Securing RDP Connections with Trusted SSL/TLS Certificates is a healthy practice. We use them to secure RDP connections to Windows computers or servers in an Active Directory domain.

This is how to ensure traffic sent over RDP is protected by SSL/TLS. We will use trusted SSL certs instead of default self-signed RDP certificates.

What happens if we use Self-Signed SSL?

By default, to secure an RDP session Windows generates a self-signed certificate. During the first connection to an RDP/RDS host using the mstsc.exe client, a user sees the following warning:

The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Certificate error: The certificate is not from a trusted certifying authority.

To proceed and establish the connection, we have to click Yes.

To prevent the repetition of this warning, we can check the “Don’t ask me again for connections to this computer” option.

In this case, the RDP certificate thumbprint is saved in the CertHash parameter of the registry key. It has the RDP connection history on a client.

Let’s see how to configure the RDP connection

In this example, we will configure a custom RDP certificates template in the Certificate Authority and a Group Policy to automatically issue and bind an SSL/TLS certificate to the Remote Desktop Services.

Create an RDP Certificate Template in a Certificate Authority (CA)

Let’s try to use a trusted SSL/TLS certificate issued by a corporate certificate authority to secure RDP connections. Using this certificate, a user can authenticate an RDP server when connecting. Suppose, that a corporate Microsoft Certificate Authority is already deployed in your domain. In this case, you can configure automatic issues and the connection of certificates to all Windows computers and servers in the domain.

You must create a new type of certificate template for RDP/RDS hosts in your CA:

  1. Run the Certificate Authority console and go to the Certificate Templates section;
  2. Duplicate the Computer certificate template (Certificate Templates -> Manage -> Computer -> Duplicate);Duplicate computer certificate template
  3. In the General tab, specify the name of the new certificate template – RDPTemplate. Make sure that the value in the Template Name field matches the Template display name;
    Create CA template to issue RDP Certificate
  4. In the Compatibility tab, specify the minimum client version used in your domain (for example, Windows Server 2008 R2 for the CA and Windows 7 for your clients). Thus, stronger encryption algorithms will be used;
  5. Then, in the Application Policy section of the Extensions tab, restrict the use scope of the certificate to Remote Desktop Authentication only (enter the following object identifier — Click Add -> New, create a new policy and select it;
    CA template for remote desktop auth 1-3
  6. In the certificate template settings (Application Policies Extension), remove all policies except Remote Desktop Authentication;
    Create remote desktop auth certificate
  7. To use this RDP certificate template on your domain controllers, open the Security tab, add the Domain Controllers group and enable the Enroll and Autoenroll options for it;
    Allow enroll and auto-enroll
  8. Save the certificate template;
  9. Then in the Certificate Authority mmc snap-in, click Certificate Templates folder and select New -> Certificate Template to Issue -> choose the template you have created (RDPTemplate);
    New RDP certificate template in cert auth

How to Deploy RDP SSL/TLS Certificates using Group Policy?

Now you need to configure a domain GPO to automatically assign RDP certificates to computers/servers according to the configured template.

It is supposed that all domain computers trust the corporate Certificate Authority, i.e. the root certificate has been added to the Trusted Root Certificate Authorities using GPO.
  1. Open the Domain Group Policy Management console (gpmc.msc), create a new GPO object and link it to the OU containing RDP/RDS servers or computers to automatically issue TLS certificates to secure RDP connections;
  2. Go to the following GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> SecurityEnable the Server Authentication Certificate Template policy. Specify the name of the CA template you have created earlier (RDPTemplate);
    Configuring server auth cert temp
  3. Then in the same GPO section, enable the Require use of a specific security layer for remote (RDP) connections policy and set the value SSL for it;
    Group policy parameter require use of ssl sec
  4. To automatically renew an RDP certificate, go to the Computer configuration -> Windows settings -> Security Settings -> Public Key Policies section of the GPO and enable the Certificate Services Client – Auto-Enrollment Properties policy. Check the “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” options;
    RDP certificate auto enrollment group policy setting
  5. If you want your clients to always verify the RDP server certificate, you must configure the Configure Authentication for Client = Warn me if authentication fails policy (Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Settings -> Remote Desktop Connection Client);
  6. If needed, open the incoming RDP Port TCP/UDP 3389 using firewall policies;
  7. Then update group policy settings on the client computer, and launch the computer certificate console (Certlm.msc) and make sure that the Remote Desktop Authentication certificate issued by your CA has appeared in the Personal -> Certificates section.
If the new Group Policy settings have not been applied, use the gpresult tool and this article to diagnose.

Issued RDP certificates

To apply for the new RDP certificate, restart Remote Desktop Services:

Get-Service TermService -ComputerName mun-dc01| Restart-Service –force –verbose

After that, when connecting to a server using RDP, you won’t see a request to confirm that the certificate is trusted (to see the request, connect to the server the certificate is issued for using its IP address instead of the FQDN). Click View certificate, go to the Details tab and copy the value in the Thumbprint field.
Get RDP Certificate thumbprint

In the Issued Certificates section of the Certification Authority console, you can make sure that an RDPTemplate certificate has been issued for the specific Windows server/computer. Also check the certificate Thumbprint value:

Get cert thumbprint via the certsrv-mmc-co

Then compare this thumbprint with the certificate thumbprint used by the Remote Desktop Service. You can view the value of the RDS certificate thumbprint in the registry (HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations, the TemplateCertificate parameter) or using the following PowerShell command:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices|select SSLCertificateSHA1Hash
Get RDP cert thumbprint using powershell

Then, when connecting to the remote desktop of any Windows host, you won’t see a warning of an untrusted RDP certificate.

Signing an RDP File with a Trusted TLS Certificate Thumbprint

If you don’t have a CA, but you do not want your users to see warnings when they connect to an RDP/RDS host, you can add the certificate to the trusted ones on user computers.

Get the value of the RDP certificate thumbprint as described above:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices|select SSLCertificateSHA1Hash

Use this fingerprint to sign the .RDP file with the RDPSign.exe tool:

rdpsign.exe /sha256 25A27B2947022CC11BAFF261234567DEB2ABC21 "C:\ps\mun-dc01.rdp"

Then add this thumbprint to the trusted certificates on user computers using GPO. Specify the thumbprints (separated by a semicolon) in the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy in Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Settings -> Remote Desktop Connection Client.

Remote desktop conn client policy adding tr

To configure the transparent RDP login without entering a password (RDP Single Sign On), configure the Allow delegation defaults credential policy and specify RDP/RDS host names in it (see this article on how to do it).





Securing RDP Connections with Trusted SSL/TLS Certificates

Leave a Reply

Your email address will not be published. Required fields are marked *