Securing RDP Connections with Trusted SSL/TLS Certificates

Windows

Securing RDP Connections with Trusted SSL/TLS Certificates is a healthy practice.

We use them to secure RDP connections to Windows computers or servers in an Active Directory domain.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related RDP queries.

In this context, we shall look into how to use trusted SSL/TLS certificates to secure RDP connections.

Securing RDP Connections with Trusted SSL/TLS Certificates

Here, we will look into how to secure RDP connections.

1. Remote Desktop Connection (RDP) Self-Signed Certificate Warning

By default, Windows generates a self-signed certificate to secure an RDP session.

During the first connection to an RDP/RDS host using the mstsc.exe client, we see the following warning:

The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Certificate error: The certificate is not from a trusted certifying authority.

To proceed and establish the connection, we have to click Yes.

To prevent the repetition of this warning, we can check the "Don't ask me again for connections to this computer" option.

In this case, the RDP certificate thumbprint is saved in the CertHash parameter of the registry key. It has the RDP connection history on a client.

In case of a hidden warning, we remove the certificate thumbprint from the registry to reset the settings.

2. Create an RDP Certificate Template in a Certificate Authority (CA)

We use a trusted SSL/TLS certificate issued by a corporate certificate authority. With it, we can authenticate an RDP server when connecting.

Suppose, a corporate Microsoft Certificate Authority deploys in our domain. Then, we can configure automatic issues and connection of certificates to all Windows computers and servers in the domain.

To do so, we must create a new type of certificate template for RDP/RDS hosts in our CA:

Initially, we run the Certificate Authority console.
Then we go to, Certificate Templates >> Manage >> Computer >> Duplicate.
In the General tab, we specify the name of the new certificate template – RDPTemplate.
In the Compatibility tab, we specify the minimum client version we use in our domain.
Then, in the Application Policy section of the Extensions tab, we restrict the use scope of the certificate to Remote Desktop Authentication only
Eventually, we click Add >> New, create a new policy and select it.
In the certificate template settings, we remove all policies except Remote Desktop Authentication.
To use this on our domain controllers, we open the Security tab, add the Domain Controllers group and enable the Enroll and Autoenroll options..
We save the certificate template.
Then in the Certificate Authority mmc snap-in, we click Certificate Templates folder >> New >> Certificate Template to Issue >> choose the template we have created.

3. Deploy RDP SSL/TLS Certificates using Group Policy

Then we configure a domain GPO to automatically assign RDP certificates to computers/servers.

Generally, all domain computers trust the corporate Certificate Authority. This means the root certificate adds to the Trusted Root Certificate Authorities using GPO:

In the Domain Group Policy Management console (gpmc.msc), create a new GPO object, link it to the OU containing RDP/RDS servers or computers to automatically issue TLS certificates.
GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
Here, we enable the Server Authentication Certificate Template policy.
Then we specify the name of the CA template we made.
In the same GPO section, we enable the Require use of a specific security layer for remote connections policy and set the value SSL for it.
To automatically renew an RDP certificate, we go to Computer configuration -> Windows settings -> Security Settings -> Public Key Policies section of the GPO and enable the Certificate Services Client – Auto-Enrollment Properties policy.
Check the “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates” options.
For our clients to always verify the RDP server certificate, we configure the Configure Authentication for Client = Warn me if authentication fails policy
It is in, Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Settings -> Remote Desktop Connection Client.
In addition, if necessary we open the incoming RDP Port TCP/UDP 3389 using firewall policies.
Then we update group policy settings on the client computer, launch the computer certificate console (Certlm.msc).
We also ensure that the certificate issued by our CA is in the Personal -> Certificates section.

To apply the new RDP certificate, restart Remote Desktop Services:

Get-Service TermService -ComputerName bob-dc01| Restart-Service –force –verbose

Now, we will not see a request to confirm that the certificate is trusted. Click View certificate >> Details tab, copy the value in the Thumbprint field.

In the Issued Certificates section of the Certification Authority console, we can ensure that the certificate has been issued.

In addition, we check the certificate Thumbprint value.

Then we compare it with the certificate thumbprint by the Remote Desktop Service.

To view the value of the RDS certificate thumbprint, we use the registry or run:

Get-WmiObject -Class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices|select SSLCertificateSHA1Hash

How to Sign an RDP File with a Trusted TLS Certificate Thumbprint ?

Suppose, we do not have a CA. However, we do not want our users to see warnings when they connect to an RDP/RDS host. Then we can add the certificate to the trusted ones on user computers.

We get the value of the RDP certificate thumbprint:

Get-WmiObject -Class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices|select SSLCertificateSHA1Hash

Then we use this fingerprint to sign the .RDP file with the RDPSign.exe tool:

rdpsign.exe /sha256 25A27B2947022CC11BAFF261234567DEB2ABC21 “C:\ps\bob-dc01.rdp”

We add this thumbprint to the trusted certificates on user computers using GPO.

We then specify the thumbprints in the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy.

To do so, we g to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Settings -> Remote Desktop Connection Client.

We can also configure the transparent RDP logon without entering a password. For that, we configure the Allow delegation defaults credential policy and specify RDP/RDS hostnames in it.