RDP Issue in W7?

SaSkiller (OSWP, GPEN, GWAPT, GCIH), Member, Posts: 337
So I have a box running Windows 7, and a server running WS2k8R2. I've always been able to jump into it using RDP. The server isn't really open to the internet so I'm not worried about a security angle, but if something is indicative of it, let me know.

Today (and once before) I am unable to RDP into the server. I can connect to it through the mapped drive I have on the laptop, but can't RDP from that system to the server. I saw the server was pulling down an IPv6 address so I tried disabling that on both sides, I tried turning off the firewall on both sides, power cycles, and moving to a wired-only connection. I did a PCAP and all I can tell is that the system is sending a reset; I can say that the error is thrown while it is attempting to secure the connection. I wonder if maybe a recent Windows update messed with the authentication of RDP, not sure. I also checked and the server is configured to allow RDP connections.

Thoughts?
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.

Comments

  • john_miranda, Member, Posts: 20
    Hmmm....I would check DNS, RDP/account permissions, IPs.
  • SaSkiller (OSWP, GPEN, GWAPT, GCIH), Member, Posts: 337
    Well, I don't think any of that is it. The PC can resolve web names as well as the name of the server itself, it's pulling an IP and the IP can be pinged from the box. Also I can reach the server through a drive mapping. As far as RDP and account permissions, there are only 2 accounts, and the one I'm using is the Admin account, which I can log in with locally.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • Nightflier101BL, Member, Posts: 134
    What is the exact error you're receiving? Check the Windows logs? It sounds like it might be account/permissions related. Also, you said "once before" you were unable to RDP - what was done to fix it/what was the issue then or what has changed between then and now?
  • SaSkiller (OSWP, GPEN, GWAPT, GCIH), Member, Posts: 337
    So the exact error is the standard "This computer can't connect to the remote computer." I cleared out the event logs and saw that when I attempt to connect I get schannel TLS errors. It appears that there is an issue with TLS or schannel. The issue occurs with any client that attempts to RDP into the box. And I can see there is a successful authentication. I downloaded KB308007 as I thought that would allow me to use TLS 1.2 (as the server claims it is 1.0, but I think it's just legacy terminology).

    Specific errors from event log: 36874, 36888, and 36888

    EDIT: I think I know the problem and a workaround. The problem is that when I did a Nessus scan of the server it warned me about vulnerable cipher suites. I took the weak ones out of the list.

    Undoubtedly W7 is still attempting some of these, causing the issue.

    Workaround: if I set the GPO to RDP encryption rather than SSL/TLS, then it allows me to connect. I think I'm going to try to get them to negotiate and settle on higher encryption, we'll see.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • apr911, Member, Posts: 380
    Chances are it's actually server side... The machine cert issued for RDP negotiation gets very finicky when you start messing with ciphers, especially if the cert is from when the OS was installed (as most of them are).

    I'd try launching the Certificate management snap-in and deleting the machine cert on the server, then disable RDP access and apply it, enable RDP access and apply it and reboot. The machine should generate a new cert and the new cert will likely work.

    It's worked for me in the past, will probably work for you...
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
  • Mike7, Member, Posts: 1,096
    SaSkiller wrote: »
    I cleared out the event logs and saw that when I attempt to connect I get schannel TLS errors. It appears that there is an issue with TLS or schannel. The issue occurs with any client that attempts to RDP into the box. And I can see there is a successful authentication. I downloaded KB308007 as I thought that would allow me to use TLS 1.2 (as the server claims it is 1.0, but I think it's just legacy terminology).

    EDIT: I think I know the problem and a workaround. The problem is that when I did a Nessus scan of the server it warned me about vulnerable cipher suites. I took the weak ones out of the list.

    Workaround: if I set the GPO to RDP encryption rather than SSL/TLS, then it allows me to connect. I think I'm going to try to get them to negotiate and settle on higher encryption, we'll see.

    The problem is that RDP SSL/TLS encryption or NLA authentication in Windows Server 2008 R2 only supports TLS 1.0. Nessus requires you to disable TLS 1.0 in support of the new PCI DSS.

    You can install KB3080079 (Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2) to allow RDP to support TLS 1.1/1.2 on the server.

    On the Windows 7 client, you need to install the RDC 8.0 update (KB 2592687 Remote Desktop Protocol (RDP) 8.0 update for Windows 7 and Windows Server 2008 R2) for RDP client TLS 1.2 support. Without the update, your Windows 7 client can only use TLS 1.0.


    You missed the client update. Do try it and let us know the result.
  • SaSkiller (OSWP, GPEN, GWAPT, GCIH), Member, Posts: 337
    I'll try both of these tonight.
    OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio.
  • Mike7, Member, Posts: 1,096
    SaSkiller, hope you resolved it.

    Anyway, I just tried the same thing on a Windows Server 2008 R2 and it works.
    Steps below for your reference
    1. Apply KB3080079 update and reboot
    2. Disable TLS1.0 and below. I used IIS Crypto to modify and reboot
    3. Use updated RDP client. Run, MSTSC. Click top left, About. You should get Remote Desktop Protocol 8.1 supported.
    4. Use SSLScan to verify that TLS1.0 is disabled. (i.e. sslscan -rdp <IP>:3389)
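
The verification in step 4, sketched in Python as an added example (not part of the original post and not sslscan's code): RDP negotiates its security layer in an X.224 exchange before any TLS record is sent, so a version check has to speak that preamble first. The function names and the sample response bytes are constructed for illustration; the failure code shown is what a server set to RDP encryption only (the GPO workaround above) returns.

```python
import socket, ssl, struct

PROTOCOL_RDP, PROTOCOL_SSL = 0x0, 0x1      # requestedProtocols values (MS-RDPBCGR)
SSL_NOT_ALLOWED_BY_SERVER = 0x2            # failure code: server offers RDP encryption only

# Constructed sample Connection Confirm packets, for offline parsing.
SAMPLE_TLS_OK = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 01 00 00 00")
SAMPLE_SSL_NOT_ALLOWED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 02 00 00 00")

def build_neg_request(protocols=PROTOCOL_SSL):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)   # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_neg_response(data):
    """Return ("selected", protocol) or ("failure", code) from the server's reply."""
    if len(data) < 11 or data[0] != 3 or data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(data) < 19:                     # no negotiation block: legacy RDP security
        return ("selected", PROTOCOL_RDP)
    kind, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    return ("selected" if kind == 0x02 else "failure", value)

def rdp_accepts_tls(host, version, port=3389, timeout=5):
    """True if the RDP listener completes a handshake pinned to `version`.

    A False for TLS 1.0 is only meaningful if the local OpenSSL build can still
    speak TLS 1.0; otherwise the handshake fails on the client side.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # testing protocol version only, not the cert
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0") # let the client offer legacy versions
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_neg_request(PROTOCOL_SSL))
        if parse_neg_response(sock.recv(1024)) != ("selected", PROTOCOL_SSL):
            return False                   # server refused the TLS security layer
        try:
            with ctx.wrap_socket(sock):
                return True
        except (ssl.SSLError, OSError):
            return False

# Live use against your own server, e.g.:
#   rdp_accepts_tls("<IP>", ssl.TLSVersion.TLSv1)    -> expect False after step 2
#   rdp_accepts_tls("<IP>", ssl.TLSVersion.TLSv1_2)  -> expect True after step 1
```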