3.11.36.4.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'

Information

This policy setting specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.

The recommended state for this setting is: Enabled: High Level

If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Enabled: High Level

Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/16853

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|9.2

Plugin: Windows

Control ID: 2234a3f56afc7e82e955d385bd3beed4e99739019810daea993ef5d161db3c95