2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. Preface
To improve the security of Remote Desktop and ensure that data is not stolen by attackers, SP1, the latest service pack for Windows Server 2003, adds a security authentication mode to Remote Desktop. This feature lets us use SSL encryption for the data that controls remote servers, making up for the security flaws inherent in the Remote Desktop functionality.
2. Description of problem
In Windows Server 2003 and Windows Server 2008, SSL encryption for Remote Desktop Services is turned off by default and must be configured before it can be used. In Windows Server 2012 it is turned on by default and uses a default CA certificate. Because SSL/TLS itself has vulnerabilities, scanning a Windows Server 2012 host that runs Remote Desktop Services with a vulnerability scanning tool reports SSL/TLS vulnerabilities, as shown in Figure 1:
Figure 1: SSL/TLS vulnerability in Remote Desktop Services (RDP)
3. Solution
Method 1: Use Windows native FIPS instead of SSL encryption
1) Enable FIPS
Operation steps: Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options -> find the option "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" -> right-click "Properties" -> under "Local Security Setting", select "Enabled (E)", then click "Apply" and "OK", as shown in Figure 2:
Figure 2 Enabling FIPS
2) Disable SSL cipher suite
Operation steps: press 'Win + R' to open "Run", type "gpedit.msc" to open the "Local Group Policy Editor" -> Computer Configuration -> Network -> SSL Configuration Settings -> right-click the "SSL Cipher Suite Order" option and choose "Edit" -> in "SSL Cipher Suite Order" select "Disabled (D)", then click "Apply" and "OK", as shown in Figure 3:
Figure 3 Disabling SSL cipher suites
3) Delete default CA certificate
Operation steps: press 'Win + R' to open "Run", type "mmc" to open the management console -> "File" -> "Add/Remove Snap-in (M)" -> under "Available snap-ins" select "Certificates" -> click "Add" -> in "Certificates snap-in" select "Computer account (C)" and click "Next" -> in "Select Computer" select "Local computer (the computer this console is running on) (L)" and click "Finish" -> back in "Add or Remove Snap-ins", click "OK" -> back in the console, go to Certificates (Local Computer) -> Remote Desktop -> Certificates -> right-click the default certificate and choose "Delete".
Figure 4 Delete Default CA Certificate
4) Restart the server and scan the port with nmap. The result is shown in Figure 5, indicating that the modification is successful.
Method 2: Upgrade SSL Encryption CA Certificate
1) Modify SSL cipher suite
Operation steps: press 'Win + R' to open "Run", type "gpedit.msc" to open the "Local Group Policy Editor" -> Computer Configuration -> Network -> SSL Configuration Settings -> right-click "SSL Cipher Suite Order" and choose "Edit" -> in "SSL Cipher Suite Order" select "Enabled (E)" -> under "SSL Cipher Suites", modify the cipher suite list so that only the TLS 1.2 SHA256 and SHA384 cipher suites and the TLS 1.2 ECC GCM cipher suites remain. Delete the existing value and replace it with:
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256"
-> click "Apply" and "OK", as shown in Figure 6:
Figure 6. Modifying SSL cipher suites
2) Delete the default CA certificate
Delete the default CA certificate as described in the "Delete default CA certificate" step of Method 1.
3) Add a new CA certificate
To add a new CA certificate, please refer to https://www.example.com (blog.csdn.net/a549569635/article/details/48831105).
4) Verification
Use a vulnerability scanning tool such as OpenVAS to confirm that the upgrade succeeded.
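The settings changed in Method 1 and Method 2 can also be checked locally before rescanning. The following read-only PowerShell audit is an added example, not part of the original article: it reads the registry values behind the FIPS and "SSL Cipher Suite Order" policies, lists the certificates in the Remote Desktop store, and flags list entries such as TLS_RSA_WITH_NULL_SHA256, which authenticates traffic but does not encrypt it. The helper names `Get-RegValue` and `Test-CipherSuiteList` are hypothetical, and the fallback sample is three entries copied from the list in Method 2.

```powershell
# Added audit example (not from the original article). Read-only; run elevated on the server.
function Get-RegValue {            # hypothetical helper: returns $null if the value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Test-CipherSuiteList {    # hypothetical helper: classify each suite in a policy string
    param([string]$Functions)
    foreach ($name in ($Functions -split ',')) {
        $suite = $name.Trim()
        if (-not $suite) { continue }
        $issues = @()
        if ($suite -match '_WITH_NULL_') { $issues += 'NULL cipher: integrity only, no encryption' }
        if ($suite -match '^TLS_RSA_')   { $issues += 'RSA key exchange: no forward secrecy' }
        if ($suite -match '_CBC_')       { $issues += 'CBC mode: prefer GCM' }
        New-Object psobject -Property @{ Suite = $suite; Issues = ($issues -join '; ') }
    }
}

# Method 1, step 1: "System cryptography: Use FIPS compliant algorithms ..." policy
$fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
'FIPS algorithm policy enabled: {0}' -f ($fips -eq 1)

# Method 1 step 2 / Method 2 step 1: "SSL Cipher Suite Order" policy value
$order = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' 'Functions'
if (-not $order) {
    'SSL Cipher Suite Order policy not set; classifying a sample from the article list instead'
    $order = 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_NULL_SHA256'
}
Test-CipherSuiteList $order | Where-Object { $_.Issues } |
    Format-Table Suite, Issues -AutoSize | Out-String

# Step 3 of both methods: certificates left in the Remote Desktop store
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } },
        @{ n = 'SigAlg';     e = { $_.SignatureAlgorithm.FriendlyName } } |
    Format-List | Out-String
```

A suite that appears in the output with a non-empty Issues column is still offered to clients; a certificate whose SelfSigned column is True is the kind of default certificate the delete step targets.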