Policy

Encryption Oracle Remediation

Microsoft Windows

Back to Credentials DelegationBack to main
Encryption Oracle Remediation
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
System > Credentials Delegation
Supported on
At least Windows Vista

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista

Encryption Oracle Remediation This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. If you enable this policy setting, CredSSP version support will be selected based on the following options: Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest version. Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients. Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients. For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660

Internal name
AllowEncryptionOracle
Policy ID
75fafadc74d8
Elements
1

Registry values

How enabled and disabled states update the registry.

No explicit registry values are set for enabled or disabled states.

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
Protection Level:
ID AllowEncryptionOracleDrop
enum
Path
Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Value name
AllowEncryptionOracle
Type
REG_DWORD
Options: Force Updated Clients (0), Mitigated (1), Vulnerable (2)
Protection Level:
Computer · Type enum
Registry mapping
Path
Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
Value name
AllowEncryptionOracle
Type
REG_DWORD
Details
Options: Force Updated Clients (0), Mitigated (1), Vulnerable (2)