
Securing RDP Connections with Trusted SSL/TLS Certificates

Jan 24, 2022

Securing RDP connections with trusted SSL/TLS certificates is a healthy practice.

We use them to secure RDP connections to Windows computers or servers in an Active Directory domain.

As part of our Server Management Services, we assist our customers with several RDP queries.

Today, let us see how to use trusted SSL/TLS certificates to secure RDP connections.

Securing RDP Connections with Trusted SSL/TLS Certificates

Moving ahead, let us see how our Support Techs go about securing RDP connections.

Remote Desktop Connection (RDP) Self-Signed Certificate Warning

By default, Windows generates a self-signed certificate to secure an RDP session.

During the first connection to an RDP/RDS host using the mstsc.exe client, we see the following warning:

The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Certificate error: The certificate is not from a trusted certifying authority.


To proceed and establish the connection, we have to click Yes.

To prevent the repetition of this warning, we can check the “Don’t ask me again for connections to this computer” option.

In this case, the RDP certificate thumbprint is saved in the CertHash value of the registry key that stores the RDP connection history on the client.

If the warning has been hidden this way, we remove the certificate thumbprint from the registry to reset the setting and make the client validate the certificate again.

Create an RDP Certificate Template in a Certificate Authority (CA)

We use a trusted SSL/TLS certificate issued by a corporate certificate authority. With it, the client can authenticate the RDP server when connecting.

If a corporate Microsoft Certificate Authority is deployed in our domain, we can configure automatic issuance and binding of certificates to all Windows computers and servers in the domain.

To do so, we must create a new type of certificate template for RDP/RDS hosts in our CA:

  1. Initially, we run the Certificate Authority console.
  2. Then we go to Certificate Templates >> Manage >> Computer >> Duplicate.
  3. In the General tab, we specify the name of the new certificate template: RDPTemplate.
  4. In the Compatibility tab, we specify the minimum client version used in our domain.
  5. Then, in the Application Policy section of the Extensions tab, we restrict the use scope of the certificate to Remote Desktop Authentication only.
  6. Then we click Add >> New, create a new policy and select it.
  7. In the certificate template settings, we remove all policies except Remote Desktop Authentication.
  8. To use this template on our domain controllers, we open the Security tab, add the Domain Controllers group and enable the Enroll and Autoenroll options.
  9. We save the certificate template.
  10. Then, in the Certificate Authority mmc snap-in, we click the Certificate Templates folder >> New >> Certificate Template to Issue and choose the template we have created.

Deploy RDP SSL/TLS Certificates using Group Policy

Then we configure a domain GPO to automatically assign RDP certificates to computers/servers.

Generally, all domain computers already trust the corporate Certificate Authority, because its root certificate has been added to the Trusted Root Certification Authorities store using GPO.

  1. In the Domain Group Policy Management console (gpmc.msc), we create a new GPO object and link it to the OU containing the RDP/RDS servers or computers that should automatically receive TLS certificates.
  2. Then, we navigate to the GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
  3. Here, we enable the Server Authentication Certificate Template policy.
  4. Then we specify the name of the CA template we made.
  5. In the same GPO section, we enable the Require use of a specific security layer for remote connections policy and set its value to SSL.
  6. To automatically renew an RDP certificate, we go to the Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies section of the GPO and enable the Certificate Services Client – Auto-Enrollment Properties policy.
  7. We check the “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” options.
  8. For our clients to always verify the RDP server certificate, we configure the Configure Authentication for Client policy with the value Warn me if authentication fails. It is found at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Settings -> Remote Desktop Connection Client.
  9. In addition, if necessary, we open the incoming RDP port TCP/UDP 3389 using firewall policies.
  10. Then we update the group policy settings on the client computer and launch the computer certificate console (certlm.msc).
  11. We ensure that the certificate issued by our CA is present in the Personal -> Certificates section.

To apply the new RDP certificate, restart Remote Desktop Services:

Get-Service TermService -ComputerName bob-dc01 | Restart-Service -Force -Verbose

Now, we will not see a request to confirm that the certificate is trusted. To check which certificate the session uses, we click View certificate >> Details tab and copy the value in the Thumbprint field.

In the Issued Certificates section of the Certification Authority console, we can ensure that the certificate has been issued.

In addition, we check the certificate Thumbprint value there and compare it with the thumbprint of the certificate used by the Remote Desktop Service.

To view the RDS certificate thumbprint, we use the registry or run:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices | select SSLCertificateSHA1Hash
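To automate the thumbprint comparison above and confirm that the listener really is bound to a CA-issued certificate, here is an added PowerShell check (our own example, not part of the original procedure). It assumes an elevated session on the RDP/RDS host, the default RDP-Tcp listener name, and uses the Remote Desktop Authentication EKU OID 1.3.6.1.4.1.311.54.1.2 that the template restricts the certificate to.

```powershell
# Added example: verify that the certificate bound to the RDP listener is
# CA-issued, carries the Remote Desktop Authentication EKU, chains to a
# trusted root and is not about to expire. Run elevated on the RDP/RDS host.
# Assumption: the listener is the default 'RDP-Tcp'.

# SHA-1 thumbprint of the certificate currently bound to the RDP listener
$ts = Get-CimInstance -Namespace 'root\cimv2\terminalservices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$hash = $ts.SSLCertificateSHA1Hash
"RDP listener certificate thumbprint: $hash"

# Locate the same certificate in the computer's Personal store
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $hash }
if (-not $cert) {
    throw "No certificate with thumbprint $hash in Cert:\LocalMachine\My"
}

# Check 1: issued by a CA rather than the default self-signed certificate
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Check 2: the Remote Desktop Authentication EKU is present
$rdpEkuOid = '1.3.6.1.4.1.311.54.1.2'
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasRdpEku = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages |
    Where-Object { $_.Value -eq $rdpEkuOid }))

# Check 3: the chain builds to a root trusted on this machine
$chainTrusted = $cert.Verify()

# Check 4: remaining lifetime (auto-enrollment should renew before expiry)
$daysLeft = ($cert.NotAfter - (Get-Date)).Days

[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    SelfSigned   = $selfSigned
    HasRdpEku    = $hasRdpEku
    ChainTrusted = $chainTrusted
    DaysLeft     = $daysLeft
}

if ($selfSigned -or -not $hasRdpEku -or -not $chainTrusted) {
    Write-Warning 'RDP listener is not using a trusted certificate; check the GPO and template assignment.'
}
```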

Signing an RDP File with a Trusted TLS Certificate Thumbprint

Suppose we do not have a CA, but we still do not want our users to see warnings when they connect to an RDP/RDS host. In that case, we can add the certificate to the trusted ones on user computers.

We get the value of the RDP certificate thumbprint:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices | select SSLCertificateSHA1Hash

Then we use this fingerprint to sign the .RDP file with the RDPSign.exe tool:

rdpsign.exe /sha256 25A27B2947022CC11BAFF261234567DEB2ABC21 "C:\ps\bob-dc01.rdp"
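The following added PowerShell example (ours, not from the original article) looks up the listener certificate by the SHA-1 thumbprint that Win32_TSGeneralSetting reports, derives the SHA-256 thumbprint that rdpsign.exe /sha256 expects, signs the file and then verifies the signature with /check. It assumes the .rdp path used above, the default RDP-Tcp listener and that it runs on the host holding that certificate.

```powershell
# Added example: sign an .rdp file with the RDP listener certificate and
# verify the signature. Assumptions: default 'RDP-Tcp' listener, file path
# taken from the article; run on the RDP/RDS host.
$RdpFile = 'C:\ps\bob-dc01.rdp'

# Win32_TSGeneralSetting exposes the SHA-1 thumbprint, but rdpsign /sha256
# takes the SHA-256 thumbprint, so look up the certificate and hash it.
$ts = Get-CimInstance -Namespace 'root\cimv2\terminalservices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$sha1 = $ts.SSLCertificateSHA1Hash

# The self-signed RDP certificate lives in its own store, so search all
# computer stores for the matching thumbprint.
$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $sha1 } | Select-Object -First 1
if (-not $cert) {
    throw "Certificate $sha1 not found in the computer certificate stores"
}

# SHA-256 thumbprint = SHA-256 over the DER-encoded certificate
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$sha256Hex = ($sha256.ComputeHash($cert.RawData) |
              ForEach-Object { $_.ToString('X2') }) -join ''
"SHA-1 thumbprint:   $sha1"
"SHA-256 thumbprint: $sha256Hex"

# Sign the connection file
& rdpsign.exe /sha256 $sha256Hex $RdpFile
if ($LASTEXITCODE -ne 0) {
    throw "rdpsign failed with exit code $LASTEXITCODE"
}

# Verify the signature; a tampered file or a different certificate fails here
& rdpsign.exe /check $RdpFile
"rdpsign /check exit code: $LASTEXITCODE (0 = signature valid)"
```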

We add this thumbprint to the trusted certificates on user computers using GPO.

To do so, we specify the thumbprints in the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy, which is found at Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Settings -> Remote Desktop Connection Client.

We can also configure transparent RDP logon without entering a password. For that, we configure the Allow delegating default credentials policy and specify the RDP/RDS hostnames in it.

Conclusion

In short, we saw how our Support Techs secure RDP Connections with Trusted SSL/TLS Certificates.
