Problem description
A user could not connect to their own machine over RDP at all. Switching the server's security layer to NLA or to TLS made no difference.
Troubleshooting
- One remote-assistance session, which gave no leads.
- The only clue was that the encryption-algorithm negotiation failed: because of various restrictions on the client side, FIPS cannot be supported when the RDP_PROTOCOL encryption method is selected.
- I suggested the user change their encryption settings. Several rounds of back and forth went nowhere; the user insisted FIPS was already turned off:
FIPS is definitely off.
- "Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Security Options \ System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms" is disabled.
- HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled is set to zero.
Solution
In the end, another related option turned up; see the referenced article Increase the security of your Windows Server 2012 Remote Desktop.
To guard against the page going dead, the key information is recorded below. One caveat: the referenced article labels the four values "Security Layer 1-4", but they are the RDP encryption levels (Low, Client Compatible, High, FIPS Compliant) written to MinEncryptionLevel. They are a different setting from SecurityLayer in the same registry key, which selects RDP security (0), Negotiate (1) or TLS (2). The point for this case is that MinEncryptionLevel = 4 forces FIPS 140 algorithms on the listener even when the system-wide FIPS policy is off, so a client that cannot negotiate them is refused.
To change the encryption level, navigate to the following registry value (a DWORD, 1 to 4):
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel
- 1 (Low) – Communications sent from the client to the server are encrypted using 56-bit encryption. Data sent from the server to the client is not encrypted. This setting is not recommended, as it exposes the session to various attacks.
- 2 (Client Compatible) – Communications between the server and the client are encrypted at the maximum key strength supported by the client. Use this level when the Terminal Server runs in an environment containing mixed or legacy clients; it is the default setting.
- 3 (High) – Communications between server and client are encrypted using 128-bit encryption. Use this level when all clients that access the Terminal Server support 128-bit encryption. If this option is set, clients that do not support 128-bit encryption will not be able to connect.
- 4 (FIPS Compliant) – All communication between server and client is encrypted and decrypted with Federal Information Processing Standard (FIPS) 140 validated algorithms. This is the setting to use for maximum security, but only if both machines support this type of encryption; otherwise the connection fails exactly as described above.
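The following PowerShell script is an added example, not code from the original post or from the referenced article. It audits the three server-side listener settings involved in this case (the system FIPS policy, MinEncryptionLevel and SecurityLayer), decides whether the listener is forcing FIPS algorithms, and lowers MinEncryptionLevel from 4 to 3 only in the situation the page describes (FIPS policy off, level 4 set). It assumes the default listener name RDP-Tcp and a Windows Server 2012 or later host where the root\cimv2\TerminalServices WMI namespace exists; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or the referenced article).
# Assumptions: default listener 'RDP-Tcp'; Windows Server 2012+ so that the
# root\cimv2\TerminalServices namespace and Win32_TSGeneralSetting are available.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$FipsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# Value-to-name maps taken from the list above (MinEncryptionLevel) and from the
# SecurityLayer value in the same key.
$EncryptionLevelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$SecurityLayerNames   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }

function Get-RdpListenerSecurity {
    # Read the registry directly so a value pushed by Group Policy or set by hand
    # is seen even when the Remote Desktop UI does not surface it.
    $rdp  = Get-ItemProperty -Path $RdpTcpKey
    $fips = Get-ItemProperty -Path $FipsKey -ErrorAction SilentlyContinue
    $lvl  = [int]$rdp.MinEncryptionLevel
    $sl   = [int]$rdp.SecurityLayer
    [pscustomobject]@{
        FipsPolicyEnabled  = [bool]$fips.Enabled           # Lsa\FipsAlgorithmPolicy\Enabled
        MinEncryptionLevel = $lvl
        EncryptionLevel    = $EncryptionLevelNames[$lvl]
        SecurityLayer      = $sl
        SecurityLayerName  = $SecurityLayerNames[$sl]
        NlaRequired        = [bool]$rdp.UserAuthentication  # 1 = Network Level Authentication
    }
}

function Test-RdpFipsForced {
    param([Parameter(Mandatory)]$Settings)
    # Either switch makes the listener insist on FIPS 140 algorithms, so a client that
    # cannot negotiate them is refused even though the "System cryptography" policy is off.
    $Settings.FipsPolicyEnabled -or ($Settings.MinEncryptionLevel -eq 4)
}

function Set-RdpMinEncryptionLevel {
    param([Parameter(Mandatory)][ValidateSet(2, 3, 4)][uint32]$Level)
    # Level 1 (Low) is deliberately not allowed: server-to-client traffic would be unencrypted.
    # Win32_TSGeneralSetting.SetEncryptionLevel changes the running listener, so new
    # connections use the new level without restarting Remote Desktop Services.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    $r = Invoke-CimMethod -InputObject $ts -MethodName SetEncryptionLevel `
                          -Arguments @{ MinEncryptionLevel = $Level }
    if ($r.ReturnValue -ne 0) { throw "SetEncryptionLevel returned $($r.ReturnValue)" }
}

# --- audit first, then change only the case this page describes ---
$before = Get-RdpListenerSecurity
$before | Format-List

if (-not (Test-RdpFipsForced $before)) {
    'Listener does not require FIPS algorithms; the failure lies elsewhere (firewall, certificate, client).'
}
elseif ($before.FipsPolicyEnabled) {
    Write-Warning 'System FIPS policy is on; lowering MinEncryptionLevel alone will not help. Clear the policy first.'
}
else {
    Write-Warning 'MinEncryptionLevel=4 is forcing FIPS while the FIPS policy is off; dropping to 3 (High, 128-bit).'
    Set-RdpMinEncryptionLevel -Level 3
    Get-RdpListenerSecurity | Format-List
}
```

Run it on the server, not on the client. The script prefers the WMI method over writing the DWORD so the change applies to the live listener, and it refuses level 1 because, as the list above notes, that level leaves server-to-client traffic in the clear. If both the policy and level 4 are set, the policy wins, which is why it checks the policy before touching the level.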
后記
想開(kāi)發(fā)RDP,不熟悉Windows Server的配置,的確會(huì)遇到許多問(wèn)題。所以,如果有志于開(kāi)發(fā)RDP應(yīng)用的人,我的建議是,熟練掌握Windows Server RDS和Security的配置很重要。