Computer and IT knowledge - things to know

how to check the CredSSP (Credential Security Support Provider) encryption oracle setting

CredSSP is used within remote desktop (rdp) connections ...

how to check the CredSSP (Credential Security Support Provider) encryption oracle setting?


(1)
command prompt - with administrative privileges:
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle

(2)
powershell:
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -Name AllowEncryptionOracle

(INFO)
Here is what the different values for AllowEncryptionOracle mean:
0 (Force Updated Clients): Only updated clients (with the CredSSP update) can connect.
1 (Mitigated): Clients without the update can connect, but without CredSSP encryption (less secure).
2 (Vulnerable): No protection, allowing any client to connect (least secure).

In this example, the AllowEncryptionOracle value is 0x2, which corresponds to 2 (Vulnerable).

If the setting is not present, it means the default configuration is being used, which typically corresponds to the most secure setting (i.e., only updated clients are allowed).

computer2know :: thank you for your visit :: have a nice day :: © 2024