TLSv1.0 and TLSv1.1 vulnerability

Question asked by Joe Diallo on Jun 3, 2016
Latest reply on Nov 15, 2016 by Kyle Weeks


Hello,

I have two Windows server 2012 R2 servers that currently have the TLS 1.0 and 1.1 vulnerability on port 3389. I have used the following registry edit to disable TLSv1.0 and TLSv1.1:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

Even after adding the above registry entries, the servers are still showing up as vulnerable. I believe these registry hacks are for port 443, not 3389, which is the RDP port. We can't close port 3389 because we need it to RDP to the servers.

Below is the proof from Rapid7:

"Successfully connected to x.x.x.x:3389 over TLSv1.0"

"Successfully connected to x.x.x.x:3389 over TLSv1.1"

Any assistance to remediate these findings without shutting down port 3389 will be appreciated.
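The following is an added example, not code from the post above or from Rapid7. It does two things a practitioner would want next to the .reg snippet: it applies the same SCHANNEL values idempotently (creating the Client and Server keys if they do not exist, and setting DisabledByDefault on both sides, where the post set it only under Server) and reads them back, and it reproduces the scanner's check by attempting a TLS handshake on port 3389 at one specific version. Two assumptions are built in: the hostname is a placeholder, and the 19-byte X.224 Connection Request is the standard RDP negotiation preamble (TPKT header, X.224 CR, RDP_NEG_REQ asking for PROTOCOL_SSL), since an RDP listener will not answer a bare TLS ClientHello. SCHANNEL reads these registry values at startup, so the server must be rebooted before the probe or a rescan says anything about the change, and the probe has to run from a machine whose own client-side TLS 1.0 and 1.1 are still enabled, or .NET will refuse to offer those versions.

```powershell
# Added example (not from the original post): apply and verify the SCHANNEL
# settings, then probe the RDP listener per TLS version the way a scanner does.
# Run the Disable-/Get- functions as Administrator on the server; run the probe
# from another host after the server has been rebooted.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0'
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off for
        # callers that do not name a protocol explicitly. Set on both sides.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = $(if ($null -eq $p) { '(key missing)' } else { $p.Enabled })
            DisabledByDefault = $(if ($null -eq $p) { '(key missing)' } else { $p.DisabledByDefault })
        }
    }
}

function Test-RdpTlsVersion {
    # Returns $true when the RDP listener completes a TLS handshake at exactly $Protocol.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        # RDP does not start with TLS: the client first sends an X.224 Connection
        # Request carrying an RDP Negotiation Request; PROTOCOL_SSL (1) asks for TLS.
        # TPKT header (4) + X.224 CR (7) + RDP_NEG_REQ (8) = 19 bytes.
        $negReq = [byte[]](0x03,0x00,0x00,0x13,
                           0x0E,0xE0,0x00,0x00,0x00,0x00,0x00,
                           0x01,0x00,0x08,0x00,0x01,0x00,0x00,0x00)
        $stream.Write($negReq, 0, $negReq.Length)
        $rsp = New-Object byte[] 19
        $n = $stream.Read($rsp, 0, $rsp.Length)
        # Byte 11 is the RDP_NEG_RSP type: 0x02 = response (TLS selected), 0x03 = failure.
        if ($n -lt 19 -or $rsp[11] -ne 0x02) { return $false }
        # RDP listeners commonly use a self-signed certificate; for a version probe
        # the certificate check is irrelevant, so accept it.
        $ssl = New-Object System.Net.Security.SslStream(
            $stream, $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        return ($ssl.SslProtocol -eq $Protocol)
    } catch {
        return $false   # handshake refused at this version (or no TLS negotiated at all)
    } finally {
        $client.Dispose()
    }
}

# --- on the server (reboot afterwards; SCHANNEL reads these values at startup) ---
'TLS 1.0', 'TLS 1.1' | ForEach-Object { Disable-SchannelProtocol -Protocol $_ }
'TLS 1.0', 'TLS 1.1' | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize

# --- from a probing host after the reboot (hostname is a placeholder) ---
foreach ($v in 'Tls', 'Tls11', 'Tls12') {
    $ok = Test-RdpTlsVersion -ComputerName 'rdp-host.example.test' -Protocol $v
    '{0,-6} {1}' -f $v, $(if ($ok) { 'ACCEPTED' } else { 'refused' })
}
```

After the reboot the expected probe output is "refused" for Tls and Tls11 and "ACCEPTED" for Tls12; if Tls12 is also refused, the listener is left with no usable TLS version and RDP clients will fail to connect, which is why the read-back table is worth checking before restarting. Any RDP client that cannot speak TLS 1.2 will be locked out by this change, so inventory the client population first.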
