Will Remote Desktop (RDP) continue to work after using IIS Crypto? Yes. The default security layer in RDP is set to Negotiate, which supports both SSL (TLS 1.0) and the RDP Security Layer. However, if you set the security layer to SSL (TLS 1.0) and disable TLS 1.0 in IIS Crypto, you may be unable to connect to RDP if you are using Windows Server 2008. To check your settings, open Remote Desktop Session Host Configuration in Administrative Tools and double click RDP-Tcp under the Connections group. If it is set to SSL (TLS 1.0) and you are running Windows Server 2008, make sure that you have installed TLS 1.1 and 1.2 support. Network Level Authentication only supports the SSL (TLS 1.0 and above) security layer.

What if you need to disable TLS 1.0 on a Windows Server 2012 R2 machine that has Remote Desktop Services configured? You may find that as soon as TLS 1.0 is disabled, RDP stops working and the Remote Desktop Connection Broker service fails to start. After an hour of searching I found the cause: when RDS is configured without HA, the Connection Broker uses Windows Internal Database (WID) as its back end, and that WID does not support TLS 1.1/1.2. This is a known issue, described by Microsoft here: https://support.microsoft.com/en-us/help/4036954/disabling-tls1-0-can-cause-rds-connection-broker-or-rdms-to-fail

Be aware that the other fixes you will find online are unrelated to this problem: enabling FIPS mode through the Local Security Policy and switching the RDP security layer from SSL to RDP Security Layer do nothing here. The solution I chose was to configure RDS with HA, using SQL Server 2017 Express as the database on the same server. I didn't actually need HA; I just needed to be rid of WID so I could disable TLS 1.0 on the server.
If you don't use a connection broker you will be limited in RDS features, as described here: https://support.microsoft.com/en-us/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service

3. Install SQL Server Management Studio (SSMS-Setup-ENU.exe).

4. Open SQL Server Management Studio and connect to the instance. Expand Security > Logins, right click NETWORK SERVICE and select Properties. Under Server Roles, check the dbcreator role. The Connection Broker service runs as NETWORK SERVICE, which is why that login has to be able to create the RCDB database.

5. Create the folder C:\RCDB, right click it, go to Properties > Security > Edit, and add the NETWORK SERVICE user with Full Control.

6. Launch SQL Server Configuration Manager and navigate to SQL Server Network Configuration > Protocols for SQLEXPRESS. Right click TCP/IP, select Properties and switch to the IP Addresses tab. At the bottom, under IPALL, clear TCP Dynamic Ports and set TCP Port to 1433. Click OK, then right click TCP/IP and click Enable. Restart the SQL Server service. The connection string in the next step uses SERVER=localhost with no instance name, so it only reaches the instance because the instance now listens on the default port 1433.

7. Open Server Manager and navigate to Remote Desktop Services > Overview. Right click RD Connection Broker and select Configure High Availability. Enter the following when prompted:

Database connection string:
DRIVER=SQL Server Native Client 11.0;SERVER=localhost;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;Database=RCDB

Folder to store database files: C:\RCDB

DNS round robin name: yourservername.yourdomain (for a single server this is simply the server's own FQDN)

The driver named in the connection string has to be present on the broker. If the wizard cannot connect to the database, check that SQL Server Native Client 11.0 is listed under Drivers in the ODBC Data Source Administrator.

8. If everything is successful you should be all done! The broker is now using SQL Server instead of WID.

9. Run IIS Crypto and select the PCI 3.2 template, then re-check TLS 1.1 for both Client and Server.

10. Reboot, make sure RDP still works, and confirm that TLS 1.0 is disabled with testssl.sh (./testssl.sh --fast myserver.mydomain:3389).

These are some common errors you may see in Event Viewer when troubleshooting the initial issue of RDS not starting, if you disabled TLS 1.0 before following the above steps:

The Remote Desktop Management Service fails to start with Error code: 0x88250003.
Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.

A fatal error occurred while creating an SSL client credential. The internal error state is 10013. (This is Schannel event ID 36871, logged when the broker tries to open a TLS client connection to WID and no mutually supported protocol version is left.)
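Steps 4 to 8 above can also be done from PowerShell instead of clicking through SSMS, Configuration Manager and Server Manager. The script below is an added example, not code from the original post or from Microsoft. It assumes it runs on the RDS server itself, in an elevated session as a domain admin, that SQL Server 2017 Express is installed as the default SQLEXPRESS named instance (instance ID MSSQL14.SQLEXPRESS, service MSSQL$SQLEXPRESS) and that sqlcmd.exe is on the PATH; the variable values are assumptions to adjust if your installation differs.

```powershell
# Added example, not from the original post: steps 4 to 8 as a script run on the
# RDS server itself, in an elevated PowerShell session, as a domain admin.
# Assumptions: SQL Server 2017 Express is the default SQLEXPRESS named instance
# (instance ID MSSQL14.SQLEXPRESS), sqlcmd.exe is on the PATH, and this machine
# is the broker. Adjust the variables below if any of that differs.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$DbFolder    = 'C:\RCDB'
$InstanceId  = 'MSSQL14.SQLEXPRESS'   # assumption: SQL Server 2017 Express default instance ID
$ServiceName = 'MSSQL$SQLEXPRESS'     # assumption: matching service name
$SqlInstance = 'localhost\SQLEXPRESS'
$BrokerFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# Same connection string as step 7. SERVER=localhost carries no instance name, so it
# only reaches the instance because step 6 pins it to the default port 1433.
$ConnString  = 'DRIVER=SQL Server Native Client 11.0;SERVER=localhost;Trusted_Connection=Yes;' +
               'APP=Remote Desktop Services Connection Broker;Database=RCDB'

# Precondition: the ODBC driver named in the connection string must exist on the broker.
if (-not (Get-OdbcDriver -Name 'SQL Server Native Client 11.0' -Platform '64-bit' -ErrorAction SilentlyContinue)) {
    throw 'SQL Server Native Client 11.0 is not installed; the broker cannot use this connection string.'
}

# Step 5: database folder with Full Control for NETWORK SERVICE (the account the broker runs as).
New-Item -ItemType Directory -Path $DbFolder -Force | Out-Null
icacls $DbFolder /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)F' | Out-Null

# Step 6: enable TCP/IP on static port 1433. These are the registry values that
# SQL Server Configuration Manager writes; the instance must be restarted afterwards.
$tcpKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib\Tcp"
Set-ItemProperty -Path $tcpKey -Name 'Enabled' -Value 1 -Type DWord
Set-ItemProperty -Path "$tcpKey\IPAll" -Name 'TcpDynamicPorts' -Value '' -Type String
Set-ItemProperty -Path "$tcpKey\IPAll" -Name 'TcpPort' -Value '1433' -Type String
Restart-Service -Name $ServiceName -Force

# Step 4: make sure the NETWORK SERVICE login exists and give it dbcreator so the
# broker can create RCDB. sqlcmd -b returns a non-zero exit code on a T-SQL error.
$tsql = "IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'NT AUTHORITY\NETWORK SERVICE') " +
        "CREATE LOGIN [NT AUTHORITY\NETWORK SERVICE] FROM WINDOWS; " +
        "ALTER SERVER ROLE dbcreator ADD MEMBER [NT AUTHORITY\NETWORK SERVICE];"
sqlcmd -S $SqlInstance -E -b -Q $tsql
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }

# Step 7: move the broker off WID onto SQL Server. This is what the Configure High
# Availability wizard does; for a single server the client access name is its own FQDN.
Import-Module RemoteDesktop
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $BrokerFqdn `
    -DatabaseConnectionString $ConnString `
    -DatabaseFilePath $DbFolder `
    -ClientAccessName $BrokerFqdn

# Step 8: confirm the broker now reports the SQL connection string rather than WID.
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $BrokerFqdn | Format-List

# Only after this succeeds is it safe to disable TLS 1.0 (step 9) and reboot (step 10).
```

The script deliberately stops at step 8: the whole point of the post is that TLS 1.0 must stay enabled until the broker no longer depends on WID, so disabling it is left to IIS Crypto afterwards, exactly as in steps 9 and 10.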
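The check in step 10 can also be made without testssl.sh. RDP does not start TLS on connect: the client first sends an X.224 Connection Request carrying an RDP negotiation request (MS-RDPBCGR 2.2.1.1), and only after the server's RDP_NEG_RSP does the TLS handshake begin, which is why a plain TLS probe against port 3389 gets nothing back. The script below is an added example, not code from the original post or from testssl.sh: it performs that negotiation and then attempts a handshake at TLS 1.0, 1.1 and 1.2, reporting which versions the server accepts. The host name is an assumption to replace. Run it from a machine whose own TLS 1.0 client side is still enabled; run from the hardened server itself, the TLS 1.0 attempt fails locally and proves nothing about the server.

```powershell
# Added example, not from the original post: the step-10 check done from PowerShell.
# Performs the X.224 Connection Request that precedes TLS on RDP, then tries a TLS
# handshake at each protocol version. Run it from a client that still allows TLS 1.0.
param(
    [string]$Server = 'myserver.mydomain',   # assumption: the RDS host from step 10
    [int]$Port = 3389
)

function Test-RdpTlsVersion {
    param(
        [string]$Server,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $client.ReceiveTimeout = 5000
    try {
        $stream = $client.GetStream()
        # TPKT (4 bytes) + X.224 CR (7) + RDP_NEG_REQ (8). requestedProtocols is
        # PROTOCOL_SSL | PROTOCOL_HYBRID (0x03) so a server that requires NLA still
        # answers RDP_NEG_RSP instead of HYBRID_REQUIRED_BY_SERVER; CredSSP runs over TLS too.
        [byte[]]$negReq = 0x03,0x00,0x00,0x13, 0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                          0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00
        $stream.Write($negReq, 0, $negReq.Length)

        # The response (RDP_NEG_RSP or RDP_NEG_FAILURE) is also 19 bytes.
        $resp = New-Object byte[] 19
        $got = 0
        while ($got -lt $resp.Length) {
            $n = $stream.Read($resp, $got, $resp.Length - $got)
            if ($n -le 0) { throw 'connection closed during X.224 negotiation' }
            $got += $n
        }
        # resp[11]: 0x02 = RDP_NEG_RSP, 0x03 = RDP_NEG_FAILURE; resp[15..18]: selectedProtocol (LE)
        if ($resp[11] -ne 0x02 -or $resp[15] -notin @(0x01, 0x02)) {
            throw ('server did not select a TLS-based protocol (type=0x{0:x2} value=0x{1:x2})' -f $resp[11], $resp[15])
        }

        # The RDP certificate is usually self-signed; trust is not what is being tested here.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, { $true })
        try {
            $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
            return [pscustomobject]@{ Requested = $Protocol; Accepted = $true;  Negotiated = $ssl.SslProtocol }
        } catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
            # Schannel on the server refused the version (handshake alert or reset connection).
            return [pscustomobject]@{ Requested = $Protocol; Accepted = $false; Negotiated = $null }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-RdpTlsVersion -Server $Server -Port $Port -Protocol $p
}
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Requested -eq 'Tls' -and $_.Accepted }) {
    Write-Warning "TLS 1.0 is still accepted on ${Server}:$Port"
}
if (-not ($results | Where-Object { $_.Requested -eq 'Tls12' -and $_.Accepted })) {
    Write-Warning 'TLS 1.2 was not accepted; clients will not be able to connect once 1.0 and 1.1 are gone'
}
```

After steps 9 and 10 the expected result is Accepted = False for Tls and True for Tls11 and Tls12. If Tls12 is also refused, do not proceed: the broker and every RDP client would be left with no protocol in common.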