Hello,

We've been asked to disable RC4 for certain severs and desktops. I tried this on a Windows 8.1 machine (fully patched) and lost the ability to remote desktop.

How can I switch the cipher used by RD away from RC4?

Hi,

the NARTAC tools - https://www.nartac.com/Products/IISCrypto - should help you to find the right settings.

Even it is saying IISCrypto those settings are for the entire crypto stack in Windows and so it will also change the settings for RDP. Depending on the size of you environment you can than later make those settings also over GPO or use the NARTAC command line tool.

Hth,

Lutz

Lutz,

Thanks for the info. In fact, the tool actually that removing RC4 may impact RDP and instructs you to make the RDP changes yourself.

Thanks

Hi GreaterLogic,

Thanks for LutzMH to share the tool.
In addition, we could configure the following group policy to control the RDP security method.
 Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security \Require use of specific security layer for remote (RDP) connections

Best regards

MeipoXu,

That's exactly what I was looking for. This key seems to be present across all currently supported windows platforms and I think it will do the trick.

One followup question - from my research it RDP only support TLS 1.0. Yet PCI guidance is to use TLS 1.1/1.2 only. http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html

Is there an update to RDP for TLS 1.1/1.2 support?