CredSSP encryption oracle remediation - error when connecting via RDP to a virtual server (VPS / VDS)
Starting from May 8, 2018, after installing updates on your personal computer, many users of virtual servers running Windows Server encountered the error " CredSSP encryption oracle remediation " when trying to connect to a remote desktop:
In fact, this is not a mistake, but a notification about the security problem of a long-time-not-updated server.
On March 13, 2018, the CredSSP vulnerability information and the first patches for its closure in server operating systems came out. This vulnerability allows to bypass various commands on the server itself on behalf of the transferred accounts, including installing and deleting arbitrary software, changing and deleting data on the server, creating accounts with arbitrary rights.
')
This problem was not encountered by those who timely installed cumulative updates on their server. In March, they were released for server operating systems, for desktop OS they were automatically installed with other updates in May.
To solve a problem, you first need to connect to it. The easiest way to do this is through the emergency mode of working with the server in your personal account - almost every provider of VPS / VDS servers has this. On VPS.house, this is done by simply clicking on the screenshot of the server screen in your account:
Or you can just temporarily disable the blocking notification of a security problem on the computer from which you are trying to connect:
Instructions for those who use the editors of Windows HOME:
Instructions for those who use Windows PRO editors:
After performing these steps on your PC, you will be able to connect to the server as before, but this is not a solution to the security problem .
As soon as you are connected to the server, install the updates as it is done in any desktop version of Windows.
If you get an error when trying to install, check if the Windows Update service is running ( Windows Update ). You can open the list of services along the following path:
If the service does not start, check whether its start is allowed: the status should not be “ Disabled ”.
If you are using Windows Server 2012 R2 or Windows Server 2008 R2 SP1 , then you can install not all updates, but only one that fixes this vulnerability and thereby solve the problem of connecting to the server much faster.
You can download it directly from the Microsoft website on the vulnerability description page :
• update for Windows Server 2012 R2
• update for Windows Server 2008 R2 SP1
If, having read everything described above, you still could not figure out what needs to be done or if nothing happened, you can always re-create the server in your personal account - any cloud service provider also has this function. It exists to get the server clean, as if you just ordered it, it will be empty, all your data will be lost ! You resort to it only when absolutely necessary and in case if nothing important or requiring a long follow-up configuration is stored and working on your server.
All images of Windows Server operating systems on VPS.house by default contain all the latest updates and after re-creating the server there will be no problems with the error "CredSSP encryption oracle remediation" when connecting to it.
In fact, this is not a mistake, but a notification about the security problem of a long-time-not-updated server.
On March 13, 2018, the CredSSP vulnerability information and the first patches for its closure in server operating systems came out. This vulnerability allows to bypass various commands on the server itself on behalf of the transferred accounts, including installing and deleting arbitrary software, changing and deleting data on the server, creating accounts with arbitrary rights.
')
This problem was not encountered by those who timely installed cumulative updates on their server. In March, they were released for server operating systems, for desktop OS they were automatically installed with other updates in May.
To solve a problem, you first need to connect to it. The easiest way to do this is through the emergency mode of working with the server in your personal account - almost every provider of VPS / VDS servers has this. On VPS.house, this is done by simply clicking on the screenshot of the server screen in your account:
Or you can just temporarily disable the blocking notification of a security problem on the computer from which you are trying to connect:
Instructions for those who use the editors of Windows HOME:
[expand]
1. Run on your computer (the volume from which you want to connect to the server) a command prompt as an administrator
2. Type the following text on the command line (can be copied and pasted):
If, as a result of the execution, you received the “Access Denied” error, then you started the command line NOT as administrator (see the screenshot above how the command line runs correctly).
2. Type the following text on the command line (can be copied and pasted):
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2If, as a result of the execution, you received the “Access Denied” error, then you started the command line NOT as administrator (see the screenshot above how the command line runs correctly).
Instructions for those who use Windows PRO editors:
[expand]
1. Open the group policy editor, to do this, type " gpedit.msc " in the command line or in PowerShell or search for it on your PC using the phrase " Edit group policy " or " Change group policy " if you work in the Russian-language interface.
If, after executing this command, you received an error stating that the command was not found or is not an internal or external command, then you have Windows not the PRO version, but most likely HOME and you need to look at the instructions above.
2. In the tree settings folders on the left you need to open:
3. In the Credentials Delegation folder, find the Encryption Oracle Remediation option, open it, enable it, select Enabled and set the value to parameter in the drop-down list on " Vulnerable " ("Leave a vulnerability")
If, after executing this command, you received an error stating that the command was not found or is not an internal or external command, then you have Windows not the PRO version, but most likely HOME and you need to look at the instructions above.
2. In the tree settings folders on the left you need to open:
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation-> -> ->3. In the Credentials Delegation folder, find the Encryption Oracle Remediation option, open it, enable it, select Enabled and set the value to parameter in the drop-down list on " Vulnerable " ("Leave a vulnerability")
After performing these steps on your PC, you will be able to connect to the server as before, but this is not a solution to the security problem .
As soon as you are connected to the server, install the updates as it is done in any desktop version of Windows.
If you get an error when trying to install, check if the Windows Update service is running ( Windows Update ). You can open the list of services along the following path:
Start -> Windows Administrative Tools -> Services-> Windows ->If the service does not start, check whether its start is allowed: the status should not be “ Disabled ”.
If you are using Windows Server 2012 R2 or Windows Server 2008 R2 SP1 , then you can install not all updates, but only one that fixes this vulnerability and thereby solve the problem of connecting to the server much faster.
You can download it directly from the Microsoft website on the vulnerability description page :
• update for Windows Server 2012 R2
• update for Windows Server 2008 R2 SP1
If, having read everything described above, you still could not figure out what needs to be done or if nothing happened, you can always re-create the server in your personal account - any cloud service provider also has this function. It exists to get the server clean, as if you just ordered it, it will be empty, all your data will be lost ! You resort to it only when absolutely necessary and in case if nothing important or requiring a long follow-up configuration is stored and working on your server.
All images of Windows Server operating systems on VPS.house by default contain all the latest updates and after re-creating the server there will be no problems with the error "CredSSP encryption oracle remediation" when connecting to it.
Source: https://habr.com/ru/post/358190/
All Articles