After Windows Update, I get this error when trying to connect to a server using Remote Desktop Connection.
When read the link provided by error message, it seems because of an update at 2018/05/08:
May 8, 2018
An update to change the default setting from Vulnerable to Mitigated.
Related Microsoft Knowledge Base numbers are listed in CVE-2018-0886.
Is there a solution for this?
Alternate method to gpedit using cmd:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
I found one solution. As described in the help link, I tried roll back from update 2018/05/08 by changing the value of this group policy:
Run gpedit.msc
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation
Change it to Enable and in Protection level, change back to Vulnerable.
I am not sure if it may rollback any risk of an attacker exploiting my connection. I hope Microsoft will fix this soon so I could restore the setting to the recommend setting Mitigated.
(Posted an answer on behalf of the question author).
As in some answers, the best solution for this error is to update both server and clients to version >= the 2018-05-08 update from Microsoft.
If you cannot update both of them (i.e. you can only update client or server) then you could apply one of the workarounds from the answers below, and change the configuration back ASAP so that you minimise the duration of the vulnerability introduced by the workaround.
Another way is install Microsoft Remote Desktop client from MS Store - https://www.microsoft.com/en-us/store/p/microsoft-remote-desktop/9wzdncrfj3ps
This problem only happens in my Hyper-V VM, and remoting to physical machines is OK.
Go to This PC → System Settings → Advanced System Settings on the server and then I solved it by unchecking target VM "allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)".
Following ac19501's answer I have created two registry files to make this easier:
rdp_insecure_on.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
@=""
"AllowEncryptionOracle"=dword:00000002
rdp_insecure_off.reg
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
I came across the same issues. The better solution would be to update the machine you are connecting to instead of using Pham X Bach answer to lower security level.
However, if you cannot update the machine for some reason his workaround works.
Another option if you have access to the command-line (we have an SSH server running on the box) is to run "sconfig.cmd" from the command line. You get a menu like below:
Choose option 7, and turn it on for all clients, not just secure.
Once that's done, you can remote desktop in. It looks like for us the problem was our client systems got updated for the new security, but our server boxes were behind on updates. I'd suggest getting the updates and then turning this security setting back on.
Update on GPO example on print screen.
Based on the answer "reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2"
Key Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Value Name: AllowEncryptionOracle
Value data: 2
You need to install a Windows Update for the server and all clients. To look for the update, go to https://portal.msrc.microsoft.com/en-us/security-guidance, then search for the 2018-0886 CVE and choose the Security Update for the version of Windows installed.
You need to update your Windows Server using Windows Update. All required patches will be installed. Then you can connect to your server via Remote Desktop again.
You need to install kb4103725
Read more at: https://support.microsoft.com/en-us/help/4103725/windows-81-update-kb4103725
For servers, we can also change the setting via Remote PowerShell (assuming WinRM is enabled, etc...)
$Server = remoteHostName
Invoke-Command -ComputerName $Server -ScriptBlock {(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)} -Credential (Get-Credential)
Now, if this setting is managed by a domain GPO, it's possible that it'll revert, so you need to check the GPOs. But for a quick fix, this works.
Reference: https://www.petri.com/disable-remote-desktop-network-level-authentication-using-powershell
Uninstall:
This update contains a patch for vulnerability CVE-2018-0886. On a non-patched server it lets them in without them.
We got this error at our company when the company installed Remote Credential Guard (3rd party software) on the server and we tried to connect to a computer outside the domain.
