{"id":5416,"date":"2018-04-10T09:00:52","date_gmt":"2018-04-10T07:00:52","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=5416"},"modified":"2021-06-17T23:03:39","modified_gmt":"2021-06-17T21:03:39","slug":"attention-with-linux-rdp-connections-and-credssp-updates","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/04\/10\/attention-with-linux-rdp-connections-and-credssp-updates\/","title":{"rendered":"Attention with Linux RDP connections and CredSSP updates"},"content":{"rendered":"

[German<\/a>]In advance to the today's patch day a small hint about CredSSP updates for Windows. Microsoft's CredSSP updates can kill remote desktop connections between Linux and Windows. <\/p>\n

<\/p>\n

Some background information about CredSSP<\/h2>\n

\"\"All versions of Windows have a critical vulnerability in the Credential Security Support Provider (CredSSP). The CVE-2018-0886<\/a> vulnerability now allows remote attackers to use RDP and WinRM connections to steal data or run malware. I recently mentioned this topic in the German blog post CredSSP-Sicherheitsl\u00fccke in RDP unter Windows<\/a>.<\/p>\n

Microsoft therefore intends to exclude unpatched systems from RDP connections in future for security reasons. I had mentioned that within the blog post Microsoft will block RDP connections from clients soon<\/a>. The next RDP update is scheduled for April 17. Microsoft has summarized what you need to know in KB4093492<\/a> (CredSSP updates for CVE-2018-0886) for Windows clients and Windows servers.  <\/p>\n

Attention: CredSSP collides with rdesktop<\/h2>\n

According to Wikipedia<\/a>, rdesktop is an open source program that can establish an RDP connection from Unix-like operating systems to Microsoft Windows. Now there is probably a problem in the interaction of rdesktop and the CredSSP changes planned by Microsoft. I came across a warning from an administrator at German site administrator.de. The user wrote (translated): <\/p>\n

\n

KB4093492<\/a> describes necessary patches and policies to secure CredSSP, which is used for RDP connections with Single Sign on.<\/p>\n

If you have patched and secured this in your network, make sure that remote connections from Linux clients (e.g. via rdesktop) are still working. <\/p>\n

Here, on SUSE Leap, no RDP connection to Windows computers can be established unless NLA is disabled on the Windows side.<\/p>\n

Otherwise the error \"CredSSP required by server\" occurs on Linux.
So: for compatibility with rdesktop (if needed) disable NLA, or set the patch to \"mitigated\", not \"Force updated clients\"!<\/p>\n

If you have set the GPO to \"Force updated clients\" and still have compatible Linux RDP clients, I would be very interested to know which ones.<\/p>\n<\/blockquote>\n

Network Level Authentication has been introduced with RDP 6.0 (supported from Windows Vista onward). NLA requires user authentication before a remote desktop session with the server is established (Microsoft describes the advantages here<\/a> – e.g. protection against denial of service attacks). <\/p>\n

NLA uses CredSSP to present the user's credentials to the server for authentication before creating a session. If Microsoft is now patching around with CredSSP, this may affect the RDP connections.  <\/p>\n

\n

During writing this blog post I stumbled uppon this Technet forum thread<\/a>, discussing sporadic issues with Windows 7 RDP connections to Windows Server 2012 R2. There it was a RDS certificate causing issues. It's a different case, but I find the explanations interesting. <\/p>\n<\/blockquote>\n

The error \"CredSSP required by server\" <\/h2>\n

The error \"CredSSP required by server\" is probably a permanent trouble maker between Linux and Windows (according to this article<\/a>). I found the article interesting, because it describes the background and some workarounds. The author of this article suggested freerdp as RDP client, because it works. <\/p>\n

Final words<\/h2>\n

It may be that it's an individual observation (I cannot test anything at the moment for various reasons). So the blog post should be a 'mention' and give you a hint, it things went wrong. You can left a feedback here if necessary whether you are affected and if you have solved it differently. <\/p>\n

Similar articles:<\/strong>
CredSSP-Sicherheitsl\u00fccke in RDP unter Windows<\/a> (German)
Microsoft will block RDP connections from clients soon<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

[German]In advance to the today's patch day a small hint about CredSSP updates for Windows. Microsoft's CredSSP updates can kill remote desktop connections between Linux and Windows.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,921,580,2],"tags":[1358,1361,1360,1359,195],"class_list":["post-5416","post","type-post","status-publish","format-standard","hentry","category-issue","category-linux","category-security","category-windows","tag-credssp","tag-nla","tag-rdesktop","tag-rdp","tag-update"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/5416","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=5416"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/5416\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=5416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=5416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=5416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}