Windows OS Hub

August 27, 2020 | Group Policies, Windows 10, Windows Server 2016

Securing RDP Connections with Trusted SSL/TLS Certificates

In this article we’ll show how to use trusted SSL/TLS certificates to secure RDP connections to Windows computers and servers in an Active Directory domain. We will use trusted SSL certificates instead of the default self-signed RDP certificates (when a self-signed RDP certificate is used, the user receives a warning that the certificate is not trusted each time they connect to the host). In this example, we will configure a custom RDP certificate template in the Certificate Authority and a Group Policy that automatically issues an SSL/TLS certificate and binds it to the Remote Desktop Services.

Contents:
  • Remote Desktop Connection (RDP) Self-Signed Certificate Warning
  • Create an RDP Certificate Template in a Certificate Authority (CA)
  • How to Deploy RDP SSL/TLS Certificates using Group Policy?
  • Signing an RDP File with a Trusted TLS Certificate Thumbprint

Remote Desktop Connection (RDP) Self-Signed Certificate Warning

By default, to secure an RDP session Windows generates a self-signed certificate. During the first connection to an RDP/RDS host using the mstsc.exe client, a user sees the following warning:

The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Certificate error: The certificate is not from a trusted certifying authority.

To proceed and establish an RDP connection, a user has to click Yes. To prevent the RDP cert warning from appearing every time, you can check the “Don’t ask me again for connections to this computer” option.

In this case, the RDP certificate thumbprint is saved in the CertHash value of the per-host subkey under the registry key that stores the RDP connection history on the client (HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\). If you have suppressed the warning that the RDP server could not be verified, delete the saved certificate thumbprint from the registry to reset this setting.


Even though a self-signed certificate is used to establish the connection, the RDP session itself is encrypted. What the client cannot do with a self-signed certificate is verify that the certificate really belongs to the server it intended to reach, which is exactly what the warning above reports.
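As an added example (not code from the original article), the following PowerShell lists the RDP server thumbprints the current user has accepted under the registry key above and clears the saved thumbprint for one host, so that the trust prompt is shown again; the host name at the end is a placeholder taken from the article.

```powershell
# Added example, not code from the original article. Lists the RDP server certificates a user has
# accepted with "Don't ask me again" (stored under the key named in the article) and clears the
# saved thumbprint for one host so that the trust prompt is shown again on the next connection.
$ServersKey = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'

function Get-AcceptedRdpCertificate {
    Get-ChildItem -Path $ServersKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $thumb = $null
        if ($props.CertHash) {
            # CertHash is REG_BINARY holding the SHA-1 thumbprint; render it as the hex string
            # that mstsc shows under View certificate -> Details -> Thumbprint
            $thumb = ($props.CertHash | ForEach-Object { $_.ToString('X2') }) -join ''
        }
        [pscustomobject]@{
            Host         = $_.PSChildName       # the name the user typed into mstsc
            Thumbprint   = $thumb
            UsernameHint = $props.UsernameHint  # last user name used for this host, if saved
        }
    }
}

function Reset-AcceptedRdpCertificate {
    param([Parameter(Mandatory)][string]$HostName)
    $path = Join-Path -Path $ServersKey -ChildPath $HostName
    if (Test-Path -Path $path) {
        # Remove only CertHash: the UsernameHint stays, the certificate warning comes back
        Remove-ItemProperty -Path $path -Name CertHash -ErrorAction SilentlyContinue
    }
}

Get-AcceptedRdpCertificate | Format-Table -AutoSize
Reset-AcceptedRdpCertificate -HostName 'mun-dc01'   # placeholder: host name from the article
```

Comparing the listed thumbprints against the values your CA actually issued (see the Certification Authority console below) shows which hosts users have pinned a self-signed certificate for.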

Create an RDP Certificate Template in a Certificate Authority (CA)

Let’s use a trusted SSL/TLS certificate issued by a corporate certificate authority to secure RDP connections. With such a certificate, the user can authenticate the RDP server when connecting. Suppose that a corporate Microsoft Certificate Authority is already deployed in your domain. In this case, you can configure automatic issuance and binding of certificates for all Windows computers and servers in the domain.

You must create a new type of certificate template for RDP/RDS hosts in your CA:

  1. Run the Certificate Authority console and go to the Certificate Templates section;
  2. Duplicate the Computer certificate template (Certificate Templates -> Manage -> Computer -> Duplicate);
  3. In the General tab, specify the name of the new certificate template, RDPTemplate. Make sure that the value in the Template Name field matches the Template display name;
  4. In the Compatibility tab, specify the minimum client version used in your domain (for example, Windows Server 2008 R2 for the CA and Windows 7 for your clients). This allows the template to use stronger cryptographic algorithms;
  5. Then, in the Application Policy section of the Extensions tab, restrict the scope of the certificate to Remote Desktop Authentication only (enter the following object identifier: 1.3.6.1.4.1.311.54.1.2). Click Add -> New, create a new policy and select it;
  6. In the certificate template settings (Application Policies Extension), remove all policies except Remote Desktop Authentication;
  7. To use this RDP certificate template on your domain controllers, open the Security tab, add the Domain Controllers group and enable the Enroll and Autoenroll permissions for it;
  8. Save the certificate template;
  9. Then, in the Certificate Authority mmc snap-in, click the Certificate Templates folder and select New -> Certificate Template to Issue -> choose the template you have created (RDPTemplate).

How to Deploy RDP SSL/TLS Certificates using Group Policy?

Now you need to configure a domain GPO to automatically assign RDP certificates to computers/servers according to the configured template.

It is assumed that all domain computers trust the corporate Certificate Authority, i.e. its root certificate has been added to the Trusted Root Certification Authorities store using a GPO.
  1. Open the Group Policy Management console (gpmc.msc), create a new GPO and link it to the OU containing the RDP/RDS servers or computers that should automatically receive TLS certificates for RDP;
  2. Go to the GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security. Enable the Server Authentication Certificate Template policy and specify the name of the CA template you created earlier (RDPTemplate);
  3. In the same GPO section, enable the Require use of specific security layer for remote (RDP) connections policy and set its value to SSL;
  4. To automatically renew RDP certificates, go to Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies and enable the Certificate Services Client – Auto-Enrollment policy. Check the “Renew expired certificates, update pending certificates and remove revoked certificates” and “Update certificates that use certificate templates” options;
  5. If you want your clients to always verify the RDP server certificate, configure the Configure Authentication for Client policy with the value Warn me if authentication fails (Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client);
  6. If needed, open the inbound RDP port TCP/UDP 3389 using firewall policies;
  7. Then update the Group Policy settings on the client computer, open the computer certificate console (certlm.msc) and make sure that a Remote Desktop Authentication certificate issued by your CA has appeared under Personal -> Certificates.
If the new Group Policy settings have not been applied, use the gpresult tool and this article to diagnose the problem.


To apply the new RDP certificate, restart Remote Desktop Services:

Get-Service TermService -ComputerName mun-dc01 | Restart-Service -Force -Verbose

After that, when connecting to the server over RDP, you won’t be asked to confirm that the certificate is trusted (the prompt still appears if you connect to the server using its IP address instead of the FQDN the certificate was issued for, because the name you connect to must match the name in the certificate). To inspect the certificate, click View certificate, go to the Details tab and copy the value of the Thumbprint field.

In the Issued Certificates section of the Certification Authority console, you can make sure that an RDPTemplate certificate has been issued for the specific Windows server/computer. Also check the certificate Thumbprint value:


Then compare this thumbprint with the certificate thumbprint used by the Remote Desktop Service. You can view the value of the RDS certificate thumbprint in the registry (HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations, the TemplateCertificate parameter) or using the following PowerShell command:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices | select SSLCertificateSHA1Hash

Then, when connecting to the remote desktop of any Windows host, you won’t see a warning of an untrusted RDP certificate.
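The manual comparison above can be scripted. The following PowerShell is an added example, not code from the original article: run elevated on the RDP/RDS host, it reads the thumbprint Remote Desktop Services actually presents, finds that certificate in the local store and checks that it is CA-issued, carries the Remote Desktop Authentication EKU, was issued from the RDPTemplate template and that the SSL security layer set by the GPO is in effect. It assumes Windows PowerShell 5.1 or later; the template name follows the article.

```powershell
# Added example, not code from the original article. Run elevated on the RDP/RDS host to confirm
# that Remote Desktop Services is bound to the CA-issued certificate rather than the self-signed
# default, and that the GPO-enforced SSL security layer is in effect.
$ExpectedTemplate = 'RDPTemplate'               # template name used in the article
$RdpAuthEku       = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (from the article)
$TemplateExtOid   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension

$ts = Get-CimInstance -Namespace root\cimv2\TerminalServices -ClassName Win32_TSGeneralSetting `
                      -Filter "TerminalName='RDP-Tcp'"

# The certificate RDS is presenting: the same value the article reads via Get-WmiObject
$bound = $ts.SSLCertificateSHA1Hash

# Search the store auto-enrollment populates first, then the store holding the default
# self-signed certificate, so the script also explains the "still self-signed" case.
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object Thumbprint -eq $bound | Select-Object -First 1

# Template name resolves only when the host can query AD; e.g. "Template=RDPTemplate(...), ..."
$templateText = ''
$tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
if ($tmplExt) { $templateText = $tmplExt.Format($false) }

$result = [pscustomobject]@{
    Host            = $env:COMPUTERNAME
    BoundThumbprint = $bound
    Issuer          = $cert.Issuer
    # The default RDP certificate is self-signed: Subject equals Issuer (CN=<hostname>)
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)
    HasRdpAuthEku   = (@($cert.EnhancedKeyUsageList.ObjectId) -contains $RdpAuthEku)
    FromTemplate    = ($templateText -match "Template=$ExpectedTemplate\b")
    Expired         = ($cert.NotAfter -lt (Get-Date))
    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = SSL (what the GPO sets)
    SecurityLayer   = $ts.SecurityLayer
    SslEnforced     = ($ts.SecurityLayer -eq 2)
}
$result

if ($result.SelfSigned -or -not $result.HasRdpAuthEku -or -not $result.SslEnforced) {
    Write-Warning 'RDS is not presenting a CA-issued Remote Desktop Authentication certificate over SSL; re-check the GPO and restart TermService.'
}
```

A FromTemplate value of False with the other checks passing usually means only that the template display name could not be resolved on this host, not that the wrong template was used.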

Signing an RDP File with a Trusted TLS Certificate Thumbprint

If you don’t have a CA but still do not want your users to see warnings when they connect to an RDP/RDS host, you can add the host’s certificate to the trusted .rdp publishers on user computers.

Get the value of the RDP certificate thumbprint as described above:

Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices | select SSLCertificateSHA1Hash

Use this thumbprint to sign the .RDP file with the RDPSign.exe tool:

rdpsign.exe /sha256 25A27B2947022CC11BAFF261234567DEB2ABC21 "C:\ps\mun-dc01.rdp"

Then add this thumbprint to the trusted certificates on user computers using a GPO. Specify the thumbprints (separated by semicolons) in the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers policy under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client.


To configure transparent RDP logon without entering a password (RDP Single Sign-On), configure the Allow delegating default credentials policy and specify the RDP/RDS host names in it (see this article on how to do it).

2 comments

Harry B. November 29, 2022 - 4:51 pm

thx for the guide, it’s valuable information.
one minor thing… how were you able to sign any RDP files with certificates created according to the guide?
my research suggests that one would have to add client/server authentication purposes to the template for signing to function properly. see here: https://social.technet.microsoft.com/Forums/en-US/732c2e27-6d24-47dc-91da-ae46d831f4b4/rdpsignexe-unable-to-use-certificate-0x8007000d?forum=winserverTS

rdpsign keeps bugging me with error 0x8007000d.

any idea?

Reply
admin January 9, 2023 - 3:46 am

Try to use the latest version of the rdpsign tool (https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rdpsign)

If you are attempting to sign an RDP file with an SHA-1 certificate on a newer version of Windows, you will encounter the following error:
Unable to use the certificate specified for signing. Error Code: 0x8007000d
The rdp file could not be signed. Error Code: 0x8007000d

Use the following command to sign the RDP file:
rdpsign.exe /sha256 yourcertthumbprint

Reply
