
Nubis Novem

Consulting On Cloud Nine

How to protect Remote Desktop Service with valid SSL certificate in Windows 2008, 2012, 2016

It is typical for a Windows server to have an auto-generated self-signed certificate for its Remote Desktop service. That is not good practice, especially when the RDP service is exposed to the internet (via TCP port 3389 being open in the firewall).

Here are a few simple steps to install a valid SSL certificate to be used with RDP to protect the host identity and encrypt your remote desktop sessions properly:

  1. Obtain a valid certificate for a domain name matching the server DNS name, either a) by purchasing one from an online certificate vendor (such as Namecheap.com), or b) through other means (if you work for a bigger firm, the corporate IT or security department may have a way to issue a certificate). If your external server name is server9.bogushosting.net, then the certificate should be issued for that exact name, or a wildcard certificate for *.bogushosting.net could be used. We skip the details of how to generate a CSR and private key during the certificate request process, as that is out of scope for this article.
  2. You need a certificate bundle in PKCS #12 or PKCS #7 format, the same as used for web services, IIS or Tomcat, with file extension .p12, .pfx or .p7b, or exported from an existing key store. Once you have that file on the server, start MMC from the command line:
    mmc.exe
  3. In MMC, launch the Certificates administration console via the menu File – Add/Remove Snap-in, then choose the Certificates snap-in and click the Add button to add it to MMC for the Computer account.
  4. In the Certificates console, right click on Personal and choose All Tasks – Import, then select your certificate file and add it to the Personal certificate store. You may close MMC at this point.
  5. Launch Remote Desktop Session Host Configuration.
  6. Right click on the RDP-Tcp connection and click the Select button to set your certificate.
  7. Check that there are no more warnings when you connect by RDP to your server.

A similar scenario works for Windows 2012 and Windows 2016 server OS versions as well, but instead of RD Session Host Configuration you would use Remote Desktop Gateway Manager: right click on the server, choose Properties and then, on the SSL Certificate tab, select an existing certificate to import the certificate from the Personal store. If you do not have Remote Desktop Gateway installed, you may instead use the PowerShell script below, which we saved for later use. It locates the first certificate in the Personal store and sets it for Remote Desktop services:

# get a reference to the RDP-Tcp listener configuration instance
$tsgs = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

# grab the thumbprint of the first SSL certificate in the computer's Personal store
# (this takes whatever certificate is listed first; make sure it is the one you imported)
$thumb = (Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object -First 1).Thumbprint

# set the new thumbprint value on the listener (the same instance the script fetched above)
Set-WmiInstance -Path $tsgs.__PATH -Arguments @{SSLCertificateSHA1Hash="$thumb"}

In some cases it might be necessary to grant Read permission on the private key to NETWORK SERVICE. That is done in MMC with the Certificates snap-in (described in the recipe above): navigate to your installed certificate under the Personal store, right click it, choose All Tasks – Manage Private Keys, and grant Read permission to the user NETWORK SERVICE.
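As an added example that is not the post's own script, the following PowerShell selects the certificate by this host's FQDN (rather than the first one in the store), checks that it has a private key and is within its validity period, binds it through the same Win32_TSGeneralSetting class, and then reads the setting back to confirm the change. It assumes the PFX has already been imported into the Personal store and that the shell is elevated.

```powershell
# Added example, not the original post's script: bind the certificate that
# matches this host's FQDN to the RDP-Tcp listener, then verify the binding.
# Assumptions: elevated shell; PFX already imported into Cert:\LocalMachine\My.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$wildcard = '*' + $fqdn.Substring($fqdn.IndexOf('.'))   # e.g. *.bogushosting.net

# Pick a usable certificate: name (or wildcard) matches, private key present,
# currently valid, and either no EKU or the Server Authentication EKU.
# If several qualify, prefer the one that expires last.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -lt (Get-Date) -and $_.NotAfter -gt (Get-Date) -and
        (-not $_.EnhancedKeyUsageList -or
         $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        (($_.DnsNameList.Unicode -contains $fqdn) -or
         ($_.DnsNameList.Unicode -contains $wildcard))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid server certificate for $fqdn found in Cert:\LocalMachine\My"
}

# Bind it to the RDP-Tcp listener (same WMI class and property the recipe uses).
$tsgs = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
Set-WmiInstance -Path $tsgs.__PATH `
    -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Read the value back so the change is verified rather than assumed.
$current = (Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices `
    -Filter "TerminalName='RDP-tcp'").SSLCertificateSHA1Hash

if ($current -ne $cert.Thumbprint) {
    throw "RDP-Tcp still uses thumbprint $current, expected $($cert.Thumbprint)"
}
"RDP-Tcp now presents $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
```

If the script throws on the verification step, check the NETWORK SERVICE private key permission described above before retrying.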

Comments (4)
  • George Nussbaum

    Thanks for this. Your script works fine except for one issue. It won’t work on Windows 10 machines.

    Would you happen to know what needs to be changed for it to work in Windows 10?

    • Andrei Spassibojko

      Hello George. Thank you for your comment. For Windows 10 you may want to check this recipe below and please do let us know if it worked for you:

      Here are the basic steps I use:

      Get a valid certificate for the host (it doesn’t have to come from an external CA, but all your machines have to trust it). Make sure it has the correct hostname; I had problems with wildcard certs.

      Install the cert on the host, like:

      certutil.exe -p myPassword -importPFX c:\mycert.pfx noExport

      find the thumbprint for the cert, either in the UI or in PowerShell:

      $tp = (ls Cert:\LocalMachine\my | WHERE {$_.Subject -match "something unique in your certs subject field" } | Select -First 1).Thumbprint

      now tell Remote Desktop to use that certificate:

      & wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$tp"

      no reboot required

      http://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection

    • Andrei Spassibojko

      Hello Francisc. It was nice to read your comment here, thank you. Yes, this same recipe worked fine for us with Windows 2016 server, hence the title included 2016 as an OS version where it applied.
