[Windows] [오류] 윈도우 원격 데스크톱 연결 인증 오류 CredSSP 암호화 Oracle 수정 때문일 수 있습니다.

원인

최근 마이크로소프트에서 배포한 보안 업데이트 적용으로 Windows Server에 원격접근 이슈가 발생
보안 업데이트의 내용은 CredSSP버전에서 원격 코드 실행 취약성이 발견되어 배포되는 부분으로 클라이언트와 서버간의 인증 프로토콜이 강화되는 내용

오류화면

[Window Title]
원격 데스크톱 연결

[Content]
인증 오류가 발생했습니다.
요청한 함수가 지원되지 않습니다.

원격 컴퓨터:
CredSSP 암호화 오라클 수정 때문일 수 있습니다.
자세한 내용은 https://go.microsoft.com/fwlink/?linkid=866660를 참조하세요.

원격 CredSSP 인증 오류 해결 방법 1

접속하는 Client PC 의 그룹정책 수정으로 강제 적용 방법

Wins + R 단축키를 사용하여 실행 창을 열고 "gpedit.msc"을 입력 후 확인

컴퓨터 구성 -> 관리 템플릿 -> 시스템 -> 자격 증명 위임 -> Oracle 수정 암호화 편집 클릭



사용 - 보호 수준: "취약" 선택후 확인 클릭

로컬 그룹 정책 편집기 창 종료
윈도우 키 + R 키를 이용하여 실행 창 활성화 => "cmd" 입력 후 엔터

gpupdate /force 입력 후 엔터

원격 데스크톱 연결 접속 확인

원격 CredSSP 인증 오류 해결 방법 2

Client: 사용하는 PC 및 노트북 최신 Windows Update 적용
Server: 최신 Windows Update 적용
원격 데스크톱 연결 접속 확인

[Windows] Windows 랜섬웨어 & SMB 취약점 포트 차단

SMB


네트워크에 연결된 컴퓨터끼리 파일, 프린터, 포트 또는 기타 메시지를 전달하는데 사용된다. 
SMB 프로토콜 원격코드 실행 취약점은 랜섬웨어 공격으로 많이 사용되고 있다.

OS 최신 보안 패치

MS에서 SMB 관련 취약점에 대한 패치는 보안 업데이트로 제공된다.
업데이트가 어려운 서버는 아래 SMB 포트 차단으로 조치 가능하다.

SMB 포트 차단

Powershell ISE에서 아래 내용 복사 후 실행
# updated by Hostway System Team

$Language = Get-WinUserLanguageList
$Lang = $Language.LanguageTag

Switch($Lang)
{
‘ko’
{
Write ‘OS Version’
[Environment]::OSVersion
Write-Verbose -Message “취약점 포트 제거 UDP 137, UDP 138, TCP 139, TCP 445″ -Verbose

netsh advfirewall firewall set rule name=”네트워크 검색(NB-Name-In)” profile=public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Name-In)” profile=private dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Name-In)” profile=public,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Name-In)” profile=private,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Name-In)” profile=private,public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Name-In)” profile=any dir=in localport=137 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Name-In)” profile=public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Name-In)” profile=private dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Name-In)” profile=public,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Name-In)” profile=private,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Name-In)” profile=private,public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Name-In)” profile=any dir=in localport=137 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=private dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=public,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=private,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=private,public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=any dir=in localport=137 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Datagram-In)” profile=public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Datagram-In)” profile=private dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Datagram-In)” profile=public,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Datagram-In)” profile=private,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Datagram-In)” profile=private,public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Datagram-In)” profile=any dir=in localport=138 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=private dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=public,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=private,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=private,public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”네트워크 검색(NB-Datagram-In)” profile=any dir=in localport=138 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”가상 컴퓨터 모니터링(NB-Session-In)” profile=public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”가상 컴퓨터 모니터링(NB-Session-In)” profile=private dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”가상 컴퓨터 모니터링(NB-Session-In)” profile=public,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”가상 컴퓨터 모니터링(NB-Session-In)” profile=private,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”가상 컴퓨터 모니터링(NB-Session-In)” profile=private,public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”가상 컴퓨터 모니터링(NB-Session-In)” profile=any dir=in localport=139 protocol=tcp new enable=no

netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Session-In)” profile=public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Session-In)” profile=private dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Session-In)” profile=public,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Session-In)” profile=private,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Session-In)” profile=private,public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(NB-Session-In)” profile=any dir=in localport=139 protocol=tcp new enable=no

netsh advfirewall firewall set rule name=”파일 및 프린터 공유(SMB-In)” profile=public dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(SMB-In)” profile=private dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(SMB-In)” profile=public,domain dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(SMB-In)” profile=private,domain dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(SMB-In)” profile=private,public dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”파일 및 프린터 공유(SMB-In)” profile=any dir=in localport=445 protocol=tcp new enable=no
}
‘en-US’
{
Write ‘OS Version’
[Environment]::OSVersion
Write-Verbose -Message “Vulnerability Port Removal UDP 137, UDP 138, TCP 139, TCP 445″ -Verbose

netsh advfirewall firewall set rule name=”Network Discovery (NB-Name-In)” profile=public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Name-In)” profile=private dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Name-In)” profile=public,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Name-In)” profile=private,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Name-In)” profile=private,public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Name-In)” profile=any dir=in localport=137 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Name-In)” profile=public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Name-In)” profile=private dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Name-In)” profile=public,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Name-In)” profile=private,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Name-In)” profile=private,public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Name-In)” profile=any dir=in localport=137 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=private dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=public,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=private,domain dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=private,public dir=in localport=137 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=any dir=in localport=137 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Datagram-In)” profile=public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Datagram-In)” profile=private dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Datagram-In)” profile=public,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Datagram-In)” profile=private,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Datagram-In)” profile=private,public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Datagram-In)” profile=any dir=in localport=138 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=private dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=public,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=private,domain dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=private,public dir=in localport=138 protocol=udp new enable=no
netsh advfirewall firewall set rule name=”Network Discovery (NB-Datagram-In)” profile=any dir=in localport=138 protocol=udp new enable=no

netsh advfirewall firewall set rule name=”Virtual Machine Monitoring (NB-Session-In)” profile=public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”Virtual Machine Monitoring (NB-Session-In)” profile=private dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”Virtual Machine Monitoring (NB-Session-In)” profile=public,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”Virtual Machine Monitoring (NB-Session-In)” profile=private,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”Virtual Machine Monitoring (NB-Session-In)” profile=private,public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”Virtual Machine Monitoring (NB-Session-In)” profile=any dir=in localport=139 protocol=tcp new enable=no

netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Session-In)” profile=public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Session-In)” profile=private dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Session-In)” profile=public,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Session-In)” profile=private,domain dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Session-In)” profile=private,public dir=in localport=139 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File and Printer Sharing (NB-Session-In)” profile=any dir=in localport=139 protocol=tcp new enable=no

netsh advfirewall firewall set rule name=”File Server Remote Management (SMB-In)” profile=public dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File Server Remote Management (SMB-In)” profile=private dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File Server Remote Management (SMB-In)” profile=public,domain dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File Server Remote Management (SMB-In)” profile=private,domain dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File Server Remote Management (SMB-In)” profile=private,public dir=in localport=445 protocol=tcp new enable=no
netsh advfirewall firewall set rule name=”File Server Remote Management (SMB-In)” profile=any dir=in localport=445 protocol=tcp new enable=no
}
}