Security review of RDP MSTSC
Published: Tuesday, April 14, 2020 written by Andy Flagg
View Count: 169
Keywords: RDP, MSTSC, Security Level Review
This is a good review of what we know to be true in most cases, yet for some reason, a few windows updates reduce the security level. We can't prove it other than we set things to FIPS and TLS 1.2 and somehow they drop back down to compatibility level and TLS 1.0.
We are investigating. Until further notice, review this:
Set TLS and encryption level using registry
- Write "regedit” in a command line shell to open the Registry Editor.
- Navigate to the following registry keys to modify the Remote Desktop security settings:
- Security Layer 0 – With a low security level, the remote desktop protocol is used by the client for authentication prior to a remote desktop connection being established. Use this setting if you are working in an isolated environment.
- Security Layer 1 – With a medium security level, the server and client negotiate the method for authentication prior to a Remote Desktop connection being established. As this is the default value, use this setting only if all your machines are running Windows.
- Security Layer 2- With a high security level, Transport Layer Security, better knows as TLS is used by the server and client for authentication prior to a remote desktop connection being established. We recommend using this setting for maximum security.
To change the encryption level, navigate to the following registry key:
- Security Layer 1 – With a low security level, communications sent from the client to the server are encrypted using 56-bit encryption. Data sent from the server to the client is not encrypted. This setting is not recommended as you can be exposed to various attacks.
- Security Layer 2 – Having a client compatible security level, communications between the server and the client are encrypted at the maximum key strength supported by the client. Use this level when the Terminal Server is running in an environment containing mixed or legacy clients as this is the default setting on your OS.
- Security Layer 3 – With a high security level, communications between server and client are encrypted using 128-bit encryption. Use this level when the clients that access the Terminal Server also support 128-bit encryption. If this option is set, clients that do not support 128-bit encryption will not be able to connect.
- Security Layer 4 – This security level is FIPS-Compliant, meaning that all communication between the server and client are encrypted and decrypted with the Federal Information Processing Standard (FIPS) encryption algorithms. We recommend using this setting for maximum efficiency but only if both machines support this type of encryption.
more to come...
if you found this article helpful, consider contributing $10, 20 an Andrew Jackson or so..to the author. more authors coming soon
FYI we use paypal or patreon, patreon has 3x the transaction fees, so we don't, not yet.
© 2020 myBlog™ v1.1 All rights reserved. We count views as reads, so let's not over think it.