RDP CredSSP Error

06-12-2018 10:43

Ensure both client & server side have latest patch installed so that RDP can be established in a secure way.

You can find the list of the corresponding KB number for each operating system here: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886


 Alternative Work-arounds

Mitigation 1

If you cannot RDP to  VMs from your patched client, we can consider changing the policy settings on the client to temporarily gain RDP access to the servers. You can change the settings in Local Group Policy Editor. Execute gpedit.msc and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane:

Change the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable:


 Mitigation 2

If it is not possible to access to Local Group Policy Editor on the client (i.e. Windows Home versions), same change can be done through the registry:

REG  ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

After that, whether the established RDP session is secure or not depends on whether server is patched. Remember to un-do this when all the servers are patched.

Tags: credssp, rdp, windows home
Average rating: 0 (0 Votes)

You cannot comment on this entry