I have multiple physical and virtual servers on a company domain. The physical and virtual servers are all still Windows 2008 R2. The clients have all been updated to Windows 10 from Windows 7 in the past couple of weeks.
In order to satisfy STIG requirements, the Active Directory owners pushed a GPO to all of the Windows 10 boxes which disabled RC4 encryption and are now only allowing AES 128/256. They did not push similar GPOs to my Server 2008 R2 machines.
Now our employees cannot RDP into the server to perform routine tasks.
When I asked our IT department how to resolve this, they said that I need to disable RC4 and enable AES 128/256 or any “Future Encryption Types”. However, this is not something I’ve ever handled before. Where and how do I disable RC4 and enable AES in order to restore RDP functionality?
Try setting in the Active Directory object of every user/computer involved the LDAP attribute msDS-SupportedEncryptionTypes to 8 (= 128-bit AES only) or 24 (= 8+16 = 128 and 256-bit AES). In the Active Directory Users and Computers GUI, this corresponds to ticking in the Account tab the boxes “This Account supports Kerberos 128/256 encryption.”, although you can't easily disable RC4 there as well.
Two notes on choice of encryption types:
Answered by Markus Kuhn on October 4, 2020
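The attribute change described in the answer above, as an added PowerShell example (not part of the original answer). It decodes the msDS-SupportedEncryptionTypes bitmask for each computer account in a search base and previews setting accounts without an AES bit to 24. The OU distinguished name is a placeholder and ConvertFrom-EncTypeMask is a helper defined here; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (8 and 16 are the AES bits from the answer).
$EncTypeBits = @(
    @{ Name = 'DES-CBC-CRC'; Bit = 0x1  },
    @{ Name = 'DES-CBC-MD5'; Bit = 0x2  },
    @{ Name = 'RC4-HMAC';    Bit = 0x4  },
    @{ Name = 'AES128';      Bit = 0x8  },
    @{ Name = 'AES256';      Bit = 0x10 }
)
$AesBits = 0x18   # 8 + 16 = 24

# Helper defined for this example: turn the numeric mask into readable names.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return 'not set' }
    $names = $EncTypeBits |
        Where-Object { $Mask -band $_.Bit } |
        ForEach-Object { $_.Name }
    return ($names -join ', ')
}

# Placeholder: replace with the OU that holds the Server 2008 R2 computer accounts.
$SearchBase = 'OU=Servers,DC=example,DC=com'

$servers = Get-ADComputer -Filter * -SearchBase $SearchBase `
    -Properties 'msDS-SupportedEncryptionTypes'

# Report the current value per computer account.
$servers | Select-Object Name,
    @{ n = 'Mask';  e = { [int]$_.'msDS-SupportedEncryptionTypes' } },
    @{ n = 'Types'; e = { ConvertFrom-EncTypeMask ([int]$_.'msDS-SupportedEncryptionTypes') } } |
    Format-Table -AutoSize

# Accounts with neither AES bit set get the value 24 (AES128 + AES256).
# -WhatIf only previews the change; remove it to write the attribute.
$servers |
    Where-Object { -not ([int]$_.'msDS-SupportedEncryptionTypes' -band $AesBits) } |
    Set-ADComputer -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 } -WhatIf
```

The same pattern applies to user accounts with Get-ADUser and Set-ADUser.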
There is a patch for it from Microsoft: https://support.microsoft.com/en-us/kb/3080079
Answered by duenni on October 4, 2020