“Patch Lady” Susan Bradley has some helpful explanations on AskWoody about Microsoft KB4093492, “CredSSP updates for CVE-2018-0886.” She mentions that you can prepare for the updates by setting group policy before they are installed. However, I found that the group policy setting is not available on a domain controller if the update is not installed.
Update May 10, 2018: Please see the updates at the end of the post before applying any group policy!
The problem is that you need the new admx (policy) and adml (resource) files that are delivered with the patch. For group policy wonks, this is no doubt old hat, but for the rest of us:
1. Find a machine with the latest security update installed. If you’re like me, you’re deferring updates, so this may take some hunting. This issue affects all versions of Windows; check CVE-2018-0886 for a list of KB numbers by Windows version. I finally found the update applied to a Windows 7 virtual machine that I allow to update automatically.
2. Copy these two files from that machine to a temporary location:
C:\Windows\PolicyDefinitions\CredSsp.admx (dated 2/9/2018)
C:\Windows\PolicyDefinitions\en-US\CredSsp.adml (dated 2/10/2018; adjust language folder to your local language)
3. On a domain controller, in Windows Explorer, navigate to
a. Rename the current CredSsp.admx to CredSsp.admx.old, or move it to another location.
b. Copy the CredSsp.admx file from the updated machine to this folder.
Note: If you try to open the group policy at this point, you’ll get this error:
You need the resource file too.
4. On a domain controller, in Windows Explorer, navigate to
C:\Windows\SYSVOL\sysvol\<your domain>\Policies\PolicyDefinitions\en-US (or your local language)
a. Rename the current CredSsp.adml to CredSsp.adml.old, or move it to another location.
b. Copy the CredSsp.adml file from the updated machine to this folder.
You should now be able to edit the new group policy:
Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation
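Steps 2 through 4 above are a straightforward file copy into the domain's Group Policy central store, with the old template kept as a backup. The script below is an added example, not part of the original post: run it as a domain admin on a domain controller, and give it the name of a machine that already has the update (a hypothetical `$SourceComputer`, reachable over the `C$` admin share). The central store path follows the pattern quoted in step 4, and the language folder defaults to `en-US` as in the post.

```powershell
# Added example (not from the original post): copy the updated CredSsp.admx/.adml from a
# patched machine into the SYSVOL central store, renaming the existing files to *.old first,
# exactly as steps 2-4 describe.
# Assumptions: $SourceComputer is a patched machine whose C$ share you can read, the central
# store path follows the pattern in the post, and this runs elevated on a domain controller.
param(
    [Parameter(Mandatory)] [string]$SourceComputer,      # hypothetical patched machine name
    [string]$DomainDnsName = $env:USERDNSDOMAIN,          # e.g. corp.example.com (constructed)
    [string]$Language      = 'en-US'                      # adjust to your local language folder
)

$ErrorActionPreference = 'Stop'

$source       = "\\$SourceComputer\C$\Windows\PolicyDefinitions"
$centralStore = "C:\Windows\SYSVOL\sysvol\$DomainDnsName\Policies\PolicyDefinitions"

# The .admx lives in the root of PolicyDefinitions, the .adml in the language subfolder.
$files = @(
    @{ Name = 'CredSsp.admx'; From = $source;                    To = $centralStore },
    @{ Name = 'CredSsp.adml'; From = Join-Path $source $Language; To = Join-Path $centralStore $Language }
)

foreach ($f in $files) {
    $src = Join-Path $f.From $f.Name
    $dst = Join-Path $f.To   $f.Name

    if (-not (Test-Path $src)) {
        throw "Missing $src - is $SourceComputer actually patched for CVE-2018-0886?"
    }

    # Sanity check: the updated templates are dated 2/9/2018 (admx) and 2/10/2018 (adml).
    $stamp = (Get-Item $src).LastWriteTime
    if ($stamp -lt [datetime]'2018-02-09') {
        Write-Warning "$src is dated $stamp, which looks older than the CVE-2018-0886 template."
    }

    # Step 3a / 4a: keep the old template as *.old instead of overwriting it.
    if (Test-Path $dst) {
        $backup = "$dst.old"
        if (Test-Path $backup) { Remove-Item -Path $backup -Force }
        Rename-Item -Path $dst -NewName "$($f.Name).old"
        Write-Host "Backed up $dst -> $backup"
    }

    # Step 3b / 4b: copy the new template into the central store.
    Copy-Item -Path $src -Destination $dst
    Write-Host "Copied $src -> $dst"
}

# Both files must be present; a missing .adml is what produces the "resource file" error.
foreach ($f in $files) {
    $dst = Join-Path $f.To $f.Name
    if (-not (Test-Path $dst)) { throw "Copy failed for $dst" }
}
Write-Host 'Done. Open gpmc.msc: Computer Configuration > Policies > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation.'
```

The date check is only a warning, because a file's timestamp can be changed by the way it was copied; the hard failures are a missing source file and a missing destination after the copy, which are the two cases that leave the policy editor broken.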
Update March 17, 2018
Do not set Encryption Oracle Remediation to Mitigated on unpatched servers or you will lose the ability to RDP from patched clients. See the matrix at the bottom of KB4093492. If the connection fails, Remote Desktop will show this message:
This is accompanied by the following error in the client’s event log:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Event ID: 226
Task Category: RDP State Transition
RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
Set Encryption Oracle Remediation to Vulnerable until the server is patched.
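When RDP breaks after the client is patched, the two things to look at on the client are its effective Encryption Oracle Remediation setting and the event 226 entries quoted above. The script below is an added example, not part of the original post. It assumes the policy is stored under the registry value `AllowEncryptionOracle` in `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters` (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable, as documented in KB4093492), and uses the log name and event ID given in the post.

```powershell
# Added example (not from the original post): on a client that can no longer RDP, report the
# effective CredSSP policy and any recent TerminalServices-RDPClient event 226 handshake
# failures, so a CVE-2018-0886 policy mismatch can be told apart from other RDP problems.
# Assumption: value name and meanings of AllowEncryptionOracle are those from KB4093492.

function Get-CredSspOracleSetting {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
    $value = (Get-ItemProperty -Path $key -Name AllowEncryptionOracle -ErrorAction SilentlyContinue).AllowEncryptionOracle
    switch ($value) {
        0       { 'Force Updated Clients (0)' }
        1       { 'Mitigated (1)' }
        2       { 'Vulnerable (2)' }
        default { 'Not configured (no policy set; clients patched from May 2018 default to Mitigated)' }
    }
}

function Get-CredSspHandshakeFailures {
    param([int]$Hours = 24)
    # Event 226 in this log is the RDPClient_SSL state-transition error shown in the post.
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Id        = 226
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "no events found" as an error, so silence it and return nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TsSslEventHandshakeContinueFailed' } |
        Select-Object TimeCreated, Id, Message
}

"Encryption Oracle Remediation on this client: $(Get-CredSspOracleSetting)"
$failures = @(Get-CredSspHandshakeFailures)
if ($failures.Count -gt 0) {
    Write-Warning "$($failures.Count) RDP TLS handshake failure(s) in the last 24 hours. If the target server is not patched for CVE-2018-0886, patch the server rather than relaxing this client's policy."
    $failures | Format-Table -AutoSize -Wrap
} else {
    'No event 226 handshake failures found in the last 24 hours.'
}
```

Running this on a few affected clients quickly shows whether the failures line up with the May patch being installed on the client side only, which is the situation the May 10 update below describes.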
Update May 10, 2018: PATCH YOUR SERVERS
There has been surprise and alarm in some quarters this week when RDP suddenly stopped working. Most likely this is because your clients got patched but your servers did not, and now in May, as promised, connections will be blocked by default unless both ends are patched. Applying group policy to make the connection Vulnerable is not the best solution. Uninstalling the May client patch is not the best solution. The best solution is to patch your servers at least through the April cumulative updates.
In the end, I wonder whether this group policy setting has caused more grief than it saved. If you do not set any group policy but patch your servers and clients within a few weeks of the patch release, you should not have any issues with RDP.