but I also doubt it will make the Schannel errors go away.

Ryan Ries
  • 55,011
  • 9
  • 138
  • 197