I am currently struggling to get RDP connections working with TLS 1.2 on Server 2008 R2 SP1.
Initially my RDP service (out of the box) allowed connections no better than TLS 1.0.
I am verifying this with an "openssl s_client" connection.
For example, a Server 2012 R2 offers TLS 1.2 if I check against its RDP port. Its RDP version is 6.3.
So I started with installing the Remote Desktop packages version 6.2+6.3 on my Server 2008 R2.
openssl s_client still connects with TLS 1.0 at its best.
Next I tried to configure the Schannel registry to support TLS 1.0, 1.1 and 1.2 via
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
and so on for TLS 1.1, but it still only offers TLS 1.0 on the RDP port.
I restricted the cipher suites via the GPO "Computer../Administrative.../Network/SSL Configuration.../SSL Cipher Suite Order" to be
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_RSA_WITH_NULL_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256
which IMO should implicitly allow only TLS 1.2.
But afterwards the RDP session totally refuses ANY connections. I had to log on to the console and switch off that GPO again.
I read many articles on the net where others had similar problems getting this configuration to work.
Some of them have pretty current postings (2015-AUG).
What's the trick to activating this? It seems to work perfectly on the same RDP version on 2012 R2 servers.
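An added example, my own code and not part of the original post: a PowerShell script that writes the Schannel protocol keys described above with the exact value names Schannel reads (a mistyped name such as "DisabledByDefault " with a trailing space creates a value Schannel never looks at), reads the keys back so any stray value name is visible, and scans the cipher suite order set by the "SSL Cipher Suite Order" GPO for NULL-encryption suites. It assumes an elevated PowerShell session on the 2008 R2 host, and that the GPO stores its list as the comma-separated `Functions` value under `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`. TLS_RSA_WITH_NULL_SHA256 in the list above is such a NULL suite: it authenticates but does not encrypt, so it has no place in a hardened order.

```powershell
# Added example (not from the original post). Enables TLS 1.1 and TLS 1.2 in Schannel
# for the Client and Server roles, then reports the resulting state per protocol.
# Assumes an elevated session on the 2008 R2 host; a reboot is still required afterwards.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    param([Parameter(Mandatory=$true)][string]$Protocol)   # e.g. 'TLS 1.2'
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $SchannelBase "$Protocol\$role"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Schannel honours exactly these two names; "DisabledByDefault " (trailing space) is ignored.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory=$true)][string]$Protocol)
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $SchannelBase "$Protocol\$role"
        $enabled = '<absent>'; $disabledByDefault = '<absent>'; $stray = ''
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            if ($p.PSObject.Properties['Enabled'])           { $enabled = $p.Enabled }
            if ($p.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $p.DisabledByDefault }
            # Any other value name under the key is a typo that Schannel silently ignores;
            # quoting the names makes trailing spaces visible in the report.
            $stray = ($p.PSObject.Properties |
                      Where-Object { $_.Name -notmatch '^(Enabled|DisabledByDefault|PS\w+)$' } |
                      ForEach-Object { '"' + $_.Name + '"' }) -join ','
        }
        New-Object PSObject -Property @{
            Protocol = $Protocol; Role = $role; Enabled = $enabled
            DisabledByDefault = $disabledByDefault; StrayValueNames = $stray
        }
    }
}

# Enable the two newer protocol versions, then show the state of all three.
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Enable-SchannelProtocol -Protocol $_ }
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Select-Object Protocol, Role, Enabled, DisabledByDefault, StrayValueNames |
    Format-Table -AutoSize

# The "SSL Cipher Suite Order" GPO writes its list as a comma-separated 'Functions' value here
# (assumed path). Warn about NULL-encryption suites, which authenticate but do not encrypt.
$CipherPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path $CipherPolicy) {
    $functions = (Get-ItemProperty -Path $CipherPolicy).Functions
    if ($functions) {
        $functions -split ',' | Where-Object { $_ -match '_NULL_' } |
            ForEach-Object { Write-Warning "NULL cipher suite present in policy order: $_" }
    }
}
Write-Host 'Reboot for Schannel protocol changes to take effect, then re-test with openssl s_client.'
```

The script deliberately changes only the protocol keys and leaves the cipher suite order alone, so the two settings can be tested one at a time: after the reboot, probe port 3389 with openssl s_client first with the default suite order, and only then apply a restricted order.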