If you have installed security updates on Windows 10 workstations in the past few days, you may get a weird error when you try to connect to your remote desktop server. On March 13, 2018, Microsoft released an update that patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms. The update addresses CVE-2018-0886.
Just a couple of days ago, the cumulative updates below were released for Windows 10, Server 2016, etc. These cumulative updates include the fix for the CredSSP encryption vulnerability.
May 8, 2018 – KB4103721 (OS Build 1803)
May 8, 2018 – KB4103727 (OS Build 1709)
May 8, 2018 – KB4103731 (OS Build 1703)
May 8, 2018 – KB4103723 (OS Build 1609 & Server 2016)
Once you have installed the patch on a workstation and attempt to connect to an unpatched server, you will see the following error message:
This is because the workstation is patched, but the remote desktop server is not!
On a patched workstation, a new GPO setting becomes available:
You can find this at Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> Encryption Oracle Remediation.
You can choose between:
Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest version.
Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
For the connection to work, you need to select “Vulnerable”. No reboot is required and everything will work again, but remember to patch the server and then set the GPO back to “Not configured” 🙂
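To find workstations where the “Vulnerable” workaround was left in place, the following added example (not part of the original post) reads the value behind the Encryption Oracle Remediation policy and flags it for follow-up. The registry path, the value name and the 0/1/2 mapping are not on this page; they are assumed from Microsoft's documentation of this policy.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" state on this machine.
# Assumption (not from the post): the policy is backed by this registry value.
$Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name  = 'AllowEncryptionOracle'
$Modes = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

# KBs listed in the post (May 8, 2018 cumulative updates).
$PostKBs = 'KB4103721', 'KB4103727', 'KB4103731', 'KB4103723'

function Get-CredSspRemediationState {
    # A missing key or value means the policy is "Not configured".
    $value = $null
    if (Test-Path -Path $Path) {
        $value = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $setting = 'Not configured'
    if ($null -ne $value) {
        $setting = if ($Modes.ContainsKey([int]$value)) { $Modes[[int]$value] } else { "Unknown ($value)" }
    }

    # Get-HotFix only lists updates still recorded as installed. A later cumulative
    # update supersedes these, so "none found" is not proof that the fix is missing.
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $PostKBs -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Setting       = $setting
        RawValue      = $value
        PostKBsFound  = $found -join ', '
        NeedsFollowUp = ($setting -eq 'Vulnerable')
    }
}

$state = Get-CredSspRemediationState
$state | Format-List

if ($state.NeedsFollowUp) {
    Write-Warning 'Encryption Oracle Remediation is still "Vulnerable": patch the server, then set the GPO back to "Not configured".'
}
```

Run it from an elevated or standard PowerShell prompt on the workstation; it only reads state and changes nothing.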