I just hardened a Windows 10 machine (the TLS ciphers, using IIS Crypto by Nartac) to handle an issue from a vulnerability scan (this machine has RDP enabled). The issue went away, but RDP from this computer now fails to most computers (some still work, including to some 2008 R2 and 2012 R2 servers).
On the client, RDP just says, "An internal error has occurred" and in the event logs:
A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
I checked the server event log of one of the servers and see these two messages:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
The following fatal alert was generated: 40. The internal error state is 1205.
However, the enabled protocols & cipher suites on both computers are identical:
Client (Windows 10)
Here is my question: What cipher needs to be enabled on the Windows 10 machine for RDP to work from it again (to RDP hosts running Windows 7 and above), without adding back a TLS vulnerability, such as Sweet32?
This is probably better suited for SuperUser.com - Not really a security related issue at this point. – HashHazard – 2016-11-04T17:23:26.293
@Hollowproc I can post there as well, but fail to see how this is not security related. – None – 2016-11-04T17:26:59.193
Your question is more closely related to the configuration of the systems than the security. If you had a question about the results of the vuln scan finding, that would be more appropriate here. This question is really about troubleshooting broken RDP connections. Make sense? – HashHazard – 2016-11-04T17:30:37.860
@Hollowproc I am trying to handle a failed vulnerability scan (TLS issue, Sweet32) for an RDP host. In applying the "Best practices" cipher suites, RDP stops working. I am not familiar with the cipher needs of RDP. The issue bridges security and server configuration, but it is certainly security related. BTW, I posted this question on ServerFault yesterday and received zero useful responses, which is why I turned to this site (hoping that someone here has the knowledge to provide some help or pointers). – None – 2016-11-04T17:43:24.077
@Hollowproc: FYI, I have some new information and have created a new post on Serverfault (and deleted the original one): http://serverfault.com/questions/813271/removing-vulnerable-cipher-on-windows-10-breaks-outgoing-rdp – None – 2016-11-04T18:22:30.967
Yeah, I thought you'd have better luck with either site (SU or SF). Their communities are prob where you'll find your answer. Good Luck. – HashHazard – 2016-11-04T18:26:25.307