Securing RDP Connections with Trusted SSL/TLS Certificates
This article covers how to secure RDP Connections with Trusted SSL/TLS Certificates.
To Check What Certificate RDP Is Using
You can check the thumbprint of the certificate the server is using. Windows Key+R > regedit {Enter} > navigate to:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > TemplateCertificate
You can then compare this with the actual certificate: Windows Key+R > mmc {Enter} > File > Add/Remove Snap-in > Certificates > Local Computer > open Certificates > Personal > Certificates > locate the certificate you think RDP is using and compare its thumbprint with the value in the registry key.
Time Based Temporary Group Membership in Active Directory on Windows
The version of Active Directory in Windows Server 2016 introduces Temporary (Time-Based) Group Membership, a feature that allows you to temporarily add a user to an AD security group. In order to use Temporary Group Membership, you need to enable the Privileged Access Management (PAM) feature in your Active Directory forest. As with the AD Recycle Bin (which allows you to recover deleted objects), you cannot disable PAM after it has been enabled.
Saved RDP Credentials Didn't Work in Windows - Fix it Now?
This article covers how to resolve "Saved RDP credentials didn't work" in Windows. With saved RDP credentials, the user does not need to enter the password each time they connect to the Remote Desktop. However, in this case, despite the RDP connection password being saved in Credential Manager, the system does not use it and prompts the user for the password.
To fix remote desktop credentials:
The credentials for the Windows Remote Desktop connection do not change automatically.
The Network Adapter Troubleshooter checks for network problems (if any) and corrects them.
- Go to Start > Settings > Updates & Security > Troubleshoot.
- Select the Network Adapter Troubleshooter from the list.
To fix your credentials could not be verified on Windows:
- Disable Windows Hello under Start > Settings > Accounts > Sign-in options, or via local Group Policy.
- Then restart the machine.
- Log on with local admin account.
- Re-enable the Windows Hello feature.
- Configure the Pin as you need.
Use gMSA in Active Directory to launch services and tasks
This article covers how to use gMSA in Active Directory. When a gMSA is used as a service principal, the Windows operating system manages the password for the account instead of relying on the administrator to manage it. Group Managed Service Accounts (gMSAs) provide a higher-security option for non-interactive applications, services, processes and tasks that run automatically but need a security credential.
The Install-ADServiceAccount cmdlet installs an existing Active Directory managed service account on the computer on which the cmdlet is run. The cmdlet also makes the required changes locally so that the managed service account password can be managed without requiring any user action.
Setting remote desktop drain mode on a Windows Server RDS host
This article covers how to set remote desktop drain mode on a Windows Server RDS host, which can be done easily with PowerShell. Drain mode is used when a server administrator needs to maintain a server (install Windows updates, configure or update apps) without affecting the availability of the entire RDS farm.
When you set the RDS host in drain mode state, the RDS host can no longer accept new connections but existing sessions continue working until users log out. You can monitor the status of the RDS host in Horizon Administrator.
To remove a Remote Desktop Session Host (uninstall the RD Session Host role service):
- Open Server Manager.
- In the left pane, expand Roles.
- Right-click Remote Desktop Services, and then click Remove Role Services.
- On the Select Role Services page, clear the Remote Desktop Session Host check box, and then click Next.
- On the Confirm Removal Selections page, click Remove.
IIS Manager: Could not connect to the specified computer - Fix it Now?
This article covers methods to resolve the IIS Manager error "Could not connect to the specified computer".
To install and configure Microsoft Windows Internet Information Services:
- Select: Manage / Add Roles and Features.
- Select "Next" until you get to Server Roles. Scroll down and open Web Server (IIS) / Management Tools.
- Select "Management Service".
- Select "Next" and "Install".
- Once installation completes, open the Services console (if you already had it open, refresh the list). Scroll down to Web Management Service. You will notice it is installed but not started, and its startup type is Manual, so it will not start on reboot either. You need to change both so the service runs now and starts whenever the server is rebooted. Open its properties.
- Change the Startup type to "Automatic". Do not start the service yet as you will not be able to configure the service while it is running.
- Launch IIS, open Management Service.
- Configure the Web Management Service, then apply your changes and start the service.
How to configure Microsoft IIS?
- Enable remote management.
- Use Windows credentials only.
- Deny access to all except your approved IP addresses. Use IP address ranges only when you control the entire range.
- Use your server’s certificate if you have one configured. (Optional).
- Change the port from the default to something else if the server is accessible from the Internet. (Optional).
- Now you will be able to remotely manage IIS from any IP address you have granted access to.