Server Fault Asked by Hourglass on October 4, 2020
I have multiple physical and virtual servers on a company domain. The physical and virtual servers are all still Windows 2008 R2. The clients have all been updated to Windows 10 from Windows 7 in the past couple of weeks.
In order to satisfy STIG requirements, the Active Directory owners pushed a GPO to all of the Windows 10 boxes which disabled RC4 encryption and are now only allowing AES 128/256. They did not push similar GPOs to my Server 2008 R2 machines.
Now our employees cannot RDP into the server to perform routine tasks.
When I asked our IT department how to resolve this, they said that I need to disable RC4 and enable AES 128/256 or any “Future Encryption Types”. However, this is not something I’ve ever handled before. Where and how do I disable RC4 and enable AES in order to restore RDP functionality?
Try setting in the Active Directory object of every user/computer involved the LDAP attribute msDS-SupportedEncryptionTypes to 8 (= 128-bit AES only) or 24 (= 8+16 = 128 and 256-bit AES). In the Active Directory Users and Computers GUI, this corresponds to ticking in the Account tab the boxes “This Account supports Kerberos 128/256 encryption.”, although you can't easily disable RC4 there as well.
Two notes on choice of encryption types:
Answered by Markus Kuhn on October 4, 2020
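An added example, not part of the original answer: a PowerShell audit of the encryption-type bitmask on computer accounts, followed by a dry run that sets it to 24 (AES128 + AES256) as the answer above describes. It assumes the ActiveDirectory RSAT module is available; the OU path and the helper function name are hypothetical placeholders.

```powershell
# Added example: audit and set msDS-SupportedEncryptionTypes on computer accounts.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes mask (the answer uses 8 and 16).
$EncBits = @(
    @{ Name = 'DES-CBC-CRC'; Value = 0x01 },
    @{ Name = 'DES-CBC-MD5'; Value = 0x02 },
    @{ Name = 'RC4-HMAC';    Value = 0x04 },
    @{ Name = 'AES128';      Value = 0x08 },
    @{ Name = 'AES256';      Value = 0x10 }
)

# Hypothetical helper: turn the numeric mask into readable names.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return 'not set' }
    $names = foreach ($b in $EncBits) {
        if ($Mask -band $b.Value) { $b.Name }
    }
    return ($names -join ', ')
}

# Hypothetical OU path: replace with the OU that holds the 2008 R2 servers.
$SearchBase = 'OU=Servers,DC=example,DC=com'

$servers = Get-ADComputer -SearchBase $SearchBase -Filter * `
    -Properties 'msDS-SupportedEncryptionTypes'

# Audit: show the current mask and the types it enables for each server.
$servers | Select-Object Name,
    @{ n = 'Mask';  e = { [int]$_.'msDS-SupportedEncryptionTypes' } },
    @{ n = 'Types'; e = { ConvertFrom-EncTypeMask ([int]$_.'msDS-SupportedEncryptionTypes') } } |
    Format-Table -AutoSize

# Target value from the answer: 8 + 16 = 24 (AES128 and AES256, no RC4 or DES).
$AesOnly = 0x08 -bor 0x10

foreach ($s in $servers) {
    if ([int]$s.'msDS-SupportedEncryptionTypes' -ne $AesOnly) {
        # -WhatIf prints the change without writing it to the directory.
        Set-ADComputer -Identity $s `
            -Replace @{ 'msDS-SupportedEncryptionTypes' = $AesOnly } -WhatIf
    }
}
```

Drop `-WhatIf` once the dry-run output lists only the accounts you expect to change.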
There is a patch for it from Microsoft: https://support.microsoft.com/en-us/kb/3080079
Answered by duenni on October 4, 2020