The Remote Desktop Servers on hosting are running Windows Server 2016 and it is very important for the end user's PCs to be up to date with Windows Updates, and on at least Windows 8. If the latest updates are not installed, the RDP session could appear to freeze regularly (due to message dialogs appearing behind the main form) or remote desktop connections could be refused altogether.
Regarding authentication, Microsoft removed support for NTLMv1 in Remote Desktop Services 2012 because it is a significant security risk so it is important to check your network security settings (see LAN Manager Authentication NTLMv2 below)
For Skills Hosting our IP range is: 31.28.78.32/28
For DWP Hosting our IP range is: 146.101.18.32/28
All external communications are via HTTPS TCP 443 and the endpoints have a wildcard SSL certificate with URL *.pellcomp.net
We recommend excluding Pellcomp’s IP addresses or *.pellcomp.net from any deep packet inspection on your corporate Firewalls / Web Proxy network appliances.
Starting with Windows Server 2012 clients must use NTLMv2 authentication because NTLMv1 is a significant security risk:
https://blogs.technet.microsoft.com/miriamxyra/2017/11/07/stop-using-lan-manager-and-ntlmv1/
To display the version being used run secpol.msc or from a command prompt run "RSOP" and under the Computer Configuration → Windows Settings:
Security Settings → Local Policies → Security Options → Network Security: LAN Manager authentication level Properties
PICS Requires this setting to be at least as secure as: Send NTLMv2 response only (which is the default value so blank or "not defined" is also acceptable)
But the most secure and recommended setting is Send NTLMv2 response only. Refuse LM & NTLM.
There are a few updates which are required to connect to hosting. As they are security related it is highly likely they are already installed on your device.
https://support.microsoft.com/en-gb/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
Remote Desktop Servers which have security update KB4103723 installed will refuse connections from client PCs which are missing the CredSSP security patch.
To determine if the client PC has the CredSSP security patch installed look for the following Windows update:
This can be done either graphically or via the command line:
Control Panel > System and Security
Get-HotFix -Id KB2592687 |
wmic qfe | find "2592687" |