Open ikstream opened 2 weeks ago
RDP also supports external security protocols:
> When Enhanced RDP Security is used, RDP traffic is no longer protected by using the techniques described in section 5.3. Instead, all security operations (such as encryption and decryption, data integrity checks, and server authentication) are implemented by the External Security Protocol.
>
> ...
>
> The benefit of using an External Security Protocol is that RDP developers no longer need to manually implement protocol security mechanisms, but can instead rely on well-known and proven security protocol packages (such as the Schannel Security Package which implements SSL) to provide end-to-end security.
>
> Another key benefit of Enhanced RDP Security is that it enables the use of Network Level Authentication (NLA) when using CredSSP as the External Security Protocol.
>
> When a client connects to a server configured for Enhanced RDP Security, the selected encryption level returned to the client is `ENCRYPTION_LEVEL_NONE`
according to the spreadsheet you have linked in your comment:
> Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'.
>
> BSI, SN 135
Hence, "enhanced RDP security" must be configured, which in turn requires "encryption level: none" to be configured.
When processing RDP nmap scans, the corresponding analyzer will report an encryption level of High as an issue. The default configuration is set to accept only Encryption Level None, if I understand it correctly. I could only find a BSI document (xlsx) which says High is fine for clients and some Microsoft documentation explaining the different levels. Most automated scanners will report only Low and Medium; recon is more restrictive.
Could you elaborate on which basis the rating is based please?
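As an added example (not code from this issue or from the recon project), a small Python parser for nmap's `rdp-enum-encryption` script output that applies the distinction quoted above: the encryption level only governs Standard RDP Security, so it is only reported when "Native RDP" (Standard security, no NLA) is still accepted. The sample scan output and the finding texts are constructed, and treating Low and Client Compatible as the levels worth flagging is an assumption.

```python
import re

# Constructed sample of nmap rdp-enum-encryption output (not from the issue).
SAMPLE_SCAN = """\
| rdp-enum-encryption:
|   Security layer
|     CredSSP (NLA): SUCCESS
|     CredSSP with Early User Auth: SUCCESS
|     Native RDP: SUCCESS
|     RDSTLS: SUCCESS
|     SSL: SUCCESS
|   RDP Encryption level: High
|     128-bit RC4: SUCCESS
|     FIPS 140-1: SUCCESS
|_  RDP Protocol Version: RDP 5.x, 6.x, 7.x, or 8.x server
"""


def parse_rdp_enum(text):
    """Return ({security layer: accepted?}, encryption level) from script output."""
    layers, level, in_layers = {}, None, False
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()      # drop nmap's "|" / "|_" prefixes
        if line == "Security layer":
            in_layers = True
            continue
        m = re.match(r"RDP Encryption level: (.+)", line)
        if m:
            in_layers = False                   # cipher lines follow; not layers
            level = m.group(1).strip()
            continue
        if in_layers and ": " in line:
            name, status = line.rsplit(": ", 1)
            layers[name] = status == "SUCCESS"
    return layers, level


def assess(layers, level):
    """Findings: with Enhanced RDP Security (SSL/CredSSP) the server reports
    ENCRYPTION_LEVEL_NONE, so the level is only meaningful when Standard RDP
    Security ("Native RDP") is still negotiable. Flagging Low / Client
    Compatible (Medium) there is an assumption of this example."""
    findings = []
    if layers.get("Native RDP"):
        findings.append("Standard RDP Security accepted: NLA is not enforced")
        if level in ("Low", "Client Compatible"):
            findings.append(f"Standard RDP Security encryption level is {level}")
    if not layers.get("CredSSP (NLA)"):
        findings.append("CredSSP (NLA) not offered by the server")
    return findings
```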