Saturday, July 8, 2017

Enabling TLS 1.1/1.2 for RDP in Microsoft Server 2008R2/Windows 7 SP1

I updated the nmap3.py Python script to include RDP on option 1 "ssl-cert,ssl-enum-ciphers". You can find nmap3.py on my Github if you don't have it already.

I ran the script against my Windows 7/Server 2008R2 VMs and found that they were offering up RC4 and MD5 for RDP!

Example with defaults

nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995,3389 192.168.10.135

mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995,3389 192.168.10.135

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-08 10:28 PDT
Nmap scan report for 192.168.10.135
Host is up (0.0052s latency).

PORT     STATE  SERVICE
443/tcp  closed https
465/tcp  closed smtps
993/tcp  closed imaps
995/tcp  closed pop3s
3389/tcp open   ms-wbt-server
| ssl-cert: Subject: commonName=WIN-L6HBT78G89G.pu.pri
| Issuer: commonName=WIN-L6HBT78G89G.pu.pri
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-05-27T19:55:04
| Not valid after:  2017-11-26T19:55:04
| MD5:   6429 05ea b708 ffa1 fb56 cd62 8a7e 8acb
|_SHA-1: c160 c6b5 8d2c 0702 b86b fa8b c717 d25c 44a1 89df
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key
|       Weak certificate signature: SHA1
|_  least strength: C


Nmap done: 1 IP address (1 host up) scanned in 5.74 seconds

Enabling FIPS


Then I enabled FIPS level security per this MS document Tip: Secure RDS (Remote Desktop Services) Connections with SSL. This is worse, as you lose the ECDHE and AES suites and get 3DES and SHA1! 

Example after enabling FIPS


mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995,3389 192.168.97.135

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-08 13:50 PDT
Nmap scan report for 192.168.97.135
Host is up (0.00058s latency).

PORT     STATE  SERVICE
443/tcp  closed https
465/tcp  closed smtps
993/tcp  closed imaps
995/tcp  closed pop3s
3389/tcp open   ms-wbt-server
| ssl-cert: Subject: commonName=FFKN25S
| Issuer: commonName=FFKN25S
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-07-07T19:43:57
| Not valid after:  2018-01-06T19:43:57
| MD5:   835d ab76 7752 5d8a 4a3e d5d9 5fc3 4248
|_SHA-1: ac32 dc26 ae9d 2308 405e 595f 0e9f 4102 f661 8341
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Weak certificate signature: SHA1
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Manually Disable RC4/3DES


Then I found this tool [IIS Crypto] and disabled RC4/Triple DES in the ciphers column. It's still using TLS1.0 but at least it's not offering up RC/3DES.



Example After Running IISCryto


mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995,3389 192.168.97.135

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-08 14:35 PDT
Nmap scan report for 192.168.97.135
Host is up (0.00031s latency).

PORT     STATE  SERVICE
443/tcp  closed https
465/tcp  closed smtps
993/tcp  closed imaps
995/tcp  closed pop3s
3389/tcp open   ms-wbt-server

| ssl-cert: Subject: commonName=FFKN25S
| Issuer: commonName=FFKN25S
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-07-07T19:43:57
| Not valid after:  2018-01-06T19:43:57
| MD5:   835d ab76 7752 5d8a 4a3e d5d9 5fc3 4248
|_SHA-1: ac32 dc26 ae9d 2308 405e 595f 0e9f 4102 f661 8341
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds

Enabling TLS 1.1/1.2


Finally, I found this article How do I disable TLS 1.0 without breaking RDP? which pointed me to this MS KB - KB3080079. That update enabled TLS1.1/1.2. It's really hard to believe that MS thinks a patch to drop RC4 and 3DES is "optional".

mhubbard@1S1K-SYS76:~/Dropbox/Python/Scripts$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995,3389 192.168.97.135

Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-08 15:00 PDT
Nmap scan report for 192.168.97.135
Host is up (0.0021s latency).

PORT     STATE  SERVICE
443/tcp  closed https
465/tcp  closed smtps
993/tcp  closed imaps
995/tcp  closed pop3s
3389/tcp open   ms-wbt-server
| ssl-cert: Subject: commonName=FFKN25S
| Issuer: commonName=FFKN25S
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2017-07-07T19:43:57
| Not valid after:  2018-01-06T19:43:57
| MD5:   835d ab76 7752 5d8a 4a3e d5d9 5fc3 4248
|_SHA-1: ac32 dc26 ae9d 2308 405e 595f 0e9f 4102 f661 8341
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp521r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       Weak certificate signature: SHA1
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds

Setting the RDP server to use TLS


Now that the RDP server is offering up TLS1.2 we need to make a couple changes to the server so that the client will connect using TLS instead of the RDP protocol.

Open gpedit.msc and navigate to "ComputerConfigurationn, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Security"

Then double click on "Set Client Encryption level"

Require use of specific security layer for remote (RDP) Connections. Set it to Negotiate or SSL(TLS 1.0). This will negotiate the highest level that the client supports.


No comments:

Post a Comment