This is a fairly unusual scenario in which you need to disable a particular security feature. The situation came about because I needed to rebuild an older server that is not patched out of the box.
CredSSP - what's that?
You can get the full rundown here; this is the overview from Microsoft:
Credential Security Support Provider protocol (CredSSP) is an authentication provider that processes authentication requests for other applications.
A remote code execution vulnerability exists in unpatched versions of CredSSP. An attacker who successfully exploits this vulnerability could relay user credentials to execute code on the target system. Any application that depends on CredSSP for authentication may be vulnerable to this type of attack.
This security update addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.
CredSSP security vulnerability (CVE)
This is the security issue: CVE-2018-0886. It was patched in March 2018, which means that if all of your infrastructure is kept up to date with patches you should not hit this problem; it only appears when an unpatched (or unsupported, and therefore never patched) operating system is involved in the connection.
When you attempt to RDP to a server, the client checks whether the server has this patch. If you have a newly built server with no patching and a client that is patched, you will get this error:
This error is telling you that the client you are connecting from has detected that the server is not patched, so the client declines the connection. If you are using an older client (by older, I mean Server 2012 R2 and earlier) the connection will simply fail and you will not see the error above.
CredSSP: unable to patch due to denied connection
I have just built a server that failed in exactly this way. The operating system of choice was Server 2016, but out of the box that product is RTM (release to manufacturing), which means the server has never seen a Windows update in its life.
This is inherently bad because you now have an unpatched server on your network. At this stage it is not part of our domain; it is still in a workgroup.
This is still not a great position to be in and we need to get it patched. However, we now have the complication of not being able to control it remotely via RDP.
CredSSP bypass: temporary
All the other devices on your network should be fully patched, so the only way to manage this server and get it patched is to temporarily turn off this protection on the client you connect from.
The script needs to be run on the client that is trying to connect to this newly built server. Make sure you run this PowerShell script from an elevated prompt. This is the code:
Script: DisableCredSSP.ps1
# Define the registry key path and value name
# This is the policy key the CredSSP encryption oracle remediation update reads
$credsspRegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
$credsspValueName = "AllowEncryptionOracle"
# AllowEncryptionOracle: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$vulnerableValue = 2
# Create the registry key if it doesn't exist
if (-not (Test-Path $credsspRegistryPath)) {
    New-Item -Path $credsspRegistryPath -Force | Out-Null
}
# Set the registry value (a DWORD) to enable vulnerable mode
Set-ItemProperty -Path $credsspRegistryPath -Name $credsspValueName -Value $vulnerableValue -Type DWord
Write-Host "CredSSP has been set to vulnerable mode (AllowEncryptionOracle set to 2)."
Get-HotFix -ComputerName CredSSP.bear.local
I got two additional updates, as you can see in bold below:
Check Windows Updates in Settings
Once the server is patched, put the client back into secure mode with the same script, setting the value to 0 instead:
Write-Host "CredSSP has been set to secure mode (value set to 0)."
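The disable script and the restore step above are the same operation with a different value, so as an added example (not the original script from this post) here is a single PowerShell script that covers both: it reads the current setting, writes the requested mode, reads it back to confirm the write actually landed, and supports -WhatIf. The registry path and the meaning of the AllowEncryptionOracle values are the ones Microsoft documents for the CredSSP update; the script name, function names and the -Mode parameter are my own choices.

```powershell
<#
  Set-CredSspOracleMode.ps1  (added example, not the original post's script)
  Switches the CredSSP encryption oracle remediation policy on the CLIENT
  you are connecting from. Run from an elevated PowerShell prompt.

  AllowEncryptionOracle values (as documented for the CredSSP update):
    0 = Force Updated Clients  (secure; the patched default)
    1 = Mitigated
    2 = Vulnerable             (temporarily needed to RDP to an unpatched server)
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
    [string]$Mode
)

$regPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$valueName = 'AllowEncryptionOracle'
$modeValue = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleMode {
    # Returns the current setting, or 0 (the patched default) when the
    # policy value has never been written.
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Set-CredSspOracleMode {
    param([string]$Mode)
    $target = $modeValue[$Mode]
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    Set-ItemProperty -Path $regPath -Name $valueName -Value $target -Type DWord
    # Read the value back rather than assuming the write succeeded
    $actual = Get-CredSspOracleMode
    if ($actual -ne $target) {
        throw "Expected $valueName = $target but found $actual"
    }
    return $actual
}

$before = Get-CredSspOracleMode
Write-Host "Current $valueName = $before"

if ($PSCmdlet.ShouldProcess($regPath, "Set $valueName to $($modeValue[$Mode]) ($Mode)")) {
    $after = Set-CredSspOracleMode -Mode $Mode
    Write-Host "$valueName is now $after ($Mode)."
    if ($Mode -eq 'Vulnerable') {
        Write-Warning "This client now accepts unpatched CredSSP servers. Patch the server, then rerun with -Mode ForceUpdatedClients."
    }
}
```

Usage: `.\Set-CredSspOracleMode.ps1 -Mode Vulnerable` before connecting to the unpatched server, then `.\Set-CredSspOracleMode.ps1 -Mode ForceUpdatedClients` once it has been patched. One caveat: this key is the registry side of the "Encryption Oracle Remediation" setting under Computer Configuration > Administrative Templates > System > Credentials Delegation, so if that policy is set by Group Policy on the client, the next policy refresh will overwrite whatever you set here.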