Wednesday, June 24, 2015

How to use Remote Desktop to access Windows Server 2012 from Windows 7 with TLS 1.0 Disabled

After securing a Windows Server 2012 box with TLS 1.0 disabled per PCI-DSS 3.1 requirements, I found that I could only connect to it through Remote Desktop (RDP) from a Windows 8.1 or Windows 10 client.

The problem was this: all attempts to connect through the LAN via Remote Desktop from Windows 7 were met with "This computer can't connect to the remote computer. Try connecting again...etc."

The Server 2012 Standard (not R2) computer is running the most simple Remote Desktop mode accessed through Computer/Remote Settings as shown below.


I went through rabbit trails with firewall settings, Remote Desktop Services (which I did not install) turning on and off the 'Allow connections only from computers running Remote Desktop with Network Level Authentication', using Select Users - none of them worked.

During extensive searching I ran across a some discussions of TLS and RDP on Windows 7. I found that we had RDP 7.1 on the Windows 7 sp1 computer and RDP 8.0 was an optional download through Windows update. RDP 8 apparently has support for later TLS versions beyond the disabled  TLS 1.0. RDP 8 for Windows 7 is discussed here: https://support.microsoft.com/en-us/kb/2592687.

Solution: After installing the KB2592687 update (an optional update in Windows update), rebooting and installing even more updates triggered by that update, RDP 8.0 client was installed and connected normally to the Windows 2012 server.

There is also an RDP 8.1 client only update KB2830477 that I may install later but for now I can Remote Desktop in to the Server 2012 box from Windows 7 without any apparent problems.

More info on RDP 8.1 for Windows 7 including prerequisites: http://blogs.msdn.com/b/rds/archive/2013/11/12/remote-desktop-protocol-8-1-update-for-windows-7-sp1-released-to-web.aspx

11 comments:

Michael Barber said...

How do you turn off TLS 1.0 on Windows 2012 RDP? Thanks.

Kirk Thomas said...

You can make the client or server not use TLS 1.0 by going to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\TLS 1.0

Add a Client or Server key depending on which system you are on. Your 2012 box would have the Server key and your RDP client box would have the Client key. In that key add a DWORD value DisabledByDefault with a value of 1. Also add another DWORD key Enabled with a value of 0. You have to reboot for these changes to take effect.

Michael Barber said...

Well, I use IISCrypto that makes all those registry changes for me automatially. However, those are setting the security protocols for the whole server, not specifically RDP. I am warned that RDP ONLY supports TLS 1.0 and if I turn TLS 1.0 off, RDP will stop working. ;) Everything I read says Microsoft RDP ONLY support TLS 1.0.

Michael Barber said...

Yep, they were right. I turned off TLS 1.0 and I can no longer get to the win-server 2012 machine using RDP.

Kirk Thomas said...

That's the whole point of the article. Older RDP only maxes out at TLS 1.0. You have to get RDP 8 or newer if you want to use TLS 1.1 and 1.2. TLS 1.0 is off on our 2012 box that I used as an example.

Yes, those are settings for the whole server. There is only one place to make those changes and they effect the whole system.

Follow the link in the article to get a newer RDP client and it will work fine with 1.1 and 1.2.

Michael Barber said...

uh, duhh. {Hammer to the head} lol
Sorry about that. Running around chasing my tail over this.

Michael Barber said...

It didn't work. Even with the KB installed on the client, once TLS 1.0 is turned off on the server, I can no longer access it with RDP. I immediately get "This computer cannot be connected to remote computer" Very aggravating trying to solve this. However, thanks for your help.

Kirk Thomas said...

Well, I don't know why it didn't work. Are sure TLS 1.1 and 1.2 are enabled on the server? Did you reboot your win 7 box after installing the later RDP? Our Win 7 RDP client is v6.2.9200 and it says Remote Desktop Protocol 8.0 supported at the bottom. You get to the about window by clicking on the upper left icon on the RDP window. If you have win 8.x or win 10, none of this matters because they support RDP 8.1 now.

Michael Barber said...

Ok, found the about and despite installing the KB and rebooting, the RDP client does say it is still RDP 7.1 supported.

Kirk Thomas said...

I would go back to the KB 2592687 article. There was a prerequisite hotfix you have to apply before downloading and installing the new RDP. You also had to Enable the Update on the Client afterwards in the registry. Not a simple process. I assume you have Win7 sp1 because that is also required.

Michael Barber said...

Ok, the problem might have been I was download the update and thought I was installing it but it wasn't doing anything. In Windows updates, it was an "optional" update and it wasn't unflagging it optional by going outside of Windows updates. I had to go to windows updates, click on settings, find the optional update and install it via windows updates. It says 8.1 now. I haven't tested it but I would presume it is going to work now. Thanks for you help. I let you otherwise, but I'm 90% sure I'm set now. Why Microsoft makes "security" so difficult and "optional" is very confusing to me.