1. Preface
To raise the security level of Remote Desktop and prevent session data from being captured by others, Windows Server 2003 Service Pack 1 added a secure authentication feature for Remote Desktop. With this feature, the data exchanged while remotely controlling a server can be protected with SSL encryption, which compensates for the security weaknesses of the original Remote Desktop implementation.
2. Problem description
In Windows Server 2003 and Windows Server 2008, SSL encryption for Remote Desktop Services is off by default and must be configured before it can be used. In Windows Server 2012 it is on by default and the server ships with a default CA certificate. Because of weaknesses in SSL/TLS itself, when Remote Desktop Services is enabled on Windows Server 2012 and the host is checked with a vulnerability scanning tool, an SSL/TLS vulnerability is reported, as shown in Figure 1:
Figure 1 Remote Desktop Services (RDP) has an SSL/TLS vulnerability
3. Solutions
Method One: Use Windows-brought FIPS instead of SSL encryption
1) Enable FIPS
Steps: open Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options, find the option "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", right-click it and choose Properties. On the Local Security Setting tab select "Enabled (E)", then click "Apply" and "OK", as shown in Figure 2:
Figure 2 Enabling FIPS
2) Disable SSL cipher Suite
Steps: press Win + R, type "gpedit.msc" in the Run box and open the Local Group Policy Editor. Go to Computer Configuration -> Network -> SSL Configuration Settings, right-click the "SSL Cipher Suite Order" option and choose "Edit". Set "SSL Cipher Suite Order" to "Disabled (D)", then click "Apply" and "OK", as shown in Figure 3:
Figure 3 Disabling the SSL cipher suite
3) Delete the default CA certificate
Steps: press Win + R, type "mmc" in the Run box and open the management console. Choose "File" -> "Add/Remove Snap-in", select "Certificates" under "Available snap-ins" and click "Add". In the Certificates snap-in dialog select "Computer account (C)" and click Next; under "Select Computer" choose "Local computer (the computer this console is running on)" and click Finish. Back in "Add/Remove Snap-in" click OK. In the console tree go to Certificates (Local Computer) -> Remote Desktop -> Certificates, right-click the default certificate and choose Delete.
Figure 4 Deleting the default CA certificate
4) Restart the server and scan the port with Nmap. A result like the one shown in Figure 5 indicates that the change was successful.
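The three Method One settings live in well-known places on the server, so they can be audited without clicking through the consoles again. The following PowerShell script is an added example and is not code from the original article: it reads the FIPS policy flag, the "SSL Cipher Suite Order" policy value, the contents of the Remote Desktop certificate store and the RDP-Tcp listener settings, and reports whether the server matches what Method One expects. The registry paths, store name and WMI class are the standard Windows locations for these settings; the pass/fail summary at the end is this example's own interpretation of the article's steps.

```powershell
# Added example, not part of the original article: audit the Method One settings
# on the local Windows Server 2012 host. Run from an elevated PowerShell prompt.

function Get-RdpHardeningState {
    # 1) FIPS policy. The "System cryptography: Use FIPS compliant algorithms" setting
    #    is stored as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $fipsEnabled = ($fips -eq 1)

    # 2) "SSL Cipher Suite Order" group policy. When Enabled it writes a comma-separated
    #    Functions value below; when Disabled or Not Configured the value is absent.
    $cipherKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $functions = (Get-ItemProperty -Path $cipherKey -Name Functions -ErrorAction SilentlyContinue).Functions
    $cipherPolicyActive = -not [string]::IsNullOrEmpty($functions)
    $cipherPolicyState = 'Disabled/NotConfigured'
    $suiteCount = 0
    if ($cipherPolicyActive) {
        $cipherPolicyState = 'Enabled'
        $suiteCount = @($functions -split ',').Count
    }

    # 3) The auto-generated RDP certificate is kept in the machine's "Remote Desktop" store,
    #    which is the store the article deletes it from in step 3.
    $rdpCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue)

    # 4) RDP-Tcp listener settings. SecurityLayer: 0 = RDP security, 1 = Negotiate, 2 = SSL/TLS.
    #    MinEncryptionLevel: 4 = FIPS compliant.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"

    [pscustomobject]@{
        FipsEnabled           = $fipsEnabled
        CipherSuitePolicy     = $cipherPolicyState
        ConfiguredSuiteCount  = $suiteCount
        DefaultRdpCertCount   = $rdpCerts.Count
        DefaultRdpCertThumbs  = (@($rdpCerts | ForEach-Object { $_.Thumbprint }) -join ';')
        RdpSecurityLayer      = $listener.SecurityLayer
        RdpMinEncryptionLevel = $listener.MinEncryptionLevel
    }
}

$state = Get-RdpHardeningState
$state | Format-List

# Method One expects: FIPS on, the cipher suite policy not enabled, and no default RDP certificate.
$ok = $state.FipsEnabled -and ($state.CipherSuitePolicy -ne 'Enabled') -and ($state.DefaultRdpCertCount -eq 0)
if ($ok) {
    'Method One settings are in place; reboot and re-scan port 3389 with Nmap.'
} else {
    'One or more Method One settings are not applied; review the list above.'
}
```

After the reboot, the Nmap check in step 4 can be made more informative than a plain port scan by running Nmap's ssl-enum-ciphers script against port 3389 from another host, which lists the protocol versions and cipher suites the listener actually offers, so the result can be compared against the policy the script reports.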
Method Two: Upgrade the SSL encryption CA certificate
1) Modify the SSL cipher suite
Steps: press Win + R, type "gpedit.msc" in the Run box and open the Local Group Policy Editor. Go to Computer Configuration -> Network -> SSL Configuration Settings, right-click the "SSL Cipher Suite Order" option and choose "Edit". Set "SSL Cipher Suite Order" to "Enabled (E)". Under "SSL Cipher Suites", edit the cipher suite list so that only the TLS 1.2 SHA256 and SHA384 cipher suites and the TLS 1.2 ECC GCM cipher suites remain; that is, replace the original content with:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256
Then click "Apply" and "OK". The result is shown in Figure 6:
Figure 6 Modifying the SSL cipher Suite
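The cipher suite string in step 1 is long and easy to mistype, and as listed it still contains TLS_RSA_WITH_NULL_SHA256, a suite that authenticates but does not encrypt, so a scanner will keep reporting it. The following PowerShell script is an added example, not code from the original article: it takes the article's list as input, reports the weaknesses of each suite, keeps the ones that are not outright rejected, and shows how the same "SSL Cipher Suite Order" value can be written to the registry key that the Group Policy setting controls. The registry path is the standard location for that policy; the REJECT/WARN classification is this example's own choice.

```powershell
# Added example, not part of the original article: check the Method Two cipher suite
# list before applying it, then write the "SSL Cipher Suite Order" policy value from
# PowerShell. Run in an elevated prompt; the change takes effect after a reboot.

# The article's list, copied here as the input under test.
$proposed = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521'
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256'
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_NULL_SHA256'
) -join ','

function Test-CipherSuiteList {
    param([Parameter(Mandatory = $true)][string]$SuiteString)
    # Normalise: split on commas, trim, upper-case, drop empty entries.
    $suites = $SuiteString -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ }
    foreach ($s in $suites) {
        $reject = @()   # findings that disqualify the suite outright
        $warn   = @()   # findings worth knowing about but tolerable for RDP client compatibility
        if ($s -match '_WITH_NULL_')           { $reject += 'NULL cipher: traffic is not encrypted' }
        if ($s -match '_WITH_(RC4|DES|3DES)_') { $reject += 'broken or legacy bulk cipher' }
        if ($s -match '_SHA$')                 { $reject += 'SHA-1 MAC' }
        if ($s -match '_CBC_')                 { $warn   += 'CBC mode (GCM preferred)' }
        if ($s -notmatch '^TLS_(ECDHE|DHE)_')  { $warn   += 'no forward secrecy (static key exchange)' }
        $verdict = 'OK'
        if ($warn.Count -gt 0)   { $verdict = 'WARN' }
        if ($reject.Count -gt 0) { $verdict = 'REJECT' }
        [pscustomobject]@{
            Suite    = $s
            Verdict  = $verdict
            Findings = (($reject + $warn) -join '; ')
        }
    }
}

$report = Test-CipherSuiteList -SuiteString $proposed
$report | Format-Table -AutoSize

# Keep everything that was not rejected, in the article's order, as the value to apply.
$clean = @($report | Where-Object { $_.Verdict -ne 'REJECT' } | ForEach-Object { $_.Suite }) -join ','

function Set-CipherSuiteOrderPolicy {
    # Writes the REG_SZ that the "SSL Cipher Suite Order" policy writes when set to Enabled.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$SuiteString)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    if ($PSCmdlet.ShouldProcess($key, 'Set Functions value')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Functions -Value $SuiteString -Type String
    }
}

# Preview only: remove -WhatIf to write the value.
Set-CipherSuiteOrderPolicy -SuiteString $clean -WhatIf
```

Two points to keep in mind when trimming the list further: the TLS_ECDHE_ECDSA_* suites are only negotiated when the RDP certificate has an ECDSA key, so on a server whose certificate comes from a typical RSA-based CA the ECDHE_RSA and RSA entries are the ones clients will actually use; and the _P256/_P384/_P521 suffixes are the Windows Server 2012 naming convention, which later versions accept but no longer require.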
2) Delete the default CA certificate
To remove the default CA certificate, follow Method One, step 3, "Delete the default CA certificate".
3) Add a new CA certificate
To add a new CA certificate, refer to: 48831105
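Once a certificate issued by your CA has been installed in the server's Personal (My) certificate store, it still has to be bound to the RDP-Tcp listener, which is the part of "add a new CA certificate" that is easy to get wrong. The following PowerShell function is an added example and is not code from the original article or from the referenced post: it looks the certificate up by thumbprint, checks that a private key and the Server Authentication EKU are present, binds it to the listener through the Win32_TSGeneralSetting WMI class, and forces the SSL/TLS security layer. The WMI class and property names are the standard ones Windows uses for the listener; REPLACE_WITH_THUMBPRINT is a placeholder for the real thumbprint.

```powershell
# Added example, not part of the original article: bind an installed CA-issued
# certificate to the RDP-Tcp listener. Assumes the certificate and its private key
# are already in Cert:\LocalMachine\My. Run in an elevated prompt.

function Set-RdpListenerCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Tolerate thumbprints pasted with spaces from the certificate dialog.
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the RDP listener cannot use it' }

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). An empty EKU list means "any purpose".
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and ($ekus -notcontains '1.3.6.1.5.5.7.3.1')) {
        Write-Warning 'Certificate lacks the Server Authentication EKU; clients may reject it'
    }

    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                    -Filter "TerminalName='RDP-Tcp'"
    if (-not $listener) { throw 'RDP-Tcp listener not found (is Remote Desktop enabled?)' }

    if ($PSCmdlet.ShouldProcess('RDP-Tcp', "Bind certificate $Thumbprint")) {
        # SSLCertificateSHA1Hash is the property the Remote Desktop configuration GUI sets
        # when a certificate is selected on the listener's General tab.
        Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
        # SecurityLayer 2 = SSL/TLS only, so the listener never falls back to legacy RDP security.
        Set-WmiInstance -Path $listener.__PATH -Arguments @{ SecurityLayer = 2 } | Out-Null
    }

    # Re-read the listener so the caller sees what is actually configured.
    $after = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                 -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        BoundThumbprint = $after.SSLCertificateSHA1Hash
        SecurityLayer   = $after.SecurityLayer
        Subject         = $cert.Subject
        NotAfter        = $cert.NotAfter
    }
}

# Preview only: replace the placeholder and remove -WhatIf to apply.
Set-RdpListenerCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -WhatIf
```

The Remote Desktop service reads the private key as NETWORK SERVICE, so if clients fail to connect after the binding, grant that account read access to the key (right-click the certificate in the Certificates console, All Tasks, Manage Private Keys) and retry; the step 4 scan will then show the CA-issued certificate instead of the deleted default one.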
4) Verification
Use OpenVAS or another vulnerability scanning tool to verify that the upgrade was successful.
Solution for the SSL/TLS vulnerability in Windows Server 2012 Remote Desktop Services (RDP)