How do I change encryption from RC4 to AES in order to allow RDP to my remote servers?

Server Fault Asked by Hourglass on October 4, 2020

I have multiple physical and virtual servers on a company domain. The physical and virtual servers are all still Windows 2008 R2. The clients have all been updated to Windows 10 from Windows 7 in the past couple of weeks.

In order to satisfy STIG requirements, the Active Directory owners pushed a GPO to all of the Windows 10 boxes which disabled RC4 encryption and are now only allowing AES 128/256. They did not push similar GPOs to my Server 2008 R2 machines.

Now our employees cannot RDP into the server to perform routine tasks.

When I asked our IT department how to resolve this, they said that I need to disable RC4 and enable AES 128/256 or any “Future Encryption Types”. However, this is not something I’ve ever handled before. Where and how do I disable RC4 and enable AES in order to restore RDP functionality?

2 Answers

Try setting in the Active Directory object of every user/computer involved the LDAP attribute msDS-SupportedEncryptionTypes to 8 (= 128-bit AES only) or 24 (= 8+16 = 128 and 256-bit AES). In the Active Directory Users and Computers GUI, this corresponds to ticking in the Account tab the boxes "This account supports Kerberos 128/256 encryption.", although you can't easily disable RC4 there as well.

Two notes on choice of encryption types:

  • Nobody actually needs 256-bit AES encryption (16) until quantum computers become available, so in the interest of performance, best enable only 128-bit AES and not 256-bit AES.
  • Disabling RC4 (4) is desirable, because Microsoft's Kerberos RC4 encryption type uses the same password hashes as NTLMv2, so if you had a pass-the-hash/mimikatz attack stealing one of these, Kerberos with RC4 enabled is also vulnerable. The Windows 2000 developers designed the Kerberos RC4 encryption type specifically to be compatible with NTLMv2 hashes, therefore I sleep much better with RC4 switched off everywhere.


Answered by Markus Kuhn on October 4, 2020
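The attribute edit the answer above describes, as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory module is installed and that the caller has write access to the computer object; the computer name SRV2008R2-01 is a placeholder. The bit values are the documented flags of msDS-SupportedEncryptionTypes (4 = RC4-HMAC, 8 = AES128, 16 = AES256).

```powershell
# Added example (not from the original answer): read and set
# msDS-SupportedEncryptionTypes on an AD computer account.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (documented in MS-KILE)
$EncTypeBits = [ordered]@{
    DES_CBC_CRC = 0x01
    DES_CBC_MD5 = 0x02
    RC4_HMAC    = 0x04
    AES128      = 0x08   # 8  = AES128 only
    AES256      = 0x10   # 24 = AES128 + AES256
}

function Get-KerbEncTypes {
    param([Parameter(Mandatory)][string]$ComputerName)
    $attr  = 'msDS-SupportedEncryptionTypes'
    $c     = Get-ADComputer -Identity $ComputerName -Properties $attr
    $value = [int]($c.$attr)   # unset attribute ($null) becomes 0
    $names = $EncTypeBits.GetEnumerator() |
        Where-Object { $value -band $_.Value } |
        ForEach-Object { $_.Key }
    [pscustomobject]@{
        Computer = $ComputerName
        Value    = $value
        EncTypes = if ($names) { $names -join ',' } else { '(unset: treated as RC4 by default)' }
    }
}

function Set-KerbEncTypes {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$IncludeAes256,   # add 16 -> value 24
        [switch]$KeepRc4          # add 4 only if something still needs RC4
    )
    $value = $EncTypeBits.AES128
    if ($IncludeAes256) { $value = $value -bor $EncTypeBits.AES256 }
    if ($KeepRc4)       { $value = $value -bor $EncTypeBits.RC4_HMAC }
    Set-ADComputer -Identity $ComputerName -Replace @{ 'msDS-SupportedEncryptionTypes' = $value }
    Get-KerbEncTypes -ComputerName $ComputerName
}

# Before: often unset (0) on accounts created before AES was available
Get-KerbEncTypes -ComputerName 'SRV2008R2-01'

# Advertise AES128 + AES256 (= 24) and show the result
Set-KerbEncTypes -ComputerName 'SRV2008R2-01' -IncludeAes256

# Verification from a Windows 10 client: purge cached tickets, RDP to the
# server, then inspect the TERMSRV/<server> ticket; it should report
# "KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96" rather than RC4.
klist purge
klist
```

The same change can be made with the module's own parameter, `Set-ADComputer SRV2008R2-01 -KerberosEncryptionType AES128,AES256` (and `Set-ADUser` for user accounts). Two caveats: the attribute only advertises which encryption types the account supports; the account's AES keys are derived from its password when the password is set, so an account whose password predates raising the domain functional level to Windows Server 2008 needs a password change before AES tickets can be issued (computer accounts rotate their password automatically, every 30 days by default). And the client-side restriction the question describes is the GPO "Network security: Configure encryption types allowed for Kerberos"; check it with `gpresult /h` on a client if tickets are still refused after the server account advertises AES.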

There is a patch for it from Microsoft:

Answered by duenni on October 4, 2020
