πΌ Management Samenvatting
Encryption Oracle Remediation = force patched CredSSP clients - fixes CVE-2018-0886 (RDP/WinRM credential relay attack).
Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
8u (tech: 3u)
Van toepassing op:
β Windows 10
β Windows 11
β Windows 11
CVE-2018-0886 = CredSSP vulnerability (2018): CredSSP: Protocol used by RDP, WinRM, PowerShell Remoting (credential delegation), Vulnerability: Encryption oracle attack β attacker relays credentials β MITM gains access, Exploitation: Attacker intercepts RDP connection β relays credentials to different server β authenticated as victim. Patch: Microsoft released CredSSP updates (2018), maar requires BOTH client + server patched. Remediation policy: 'Force updated clients': Only allow RDP to servers with patched CredSSP (blocks connections to vulnerable servers), 'Vulnerable': Allow connections to unpatched servers (INSECURE - NOT recommended).
PowerShell Modules Vereist
Primary API: Microsoft Graph API
Connection:
Required Modules: Microsoft.Graph.DeviceManagement
Connection:
Connect-MgGraphRequired Modules: Microsoft.Graph.DeviceManagement
Implementatie
Force updated clients: Policy: Encryption Oracle Remediation: Force Updated Clients, Effect: RDP client ONLY connects to patched CredSSP servers (vulnerable servers = connection refused), Security: Prevents credential relay attacks, Compatibility: Legacy servers without patch = connection fails (UPDATE SERVERS!).
Vereisten
- Windows 10/11
- Intune subscription
- RDP servers: MUST be patched (CVE-2018-0886 updates)
- Testing: Verify all RDP destinations patched
Implementatie
Intune Settings Catalog: System β Credentials Delegation β Encryption Oracle Remediation: Force Updated Clients. Test: RDP to all servers β verify connections succeed (servers patched).
Compliance
Microsoft Security Advisory (CVE-2018-0886), CIS Windows Benchmark, BIO 12.06, NIST SI-2.
Monitoring
Gebruik PowerShell-script encryption-oracle-remediation-is-set-to-enabled-force-updated-clients.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script encryption-oracle-remediation-is-set-to-enabled-force-updated-clients.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- CIS M365: Control Windows - CredSSP (L1) -
- BIO: 12.06.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Intune Update Management: Encryption Oracle Remediation
.DESCRIPTION
CIS - Encryption Oracle moet forceren op updated clients (mitigate CVE-2018-0886).
.NOTES
Filename: encryption-oracle-remediation.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Registry: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle|Expected: 0 (Force Updated)
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert)
$ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"; $RegName = "AllowEncryptionOracle"; $ExpectedValue = 0
function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) }
function Test-Compliance {
$r = [PSCustomObject]@{ScriptName = "encryption-oracle.ps1"; PolicyName = "Encryption Oracle"; IsCompliant = $false; CurrentValue = $null; ExpectedValue = "Force Updated (0)"; Details = @() }; function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v) { $r.CurrentValue = $v.$RegName; if ($r.CurrentValue -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Force updated clients" }else { $r.Details += "Value: $($v.$RegName) (0=Force,1=Mitigate,2=Vulnerable)" } }else { $r.Details += "Niet geconfigureerd" } }else { $r.Details += "Niet geconfigureerd" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r
}
function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Encryption Oracle: Force Updated Clients" -ForegroundColor Green }
function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r }
function Invoke-Revert { Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue }
try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
High: Hoog: CVE-2018-0886 = RDP credential relay attacks (MITM).
Management Samenvatting
Encryption Oracle Remediation: Force updated clients. CVE-2018-0886 fix. Patch all RDP servers. Test connectivity. Implementatie: 3-8 uur.
- Implementatietijd: 8 uur
- FTE required: 0.03 FTE