Symptom:
Remote Desktop connections fail with an authentication error or a "CredSSP encryption oracle remediation" error after installing the May updates listed below:
Version 1903 and 1909, May 12, 2020—KB4556799 (OS Builds 18362.836 and 18363.836):
https://support.microsoft.com/en-us/help/4556799
Version 1809, May 12, 2020—KB4551853 (OS Build 17763.1217):
https://support.microsoft.com/en-us/help/4551853
Workaround:
1. Ensure that Windows updates containing protections for CVE-2018-0886 (see the link below) are installed on both RDP clients and servers:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
2. Enable the Encryption Oracle Remediation policy setting and change Protection Level on both the clients and servers to gain RDP access.
Group policy path:
Computer Configuration > Administrative Templates > System > Credentials Delegation
Setting name:
Encryption Oracle Remediation
Interoperability Matrix:
3. If you cannot use group policy, you can make the same change by using the registry.
Registry Path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Value:
AllowEncryptionOracle
Data Type:
DWORD
Registry value:
0 – Force updated clients
1 – Mitigated
2 – Vulnerable
Note: Remember to back up the registry before making any change, and restart the system for the change to take effect.
FAQ
1. Customers report that the file version of CREDSSP.DLL reverts to 10.0.14393.0 after installing monthly cumulative updates, and ask whether the new updates contain the CredSSP hardening change introduced in 3B KB 4088787. Why is this occurring?
A1: The CredSSP hardening change is in tspkg.dll, NOT credssp.dll. The table below lists the version of credssp.dll installed by fixes released between March and June.
KB # | KB Article title | CredSSP file version information |
KB 4088787 | March 13, 2018—KB4088787 (OS Build 14393.2125 and 14393.2126) | 10.0.14393.2125 (March 29, 2018) |
KB 4088889 | March 22, 2018—KB4088889 (OS Build 14393.2155) | 10.0.14393.0 (March 22, 2018) |
KB 4096309 | March 29, 2018—KB4096309 (OS Build 14393.2156) | 10.0.14393.0 (March 13, 2018) |
KB 4103723 | May 8, 2018—KB4103723 (OS Build 14393.2248) | 10.0.14393.2248 |
KB 4284880 | June 12, 2018—KB4284880 (OS Build 14393.2312) | 10.0.14393.0 |
All packages contain the same binary contents for the credssp.dll file as the March 2018 "3B" KB 4088787, but the file version for CREDSSP reverts to the RTM version in some monthly updates. This is a minor annoyance. Specifically, the file version inconsistency may trigger some security vulnerability scanners that check binary versions and flag systems as vulnerable if the binary is not updated, even though the contents of the credssp.dll file are the same.
For this reason, the "File changes" section of KB 4093492 was updated with the following text:
The following system files have been changed in this update.
The credssp.dll file remains unchanged. For more information please review the relevant articles for file version information.
Note that KB 4093492 was, and will likely remain, the only KB to get this updated text, even though the CredSSP file version issue may exist in other monthly updates.
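
The registry setting from step 3 and the file-version point from the FAQ can be checked together. The following read-only PowerShell audit is an added example, not part of the original article or Microsoft's guidance; the function names and the System32 location of both DLLs are assumptions of this example.

```powershell
# Added example: read-only audit of the CredSSP settings discussed above.
$RegPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'
# Value meanings as listed in the article.
$Levels = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleLevel {
    # Returns the configured DWORD, or $null when the value is absent.
    $prop = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$ValueName
}

function Get-CredSspBinaryInfo {
    # Assumption: both DLLs live in %SystemRoot%\System32.
    foreach ($name in 'tspkg.dll', 'credssp.dll') {
        $file = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $item = Get-Item -LiteralPath $file
        [pscustomobject]@{
            File        = $name
            FileVersion = $item.VersionInfo.FileVersion
            LastWrite   = $item.LastWriteTime
        }
    }
}

$level = Get-EncryptionOracleLevel
if ($null -eq $level) {
    Write-Output "$ValueName is not set under $RegPath (no explicit policy value)."
} elseif ($Levels.ContainsKey($level)) {
    Write-Output "$ValueName = $level ($($Levels[$level]))"
} else {
    Write-Output "$ValueName = $level (unexpected value, expected 0, 1 or 2)"
}

# A scanner finding based only on the credssp.dll version string should be
# checked against tspkg.dll, where the article says the hardening change is.
Get-CredSspBinaryInfo | Format-Table -AutoSize
```

Run it on both the RDP client and the server, since the article requires the update and the policy setting on both sides.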