Remote desktop connection error after updating Windows 2018/05/08 - CredSSP updates for CVE-2018-0886

90

25

After Windows Update, I get this error when trying to connect to a server using Remote Desktop Connection.

When I read the link provided by the error message, it seems to be because of an update on 2018/05/08:

May 8, 2018

An update to change the default setting from Vulnerable to Mitigated.

Related Microsoft Knowledge Base numbers are listed in CVE-2018-0886.

Is there a solution for this?

Error RDC

Pham X. Bach

Posted 2018-05-09T03:54:35.757

Reputation: 1 193

1(Meta: updates go at the end of posts, to ensure they are still understandable for new readers, and answers go in the answer space, not merged into questions. Thanks). – halfer – 2018-05-10T09:46:24.917

Answers

21

(Posted an answer on behalf of the question author).

As in some answers, the best solution for this error is to update both server and clients to version >= the 2018-05-08 update from Microsoft.

If you cannot update both of them (i.e. you can only update client or server) then you could apply one of the workarounds from the answers below, and change the configuration back ASAP so that you minimise the duration of the vulnerability introduced by the workaround.

halfer

Posted 2018-05-09T03:54:35.757

Reputation: 93

This is one of those rare cases where the accepted answer is also the best answer. Other answers leave you vulnerable to CVE-2018-0886: "A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack." – Braiam – 2018-05-10T11:57:08.023

We found a handy, non-invasive workaround - we were able to RDP using one of our servers as a jump box – OutstandingBill – 2018-05-10T23:31:52.490

Any idea how serious the vulnerability is if both client and server are in the same local network and only exposed to the internet behind a router without any open ports? – Kevkong – 2018-05-16T20:05:24.033

@Kevkong: this is a wiki answer I posted for the question author. You can ping them under the question if you wish. – halfer – 2018-05-17T06:50:16.213

Hi @Peter: thanks for your edits. Mostly agree with them, but the meta-introduction is necessary IMO to stay within attribution license rules. I have several hundred of these on Stack Overflow, and the view from Meta is that not only does this need to remain, but some folks think it is insufficient, and the OP should be named. That latter view did not win much traction, but shows the breadth of opinion on how attribution is best achieved. But, basically, we can't erase authorship. Can this be restored please? – halfer – 2018-05-19T18:11:49.077

@PeterMortensen: the Meta post about maintaining visible authorship information is here. Comments are generally thought of as ephemeral, and so are not to be used for important material that ought to be preserved. – halfer – 2018-05-23T09:54:03.720

92

An alternative to gpedit, using cmd:

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2

ac19501

Posted 2018-05-09T03:54:35.757

Reputation:

4Lifesaver. For those using Windows 10 Home, this should work perfectly. Just remember to run cmd as Administrator. – None – 2018-05-09T15:00:55.197

Could not find this key on Win10 pro. – pghcpa – 2018-05-10T20:43:48.530

1This command is working on Windows 8. Thank you. – Naveen – 2018-05-11T06:40:40.937

What is the REG_DWORD to reset it to the default value (the value after the May 2018 update)? I was in a catch-22 (couldn't access the cloud server because of the updated client). So I used the command and it worked; however, after updating the server it stopped working. No error message, it just stops loading the session past the "configuring connection" stage. (How can we find the meaning of these REG_DWORD values?) – tobiak777 – 2018-05-12T07:42:29.233

1Actually the problem was that updates were still being installed on the server, thus no connection was possible. Just waited and it worked. https://serverfault.com/questions/387593/rdp-fakeout-when-connectiong-does-nothing-no-error – tobiak777 – 2018-05-12T07:57:54.920

1@pghcpa Ignore that, the command creates the missing registry nodes and inserts the parameter for you. This is really life saver if you can't update the server with the security patch that caused this problem. – Gergely Lukacsy – 2018-05-15T08:08:58.047

1I don't know why, but it's working. Thank you. – dian – 2018-05-19T09:53:51.243

It's better to restore default to ensure security by running reg DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP". – Will Huang – 2018-06-09T14:17:08.137

39

I found one solution. As described in the help link, I tried to roll back the 2018/05/08 update by changing the value of this group policy:

  • Run gpedit.msc

  • Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation

Change it to Enabled and, in Protection Level, change it back to Vulnerable.

I am not sure if rolling back brings any risk of an attacker exploiting my connection. I hope Microsoft will fix this soon so I can restore the setting to the recommended setting, Mitigated.


Pham X. Bach

Posted 2018-05-09T03:54:35.757

Reputation: 1 193

My system doesn't have that option for "Encryption Oracle Remediation" in there; it's a Windows 2012 server. Looks like it applied the 5/8 security update. – None – 2018-05-09T17:04:49.910

4What I found was that for us the client was the "issue". The servers didn't have the latest updates. The clients did have the latest update so they wouldn't work. Once the server was updated, everything worked. – None – 2018-05-09T18:04:05.503

For those not sure where to start, run "gpedit.msc" then follow the instructions above. – Glen Little – 2018-05-11T19:09:13.597

This does not work on my Windows 10 system. Manually updating the CredSSP registry key does allow me to connect - which I only intend to do for long enough to patch the machine up to the current standard. – Tom W – 2019-04-05T11:14:41.590

12

Another way is to install the Microsoft Remote Desktop client from the MS Store - https://www.microsoft.com/en-us/store/p/microsoft-remote-desktop/9wzdncrfj3ps

Pavel

Posted 2018-05-09T03:54:35.757

Reputation: 139

2Thank you, I hope that it will have file copy/paste instead of shared folders one day. It only has clipboard sharing to copy/paste text. – Pham X. Bach – 2018-05-09T08:17:49.800

The Windows App Store RDP client lacks so many of the customization and integration features of the built-in mstsc.exe it's hard to take seriously. From a security standpoint, it won't even let you view the certificate used for secure connections (last time I checked); it also lacks smart-card support, multiple-monitor spanning, drive redirection, and others. Microsoft's own comparison table reveals how anaemic it is: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare – Dai – 2018-05-10T18:57:04.373

6

This problem only happens in my Hyper-V VM, and remoting to physical machines is OK.

On the target VM, go to This PC → System Settings → Advanced System Settings, and I solved it by unchecking "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".

Uncheck this

Steven Chou

Posted 2018-05-09T03:54:35.757

Reputation: 161

God damn it. I enabled that option, forgot about it, and 2 hours later I realized it was the issue. – Shafiq al-Shaar – 2018-08-04T12:22:40.537

3

Following ac19501's answer I have created two registry files to make this easier:

rdp_insecure_on.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
@=""
"AllowEncryptionOracle"=dword:00000002

rdp_insecure_off.reg

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]

yann.kmm

Posted 2018-05-09T03:54:35.757

Reputation: 131

2

I came across the same issues. The better solution would be to update the machine you are connecting to instead of using Pham X. Bach's answer to lower the security level.

However, if you cannot update the machine for some reason his workaround works.

gointern

Posted 2018-05-09T03:54:35.757

Reputation:

Sorry for misunderstanding your answer. Yes, the best solution should be to update the server and all clients to version >= the 2018/05/08 update from MS. – Pham X. Bach – 2018-05-10T02:24:35.663

2

Update: GPO example, shown in the screenshot.

Based on the answer "reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2"

Print Screen

Key Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Value Name: AllowEncryptionOracle
Value data: 2

Ramon Lucas

Posted 2018-05-09T03:54:35.757

Reputation: 21

1

You need to install a Windows Update for the server and all clients. To look for the update, go to https://portal.msrc.microsoft.com/en-us/security-guidance, then search for the 2018-0886 CVE and choose the Security Update for the version of Windows installed.

Alejandro

Posted 2018-05-09T03:54:35.757

Reputation:

1

Another option if you have access to the command-line (we have an SSH server running on the box) is to run "sconfig.cmd" from the command line. You get a menu like below:


Choose option 7, and turn it on for all clients, not just secure ones.

Once that's done, you can remote desktop in. It looks like for us the problem was our client systems got updated for the new security, but our server boxes were behind on updates. I'd suggest getting the updates and then turning this security setting back on.

Brent

Posted 2018-05-09T03:54:35.757

Reputation: 11

1

You need to update your Windows Server using Windows Update. All required patches will be installed. Then you can connect to your server via Remote Desktop again.

You need to install KB4103725.

Read more at: https://support.microsoft.com/en-us/help/4103725/windows-81-update-kb4103725

Ali Shams

Posted 2018-05-09T03:54:35.757

Reputation:

For those who have lost access to their remote server: I can still access my servers with Remote Desktop for Android. Then you can install patches and solve the issue with Remote Desktop connections from Windows clients. – None – 2018-05-10T07:44:44.720

1

For servers, we can also change the setting via Remote PowerShell (assuming WinRM is enabled, etc.):

# The host name must be a string; replace it with your server's name.
$Server = 'remoteHostName'
# Turns off "require Network Level Authentication" on the RDP-tcp listener of the remote server.
Invoke-Command -ComputerName $Server -ScriptBlock {(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)} -Credential (Get-Credential)

Now, if this setting is managed by a domain GPO, it's possible that it'll revert, so you need to check the GPOs. But for a quick fix, this works.

Reference: https://www.petri.com/disable-remote-desktop-network-level-authentication-using-powershell

Francisco Xavier

Posted 2018-05-09T03:54:35.757

Reputation: 11
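As an added example (not code from any answer on this page), the following PowerShell script audits the two settings that the workarounds in ac19501's answer (the AllowEncryptionOracle registry value) and this answer (the RDP-tcp NLA requirement) weaken, reports their state on each server, and with -Restore puts both back to the patched defaults. It assumes WinRM is enabled on the targets, that you hold administrator credentials, and that the host names are supplied by you.

```powershell
# Added example: audit (and optionally re-harden) CredSSP policy and RDP NLA on remote servers.
# Assumptions: WinRM reachable, admin credentials, host names passed by the caller.
param(
    [Parameter(Mandatory)] [string[]] $ComputerName,
    [switch] $Restore,
    [pscredential] $Credential = (Get-Credential)
)

$block = {
    param([bool] $Restore)
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP'
    $paramKey  = "$policyKey\Parameters"
    # Meaning of AllowEncryptionOracle per Microsoft's CredSSP guidance:
    # 0 = Force Updated Clients, 1 = Mitigated (default after the May 2018 update), 2 = Vulnerable
    $names = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
    $value = (Get-ItemProperty -Path $paramKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    $oracle = if ($null -eq $value) { 'not set (patched default = Mitigated)' } else { "$value ($($names[[int]$value]))" }

    # Same WMI object the answer above uses; UserAuthenticationRequired = 1 means NLA is required.
    $ts  = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
    $nla = [bool]$ts.UserAuthenticationRequired

    if ($Restore) {
        # Removing the whole policy key returns the machine to the patched default (as Will Huang's comment suggests).
        if ($null -ne $value) { Remove-Item -Path $policyKey -Recurse -Force }
        # Re-enable the NLA requirement if a workaround switched it off.
        if (-not $nla) { [void]$ts.SetUserAuthenticationRequired(1); $nla = $true }
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        AllowEncryptionOracle = $oracle
        NlaRequired           = $nla
        Restored              = [bool]$Restore
    }
}

Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock $block -ArgumentList $Restore.IsPresent |
    Format-Table Computer, AllowEncryptionOracle, NlaRequired, Restored -AutoSize
```

Run it without -Restore first to see which servers still carry a workaround; if a domain GPO manages either setting, the next policy refresh will overwrite whatever the script changes.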

1

Uninstall:

  • For Windows 7 and 8.1: KB4103718 and/or KB4093114
  • For Windows 10: KB4103721 and/or KB4103727 server without updates

This update contains a patch for vulnerability CVE-2018-0886. On a non-patched server it lets them in without them.

EXPY

Posted 2018-05-09T03:54:35.757

Reputation: 11

2Welcome to Super User! Can you explain why uninstalling these KBs will help? – bertieb – 2018-05-10T14:41:46.753

Because this update contains a patch for vulnerability CVE-2018-0886; on a non-patched server it lets them in without them. – EXPY – 2018-05-11T18:37:08.867