CredSSP encryption oracle remediation

If you’re like me, you have encountered this error remoting into one of your servers.

An Authentication error has occurred. The function requested is not supported.
Remote computer: <servername> This could be due to CredSSP encryption oracle remediation

The quick solution is to patch your host with one of the patches here

If you cannot patch the remote server and perform the mandatory reboot that follows, you can apply the following registry fix instead

Windows Registry Editor Version 5.00


Workaround Warning

After you change the following setting, an unsecured connection is allowed that will expose the remote server to attacks. Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry so that it can be restored if problems occur.


Scenario 1: Updated clients cannot communicate with non-updated servers

The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediation policy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.

To work around this issue, follow these steps:

  1. On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:

  1. Open a Command Prompt window as Administrator.
  2. Run the following command to add a registry value:
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Scenario 2: Non-updated clients cannot communicate with patched servers

If the Azure Windows VM has this update installed, and it rejects connections from non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:

  1. On any Windows computer that has PowerShell installed, add the IP of the VM to the WinRM client's TrustedHosts list:
    Set-item wsman:\localhost\Client\TrustedHosts -value <IP>
  2. Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
  3. On the Windows computer, connect to the VM by using PowerShell:
    For HTTP:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName "<<Public IP>>" -port "5985" -Credential (Get-Credential) -SessionOption $Skip
    For HTTPS:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck
    Enter-PSSession -ComputerName "<<Public IP>>" -port "5986" -Credential (Get-Credential) -useSSL -SessionOption $Skip
  4. Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name "AllowEncryptionOracle" -Value 2 -Type DWord


CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability


A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker could exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Download patches here

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

I have noticed that this patch has been disruptive to system owners who use remote desktop to access and manage servers. Installing the patch on a client host without having it installed on the remote endpoint will end in an error preventing you from accessing them.


It's best to upgrade endpoints (servers) before client systems.
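The workaround in Scenario 1 and 2 leaves the registry value at 2 ("Vulnerable"), and Microsoft's guidance above is to move everything to "Force updated clients" (0) or "Mitigated" (1) once both sides are patched. The following PowerShell is an added example, not code from the original post or from Microsoft's documentation; it audits the AllowEncryptionOracle value across a list of hosts, flags any still set to 2, and lets you restore a safe level in one pass. It assumes WinRM is reachable on the targets and that the caller is a local administrator there; the host names in the usage comment are placeholders.

```powershell
# Added example: audit and restore the CredSSP "Encryption Oracle Remediation"
# registry setting after patching. Assumes WinRM access and admin rights.

$RegPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'

# Meaning of the DWORD as shown in the Group Policy editor.
$LevelNames = @{
    0 = 'Force Updated Clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspOracleLevel {
    # Reads the value on each target. $null means the value is absent, so the
    # default behaviour of the installed build applies rather than this policy.
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        $raw = $null
        if (Test-Path $Path) {
            $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        }
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; RawValue = $raw }
    } -ArgumentList $RegPath, $ValueName |
    ForEach-Object {
        $level = if ($null -eq $_.RawValue) { 'Not configured (build default)' }
                 elseif ($LevelNames.ContainsKey([int]$_.RawValue)) { $LevelNames[[int]$_.RawValue] }
                 else { "Unknown ($($_.RawValue))" }
        [pscustomobject]@{
            Computer = $_.Computer
            RawValue = $_.RawValue
            Level    = $level
            NeedsFix = ($_.RawValue -eq 2)   # still on the temporary workaround
        }
    }
}

function Set-CredSspOracleLevel {
    # Writes 0 (Force Updated Clients) or 1 (Mitigated). Level 2 is rejected by
    # ValidateSet so this helper cannot be used to re-apply the workaround.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Level
    )

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name, $Value)
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
        "$env:COMPUTERNAME -> $Name = $Value"
    } -ArgumentList $RegPath, $ValueName, $Level
}

# Usage (host names are constructed placeholders):
# Get-CredSspOracleLevel -ComputerName 'rdp-srv-01', 'rdp-srv-02' | Format-Table
# Get-CredSspOracleLevel -ComputerName 'rdp-srv-01', 'rdp-srv-02' |
#     Where-Object NeedsFix |
#     ForEach-Object { Set-CredSspOracleLevel -ComputerName $_.Computer -Level 1 }
```

Run the audit first so you can confirm every server has the update installed before raising the level; tightening a client to 0 while an unpatched server remains will bring back the "encryption oracle remediation" error from the top of the post.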



Happy #NationalPasswordDay!

Today is NationalPasswordDay 2018 – May 3, 2018

The following is a list of good practices designed to keep individuals and their data safe online.

Email Security

  • Avoid opening emails, downloading attachments, or clicking on suspicious links sent from unknown or untrusted sources.
  • Verify unexpected attachments or links from known senders by contacting them via another method of communication.
  • Avoid providing your email address, phone number, or other personal information to unknown sources.
  • Avoid providing sensitive information to anyone via email. If you must, be sure to encrypt it before sending.
  • Be skeptical of emails written with a sense of urgency and requesting an immediate response, such as those stating your account will be closed if you do not click on an embedded link or provide the sender with sensitive information.
  • Beware of emails with poor design, grammar, or spelling.
  • Ensure an email’s “sender name” corresponds to the correct email address to identify common email spoofing tactics.
  • Never open spam emails; report them as spam and/or delete them. Do not respond to spam emails or use included “Unsubscribe” links, as this only confirms to the spammer that your email address is active and may exacerbate the problem.

Passwords and Multi-Factor Authentication

Use strong passwords on all of your accounts.

  • Long, complex passwords make you less susceptible to brute-force attacks.
  • Use a combination of upper and lowercase letters, numbers, and special characters.
  • Avoid easy-to-guess elements like pets’ names, children’s names, birthdays, etc.

To reduce the risk of account compromise, account holders should:

  • Avoid using the same password across multiple accounts or platforms.
  • Never share their password with anyone, leave passwords out in the open for others to read, or store them in an unsecured, plaintext file on computers or mobile devices.
  • Consider using long acronyms or passphrases to increase the length of your password.
  • Enable two-factor authentication (2FA) or multi-factor authentication (MFA) on all accounts that offer it. This will help prevent unauthorized access in the event of a credential compromise.

On the Web

  • Ensure any websites requesting the insertion of account credentials and those used to conduct transactions online are encrypted with a valid digital certificate to ensure your data is secure. These website addresses will have a green padlock displayed in the URL field and will begin with https.
  • Avoid saving account information, such as passwords or credit card information, in web browsers or browser extensions.
  • Avoid using public computers and public Wi-Fi connections to log into accounts and access sensitive information.
  • Consider using ad-blocking, script-blocking, and coin-blocking browser extensions, to protect systems against malicious advertising attacks and scripts designed to launch malware or mine cryptocurrency. Example: PiHole
  • Sign out of accounts and shut down computers and mobile devices when not in use. Program systems and devices to automatically lock the active session after a set period of inactivity.

Device Security

  • Keep all hardware and software updated with the latest, patched version.
  • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version.
  • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files if needed.

For more info:


vSphere Integrated Containers

vSphere Integrated Containers provides critical enterprise container infrastructure to help IT Operating teams run both traditional and containerized applications providing a number of benefits:

  • security
  • isolation
  • management
  • speed
  • agility

I am looking forward to getting my hands on this and expanding my knowledge on how vSphere Integrated Containers (VIC) works in the real world. vSphere Integrated Containers includes the following three major components:

  • vSphere Integrated Container Engine: Docker Remote API-compatible engine deeply integrated into vSphere for instantiating container images that are run as VMs
  • Container Management Portal: portal for apps teams to manage the container repositories, images, hosts, and running container instances
  • Container Registry: securely stores container images with built-in RBAC and image replication.

For now it's research time; later I get to have some hands-on fun. Here are some interesting links:

Data Breach: Recommendations on how to protect yourself

This has become an all too common event these days. I am glad my home state has taken the time to inform citizens with recommendations on how to protect ourselves. Here is the latest information from the New Jersey Cybersecurity & Communications Integration Cell (NJCCIC).


Under Armour/MyFitnessPal

Under Armour announced that, in February 2018, an unauthorized party obtained access to data associated with MyFitnessPal user accounts. Information exposed in the breach includes usernames, email addresses, and hashed passwords. The NJCCIC recommends that MyFitnessPal users immediately change the passwords to their accounts and be on alert for phishing campaigns associated with, and resulting from, this breach.


Saks Fifth Avenue and Lord & Taylor

Saks Fifth Avenue and Lord & Taylor department stores released a statement regarding a data breach that resulted in the theft of customer payment card data. According to Gemini Advisory, a cybersecurity firm that specializes in tracking stolen financial data, the compromise likely occurred beginning May 2017 and the majority of stolen payment card information was obtained from the companies’ New York and New Jersey locations. Saks Fifth Avenue and Lord & Taylor will offer impacted customers free credit and web monitoring services, as well as free identity protection services. The NJCCIC recommends affected customers take advantage of the free credit and web monitoring services, as well as the identity protection services offered, monitor their financial accounts for suspicious activity, and notify their card issuers immediately if they notice unauthorized charges made to their accounts.


Panera Bread

On April 2, security researcher Brian Krebs reported that, for at least eight months, Panerabread[.]com had been leaking millions of customer records that included names, email addresses, home addresses, dates of birth, customer loyalty card numbers, and the last four digits of their payment card numbers. In August 2017, another security researcher, Dylan Houlihan, had reportedly notified the company about the data exposure but the company did not address the issue until April 2, 2018. Cybersecurity firm Hold Security suggests that the number of exposed records likely exceeds 37 million and that the data leak may also impact Panera’s commercial division. The NJCCIC recommends all Panera Bread customers monitor their financial accounts and loyalty accounts for suspicious activity and report any unauthorized charges immediately. Additionally, we recommend Panera Bread customers be on alert for phishing campaigns associated with, and resulting from, this data leak.


CareFirst BlueCross BlueShield

CareFirst BlueCross BlueShield reported that, on March 12, 2018, an employee within the company took action on a phishing email and, as a result, may have exposed the personal information of 6,800 of the insurer’s members. The employee’s account was used to send spam emails to recipients who are not associated with CareFirst. The unauthorized access to the employee’s email account could have potentially exposed CareFirst member names, identification numbers, and dates of birth. Eight members’ Social Security numbers may have also been exposed. CareFirst is offering two years of free credit monitoring and identity theft protection services to affected members. The NJCCIC recommends affected members take advantage of the free credit monitoring and identity theft protection services offered.


The above and more can be found here on the NJCCIC site for April Alerts