Windows – How to change encryption from RC4 to AES in order to allow RDP to the remote servers

encryptionrdpwindows

I have multiple physical and virtual servers on a company domain. The physical and virtual servers are all still Windows 2008 R2. The clients have all been updated to Windows 10 from Windows 7 in the past couple of weeks.

In order to satisfy STIG requirements, the Active Directory owners pushed a GPO to all of the Windows 10 boxes which disabled RC4 encryption and are now only allowing AES 128/256. They did not push similar GPO's to my Server 2008 R2 machines.

Now our employees cannot RDP into the server to perform routine tasks.

When I asked our IT department how to resolve this, they said that I need to disable RC4 and enable AES 128/256 or any "Future Encryption Types". However, this is not something I've ever handled before. Where and how do I disable RC4 and enable AES in order to restore RDP functionality?

Best Answer

There is a patch for it from Microsoft: https://support.microsoft.com/en-us/kb/3080079

Related Solutions

Remote Desktop – Preventing Unwanted Automatic Log Off

The first thing to check would be the timeout settings in Terminal Services Configuration. It's in the Sessions tab in the TSC.

Why don’t Active Directory user accounts automatically support Kerberos AES authentication

Checking the Kerberos AES checkboxes for the users would cause authentication failures on pre-Vista clients. This is probably the reason that it's not set by default.

The Kerberos AES support checkboxes correspond to the value set in an attribute called msDS-SupportedEncryptionTypes

To change this for more than one user, you can utilize PowerShell and the ActiveDirectory module:

# The numerical values for Kerberos AES encryption types to support
$AES128 = 0x8
$AES256 = 0x10

# Fetch all users from an OU with their current support encryption types attribute
$Users = Get-ADUser -Filter * -SearchBase "OU=SecureUsers,OU=Users,DC=domain,DC=tld" -Properties "msDS-SupportedEncryptionTypes"
foreach($User in $Users)
{
    # If none are currently supported, enable AES256
    $encTypes = $User."msDS-SupportedEncryptionType"
    if(($encTypes -band $AES128) -ne $AES128 -and ($encTypes -band $AES256) -ne $AES256)
    {
        Set-ADUser $User -Replace @{"msDS-SupportedEncryptionTypes"=($encTypes -bor $AES256)}
    }
}

Best Answer

Related Solutions

Remote Desktop – Preventing Unwanted Automatic Log Off

Why don’t Active Directory user accounts automatically support Kerberos AES authentication

Related Topic