RDS (Terminal Services) – enabled TLS1.1/2 and TLS1.0 disabled
Cases when is TLS1.0 is (needs to be) disabled:
• Systems compliance with PCI-DSS 3.1 which requires TLS 1.0 to be disabled.
• replicating clients environment using TLS.1.1 and TLS 1.2 only
• demanded by the PCI compliance community
What is PCI:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
Solution: Microsoft released the patch for this problem on Sep 15, 2015
Verify TLS state : Use GUI tool IIS Crypto 3.0 at IIS Crypto Tool from Nartac Software: https://www.nartac.com/Products/IISCrypto/
1. “When Enhanced RDP Security is used, RDP traffic is no longer protected by using the techniques
described in section 5.3. Instead, all security operations (such as encryption and decryption, data
integrity checks, and Server Authentication) are implemented by one of the following External
TLS 1.0 (see [RFC2246])
TLS 1.1 (see [RFC4346])
TLS 1.2 (see [RFC5246])
CredSSP (see [MS-CSSP])”
2.” TLS 1.1 is not supported by Windows NT, Windows 2000 Server, Windows XP,
Windows Server 2003, Windows Vista and Windows Server 2008.
3. TLS 1.2 is not supported by Windows NT, Windows 2000 Server, Windows XP,
Windows Server 2003, Windows Vista, and Windows Server 2008″