1. On your Microsoft certificate authority server open the Certificate Templates console.<\/p>\n

2. Duplicate the Computer template and use the Windows Server 2003 Enterprise format (Server 2008 v3 templates will NOT work).<\/p>\n

3. Change the template display name to RemoteDesktopComputer (no spaces). Verify the Template Name is exactly the same (no spaces). You can use a different name if you want, but both fields must match exactly.<\/p>\n

$\"\"$ <\/a><\/div>\n

4. Now we need to create an application policy to limit the usage to RDS authentication, then remove the other application uses for the certificate. On the extensions tab click on\u00a0Application Policies<\/strong>\u00a0then click on\u00a0Edit<\/strong>.<\/p>\n

5. Click on\u00a0Add<\/strong>, then click on\u00a0New<\/strong>.\u00a0\u00a0Set the value of Name to\u00a0Remote Desktop Authentication<\/strong>. Change the object identifier to 1.3.6.1.4.1.311.54.1.2.<\/p>\n

$\"\"$ <\/a><\/div>\n
<\/div>\n
6. From the Application Policies list, select\u00a0Remote Desktop Authentication<\/strong>.<\/div>\n
<\/div>\n
7. Back on the certificate template properties, remove all other entries. Only\u00a0Remote Desktop Authentication<\/strong>\u00a0should be present.<\/div>\n
<\/div>\n
$\"\"$ <\/a><\/div>\n
<\/div>\n
8. If you wish, you can modify the validity period of the certificate, making it say two years instead of the default of one.<\/div>\n
<\/div>\n
9. You probably want to secure your domain controllers as well, so for that we need to modify the security setting on the template. Open the Security tab and add the group\u00a0Domain Controllers<\/strong>and give the group\u00a0Read<\/strong>\u00a0and\u00a0Enroll<\/strong>\u00a0(not Autoenroll).<\/div>\n
<\/div>\n
$\"\"$ <\/a><\/div>\n
<\/div>\n
<\/div>\n
10. Open the MMC snap-in for managing your Certificate Authority and locate the\u00a0Certificate Templates<\/strong>\u00a0node. Right click, select\u00a0New<\/strong>, then\u00a0Certificate Template to Issue<\/strong>. Choose theRemoteDesktopComputer<\/strong>\u00a0template.<\/div>\n
<\/div>\n
$\"\"$ <\/a><\/div>\n
<\/div>\n
11. Next up is configuring the GPO to utilize the new template. You can modify any GPO you wish, or create a new one. Obviously the scope of the GPO should cover any servers that you want to secure with TLS. This could be a server baseline GPO, domain GPO, or whatever you want.<\/div>\n
<\/div>\n
<\/div>\n
12. In the GPO editor locate the node\u00a0Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session HostSecurity<\/strong>. Modify the\u00a0Server Authentication Certificate Template<\/strong>\u00a0setting. Enable the policy and enter the certificate template name that exactly matches what you created in your CA.<\/div>\n
<\/div>\n
$\"\"$ <\/a><\/div>\n
<\/div>\n
<\/div>\n
13. In the same GPO node, configure the\u00a0Require use of specific security layer for remote (RDP) connections\u00a0<\/strong>to use SSL (TLS 1.0).<\/p>\n
$\"\"$ <\/a><\/div>\n
14. Wait for the GPO to replicate, then refresh the GPO on a test server. Wait a minute, then open the Certificates MMC snap-in for the computer account. Look in the\u00a0PersonalCertificates<\/strong>\u00a0store for a certificate that has the\u00a0Intended Purposes<\/strong>\u00a0of\u00a0Remote Desktop Authentication<\/strong>. If it\u2019s not there, wait a minute, and refresh. If it never appears, something is wrong. Look at the gpresult to make sure your GPO is being applied to the server.<\/p>\n
$\"\"$ <\/a><\/div>\n
15. Once the certificate appears, double click on the certificate to open it. On the\u00a0Details<\/strong>\u00a0tab look at the first few characters of the thumbprint value and remember them.<\/p>\n
16. To make sure the RDP service is aware of the new certificate, I restart the\u00a0Remote Desktop Services<\/strong>\u00a0service.<\/p>\n
17. Open an elevated PowerShell prompt and run this command:<\/p>\n
Get-WmiObject -class \u201cWin32_TSGeneralSetting\u201d -Namespace root\\cimv2\\terminalservices -Filter \u201cTerminalName=\u2019RDP-tcp\u2019\u201d<\/p>\n
Validate that the\u00a0Security Layer<\/strong>\u00a0value is\u00a02<\/strong>\u00a0and that the thumbprint matches the certificate. If both of those settings are correct, then you are good to go!<\/p>\n
$\"\"$ <\/a><\/div>\n
As a quick test I attempted to connect to this server from a non-domain joined computer that did not have the root certificate for my CA. I configured the RDP client to warn on any security issues. As expected, the client threw errors about the CRL not being available, and that it didn\u2019t trust the chain. I also viewed the certificate and verified it was the correct one.<\/p>\n
It seems Windows 8 has much more stringent certificate checking than Windows 7. The screenshots below are from Windows 7, in case you didn\u2019t recognize the chrome. When using a Windows 7 non-domain joined computer to access the same TLS protected server, I got NO certificate warnings. That was even with the RDP 8 add-on hotfix. I\u2019m glad to see Win8 does thorough certificate validation.<\/p>\n
$\"\"$ <\/a><\/div>\n
$\"\"$ <\/a><\/div>\n
Connecting to the same server from a domain-joined computer that trusted the root CA resulted in no security warnings and a successful connection. If you look at a Wireshark capture you can also validate that CRL information is being exchanged between the computers, which means TLS is being used.<\/p>\n
$\"\"$
\n<\/a><\/div>\n
Cr\u00e9ditos:\u00a0 http:\/\/www.derekseaman.com\/2013\/01\/creating-custom-remote-desktop-services.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Installing a RDP SSL Certificate 1. On your Microsoft certificate authority server open the Certificate Templates console. 2. Duplicate the Computer template and use the Windows Server 2003 Enterprise format<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-445","post","type-post","status-publish","format-standard","hentry","category-windows-server"],"_links":{"self":[{"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=\/wp\/v2\/posts\/445"}],"collection":[{"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=445"}],"version-history":[{"count":2,"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=\/wp\/v2\/posts\/445\/revisions"}],"predecessor-version":[{"id":459,"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=\/wp\/v2\/posts\/445\/revisions\/459"}],"wp:attachment":[{"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=445"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/binsfeld.com.br\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}