FedericoCoppola-2569 asked VladimirGomez-6672 commented

Disable TLS 1.0 for RDP Protocol using GPO

Hi all,
Inside the company we have completed a vulnerability assessment.
I have this vulnerability:

"TLS Version 1.0 Protocol Detection"

All physical servers and virtual machines inside the company are Windows Server 2016 Datacenter and they have got the latest Windows Updates.

How can I solve it for RDP?
Is it possible to disable TLS 1.0 for RDP using GPO?

I would like to improve security on company servers.

Thanks so much

Best regards
Federico

Tags: remote-desktop-services, windows-server-2016, windows-server-security

Thameur-BOURBITA answered Thameur-BOURBITA edited

Hi,

You can use Group Policy Preferences to disable or enable TLS 1.0 by setting the registry key mentioned at this link:

tls-registry-settings




Please don't forget to mark this reply as the answer if it helps you to fix your issue.


VickyWang-MFST answered VickyWang-MFST rolled back

Disabling TLS is a system-wide registry setting:

https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Value: Enabled
Value type: REG_DWORD
Value Data: 0
Also, the PCI requirement for disabling early TLS does not go into effect until June 30, 2016.

Internet Explorer is one product I know of that has a separate configuration option for the TLS/SSL encryption settings. There may be others.

I have a Windows 2012 R2 server with TLS 1.0 disabled and I can remote desktop to it.

If you are wondering, below is a screenshot of tsconfig.msc on a Windows 2008 R2 server that has KB3080079 installed. There's nothing to configure because the only thing the update did was add support for the other two TLS encryption levels so that when TLS 1.0 is disabled it continues to work.
43118-capture3.png



Hope this information can help you
Best wishes
Vicky
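
The registry value from the answer above, checked and set with PowerShell. This is an added example, not code from anyone in the thread; the function names are hypothetical and it assumes an elevated session on the target server.

```powershell
# Added example (not from the thread). Run elevated on the target server.
# Key, value name, type and data are the ones given in the answer above.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
$ValueName = 'Enabled'

function Get-Tls10ServerState {
    # 'NotConfigured' means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ($item.$ValueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Tls10Server {
    # Hypothetical helper name. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $KeyPath) -and
        $PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
        # -Force also creates any missing parent keys under Protocols.
        New-Item -Path $KeyPath -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set REG_DWORD to 0')) {
        New-ItemProperty -Path $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Record the state before and after so the result can be attached to the
# vulnerability-assessment finding.
$before = Get-Tls10ServerState
if ($before -ne 'Disabled') { Disable-Tls10Server }

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Before   = $before
    After    = Get-Tls10ServerState
}

# Restart the server so Schannel picks up the change, then rescan.
```

The same key path, value name, REG_DWORD type and data 0 are what a Group Policy Preferences Registry item would carry when the setting is pushed to several servers, as the first answer suggests.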



FedericoCoppola-2569 answered

Hi,
thanks for your reply.

@Thameur-BOURBITA Ok, so I will disable TLS 1.0 for the whole system and not just for RDP.

@VickyWang-MFST Sorry but I did not understand which is the right option for "Remote Desktop Session Host Configuration".


I would like to generally disable TLS 1.0 to improve security in my LAN, where there are different Windows Server 2016 VMs (Domain Controllers, File Server, Print Server...).

Can I create a group policy to disable it on different machines?

Thanks so much
Federico


FedericoCoppola-2569 answered

Can anyone suggest the proper GPO to set to disable TLS 1.0 on different servers?
Not all servers are Terminal Servers (just one at the moment).


Thanks
Federico


VickyWang-MFST answered

Hi,
According to my knowledge, there is no GPO that can disable the terminal server.
Best wishes
Vicky


FedericoCoppola-2205 answered VladimirGomez-6672 commented

Dear @VickyWang-MFST,
Thanks for your answer.

Sorry but I did not find tsconfig.msc on my Windows Server 2016 Terminal Server.
Is it normal?

Best regards


This is normal; this console is demoted in new versions.
Greetings.

FedericoCoppola-2569 answered FedericoCoppola-2569 edited

Any suggestions?

I have followed this video to increase security of terminal server:
https://www.youtube.com/watch?v=nyBOJwvUaKQ

Thanks
