RDP - CredSSP Encryption Oracle Remediation error

Question

After I installed the Hyper-V Role onto my server I've receiving this error when trying to login with RDP, I have already tried changing Encryption Oracle Remediation to Vulnerable, it didn't fix the issue and I reverted it after discovering the security risks of it.

The only things I did before this issue became apparent was removing IIS & Installing Hyper-V.

]1

Answer 1

I went 1 by 1 through the Security Options (Policies) that I changed to improve security and found that one of the policies I was told to change to "Deny All" which was "Network security: Restrict NTLM: Incoming NTLM traffic" I changed it to "Allow all" and updated the group policies and I can now connect through RDP.
Hopefully this won't be a risk to my DC.

Answer 2

This can be mitigated with a registry entry. I've found the primary reason for this is systems that are not up2date with Windows updates.

There are known workarounds: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/credssp-encryption-oracle-remediation

Answer 3

Since you are on Server 2019, I don't think the updates posted by GettnBetter will help

If you are on a domain, use the FQDN, IP or just the server name won't work , even if it resolves fine.
i.e. servername.domain.local

I believe this is Kerberos related, Kerberos needs FQDN to connect.
NTLM has a few security risks associated with it, take caution.

If your server is not on your domain, or you cant use Kerberos

Note: NTLM can be restricted in a domain via GPO preventing fallback option if Kerberos didn't work.
This will give you the CredSSP error.

Try Enable-WSManCredSSP : https://learn.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7.3

The old registry and settings fixes for Server 2012 R2 & 2016 might still work in GettnBetter's post