RDP SSL/Hybrid Mode Supported but Not Enforced

Our web server is Windows 2008 R2. A PCI scan by Trustwave is failing our PCI compliance because of this:

RDP SSL/Hybrid Mode Supported but Not Enforced

Remote desktop protocol (RDP) supports 3 basic levels of protocol security (RDP, SSL, and Hybrid). This RDP service supports the most basic level of RDP, SSL, and Hybrid modes, but does not require connections use only the stronger levels of RDP security such as SSL or Hybrid mode.

Remediation: Configure RDP services to require connections use SSL or Hybrid mode only; or disable basic insecure connection options.

It's very unclear exactly what I need to change inside Remote Desktop Session Host Configuration to resolve this. I already set RD on the server to "Negotiate". Any ideas?

HerrimanCoder

Posted 2015-08-01T21:20:11.763

Reputation: 397

Perhaps Negotiate isn't secure enough, so try SSL (TLS 1.0). See this article on hardening RDP.

– harrymc – 2015-08-06T06:22:15.133

You're right, this solved it. Such a simple thing, for some reason I was looking for something more complex. – HerrimanCoder – 2015-08-10T17:16:30.580

Answers

2

If Negotiate isn't secure enough, try SSL (TLS 1.0):

  • Open the Remote Desktop Session Host Configuration tool
  • Right-click on RDP TCP
  • Choose Properties
  • Select the SSL certificate (see bottom red circle in the following screenshot).
  • After selecting the SSL certificate, set the Security Layer to SSL (TLS 1.0).

See this article for hardening RDP:
Remote Desktop Protocol Security: Creating a Successful Implementation.

[screenshot: RDP-Tcp Properties dialog, General tab, with the certificate selection and Security Layer setting circled]

harrymc

Posted 2015-08-01T21:20:11.763

Reputation: 306 093
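As an added example (not part of harrymc's answer or the original page), the same change made from an elevated PowerShell prompt, so the setting can be audited before and after a scan. It assumes the default listener name RDP-Tcp and uses the Win32_TSGeneralSetting WMI class, which is the same setting the Session Host Configuration tool writes; the value meanings (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL) are the documented ones.

```powershell
# Added example: audit and enforce the security layer on the RDP-Tcp listener.
# SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0).
# "Negotiate" still accepts the legacy RDP layer from clients that ask for it,
# which is exactly what the scanner reports as "supported but not enforced".
# Assumed: default listener name RDP-Tcp and a certificate already bound to it.

$listener = 'RDP-Tcp'
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpListenerSetting {
    param([string]$Name = $listener)
    Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$Name'" -Authentication PacketPrivacy
}

function Test-RdpSslEnforced {
    # True only when the listener requires SSL; Negotiate does not satisfy the finding.
    param([string]$Name = $listener)
    (Get-RdpListenerSetting -Name $Name).SecurityLayer -eq 2
}

function Set-RdpSslEnforced {
    param([string]$Name = $listener)
    $cfg = Get-RdpListenerSetting -Name $Name
    # An all-zero SHA1 hash means no certificate has been selected for the listener;
    # enforcing SSL without one would lock out every RDP client.
    if ([string]::IsNullOrEmpty($cfg.SSLCertificateSHA1Hash) -or
        $cfg.SSLCertificateSHA1Hash -match '^0+$') {
        throw "No server certificate bound to $Name; select one before enforcing SSL."
    }
    $result = $cfg.SetSecurityLayer(2)   # WMI method; non-zero ReturnValue means failure
    if ($result.ReturnValue -ne 0) {
        throw "SetSecurityLayer failed with code $($result.ReturnValue)"
    }
}

$before = Get-RdpListenerSetting
"Current security layer: $($layerNames[[int]$before.SecurityLayer])"
if (-not (Test-RdpSslEnforced)) {
    Set-RdpSslEnforced
    $after = Get-RdpListenerSetting
    "New security layer: $($layerNames[[int]$after.SecurityLayer])"
}
```

Existing sessions are not affected; new connections must use TLS, so re-run the scan only after confirming you can still connect with a client that supports it.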