Encryption Oracle Remediation

Encryption Oracle Remediation

This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection).

Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.

If you enable this policy setting, CredSSP version support will be selected based on the following options:

Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest version.

Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.

Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.

For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660

Supported on: At least Windows Vista

Protection Level:


  1. Force Updated Clients
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
    Value NameAllowEncryptionOracle
    Value TypeREG_DWORD
    Value0
  2. Mitigated
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
    Value NameAllowEncryptionOracle
    Value TypeREG_DWORD
    Value1
  3. Vulnerable
    Registry HiveHKEY_LOCAL_MACHINE
    Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
    Value NameAllowEncryptionOracle
    Value TypeREG_DWORD
    Value2


credssp.admx

Administrative Templates (Computers)

Administrative Templates (Users)