Versions Compared

Old Version 16

changes.mady.by.user Matthew Grubb

Saved on

compared with

New Version 17

changes.mady.by.user Matthew Grubb

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Div
stylefloat:right; margin: 0 0 50px 50px;


Panel
titleOn This Page

Table of Contents


Background information

The Remote Desktop Servers on hosting are running Windows Server 2016 and it is very important for the end user's PCs to be up to date with Windows Updates. If the latest updates are not installed, the RDP session could appear to freeze regularly (due to message dialog appearing behind the main form) or remote desktop connections could be refused altogether.

Regarding authentication, Microsoft removed support for NTLMv1 in Remote Desktop Services 2012 because it is a significant security risk so it is important to check your network security settings (see LAN Manager Authentication NTLMv2 below) 

Check your Firewall

For Skills Hosting our IP range is: 31.28.78.32/28

For DWP Hosting our IP range is: 146.101.18.32/28

All external communications are via HTTPS TCP 443 and the endpoints have a wildcard SSL certificate with URL *.pellcomp.net

We recommend excluding Pellcomp’s IP addresses or *.pellcomp.net from any deep packet inspection on your corporate Firewalls / Web Proxy network appliances.

LAN Manager Authentication NTLMv2

Starting with Windows Server 2012 clients must use NTLMv2 authentication because NTLMv1 is a significant security risk: 

...

But the most secure and recommended setting is Send NTLMv2 response only. Refuse LM & NTLM.


Installing Windows Updates

There are a few updates which are required to connect to hosting. As they are security related it is highly likely they are already installed on your device.

All Windows versions - Update CVE-2018-0886 security update to CredSSP 

https://support.microsoft.com/en-gb/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Remote Desktop Servers which have security update KB4103723 installed will refuse connections from client PCs which are missing the CredSSP security patch.

To determine if the client PC has the CredSSP security patch installed look for the following Windows update:

  • KB4088776 (Windows 10)
  • KB4088787 (Windows Server 2016)
  • KB4088876 (Windows 8.1 and Windows Server 2012 R2)
  • KB4088875 (Windows 7 SP1 and Windows Server 2008 R2 SP1 - no longer supported)

How to determine if the Updates have been installed previously

This can be done either graphically or via the command line:

Using the GUI

Control Panel > System and Security


Windows Update


View Update History


PowerShell

Rw ui textbox macro

Get-HotFix -Id KB2592687


Command Line

Rw ui textbox macro

wmic qfe | find "2592687"

...