Weak/Outdated Encryption Mechanism in RDP

priti kaur 0 Reputation points
2025-12-03T23:57:27.1133333+00:00

The server is supporting deprecated 3DES cipher suites with RSA key exchange, which are insecure due to lack of Perfect Forward Secrecy and outdated CBC mode. 3DES should be disabled and only strong modern cipher suites (AES-GCM with ECDHE on TLS 1.2+) should be enforced.

Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.

2 answers

  1. Q&A Assist
    2025-12-03T23:57:34.06+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To address the issue of weak and outdated encryption mechanisms in RDP, it is essential to disable deprecated cipher suites such as 3DES and enforce the use of stronger, modern cipher suites. Specifically, you should implement AES-GCM with ECDHE on TLS 1.2 or higher. This approach ensures better security through Perfect Forward Secrecy and avoids vulnerabilities associated with outdated encryption methods.

    For Windows Server environments, you can configure the TLS settings to disable legacy protocols and enforce stronger cipher suites. This includes disabling 3DES and ensuring that only secure ciphers are allowed for RDP connections.

    It's also advisable to regularly review and update your server's security protocols to align with the latest security standards and recommendations.



  2. Manish Deshpande 1,330 Reputation points Microsoft External Staff Moderator
    2025-12-04T00:12:48.3333333+00:00

    Hello @priti kaur

    I understand your concerns about the security risks associated with using deprecated 3DES cipher suites with RSA keys in your RDP setup. You are correct that these ciphers are outdated and lack essential security features such as Perfect Forward Secrecy.

    To strengthen your security, I recommend disabling the 3DES cipher suite and adopting more robust options, like AES-GCM with ECDHE on TLS 1.2 or higher. Below are some steps you can follow to facilitate this transition:

    1. Disable 3DES: You should disable the 3DES cipher suites on your server. You can configure this by modifying the Group Policy settings or using command line tools to restrict cipher suites. This will help migrate to stronger encryption standards.
    2. Enforce Strong Cipher Suites: Make sure your RDP is configured to use modern encryption standards like AES-GCM with ECDHE on TLS 1.2 or higher. You may need to adjust the Local Security Policy or Registry settings to ensure only strong ciphers are permitted.
    3. Check Settings: Specifically, you’ll want to check the security settings for Remote Desktop connections. Ensure both that Network Level Authentication (NLA) is enabled and that the allowed cipher suites are appropriate for your security needs.
    4. Monitoring and Compliance: Consider using Azure Security Center to monitor the compliance status of your VM against security best practices and recommendations.

    References
    https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/credssp-encryption-oracle-remediation
    https://learn.microsoft.com/en-us/previous-versions/azure/cloud-services/cloud-services-role-enable-remote-desktop-new-portal
    https://learn.microsoft.com/en-us/azure/virtual-desktop/network-connectivity?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#connection-security

    Hope this helps! If the issue persists, I would appreciate it if you could provide more details on:

    • Could you specify which version of the operating system you are using?
    • Have you already attempted to modify any Group Policy settings related to the cipher suites?
    • Are you utilizing any specific Azure services or tools that might impact your RDP settings?

    Thanks,
    Manish Deshpande
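
The steps in the answer above, sketched as an added PowerShell example (not part of the thread and not Microsoft's own script). It assumes an elevated session on Windows Server 2016 or later, where the built-in TLS module is available; the function names `Get-WeakTlsCipherSuite` and `Disable-TripleDes` are hypothetical.

```powershell
function Get-WeakTlsCipherSuite {
    # Report enabled Schannel suites that miss the bar set in the question:
    # no 3DES, ECDHE key exchange, AES-GCM. Classification is by suite name.
    foreach ($suite in Get-TlsCipherSuite) {
        $name = $suite.Name
        # TLS 1.3 suite names carry no key exchange; they are always ephemeral + AEAD.
        if ($name -match '^TLS_(AES|CHACHA20)_') { continue }
        $reasons = @()
        if ($name -match '3DES')        { $reasons += '3DES' }
        if ($name -notmatch '_ECDHE_')  { $reasons += 'no ECDHE key exchange' }
        if ($name -notmatch '_GCM_')    { $reasons += 'not AES-GCM' }
        if ($reasons) {
            [pscustomobject]@{ Name = $name; Reasons = $reasons -join ', ' }
        }
    }
}

function Disable-TripleDes {
    # Disables only the 3DES suites; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Get-TlsCipherSuite | Where-Object Name -match '3DES' | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Name, 'Disable-TlsCipherSuite')) {
            Disable-TlsCipherSuite -Name $_.Name
        }
    }
}

# 1. Audit: what is enabled now, and why each flagged suite is weak.
Get-WeakTlsCipherSuite | Format-Table -AutoSize

# 2. If "SSL Cipher Suite Order" is set by Group Policy, fix the list there;
#    the policy list takes precedence over local changes.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue) {
    Write-Warning 'Cipher suite order is managed by Group Policy; remove 3DES from that list.'
}

# 3. Dry run first; drop -WhatIf to apply.
Disable-TripleDes -WhatIf

# 4. RDP listener settings (local values; Group Policy may set them elsewhere).
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
[pscustomobject]@{
    NlaRequired      = ($rdp.UserAuthentication -eq 1)   # 1 = NLA required
    TlsSecurityLayer = ($rdp.SecurityLayer -eq 2)        # 2 = SSL (TLS)
}
```

Suites flagged only for lacking ECDHE or GCM are reported, not disabled, so that older RDP clients can be checked for compatibility before those suites are removed.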

