The Remote Desktop Protocol (RDP) is arguably the most widely used protocol for Windows remote server administration. RDP uses Transport Layer Security (TLS) for server authentication, data encryption, and integrity. However, the default configuration of TLS for RDP in Windows is less than ideal.

RDP Self-Signed Certificate

By default, RDP uses a self-signed certificate for TLS operations. TLS with self-signed certificates is a bad security practice because they are not validated by a trusted certificate authority (CA), making it impossible for clients to verify the authenticity of the server they are connecting to, which can lead to interception attacks.

Certificate Warning

Most administrators have encountered a warning error when connecting to a remote host via RDP using a self-signed RDP certificate.

“The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.”

Nmap

You can view the default self-signed certificate with the Nmap utility by running the following command.

nmap.exe -n -p 3389 <hostname> –script ssl-cert

Managed Certificates

A better solution for RDP TLS is to use managed certificates issued by an enterprise Public Key Infrastructure (PKI) such as Microsoft Active Directory Certificate Services (AD CS). AD CS is widely deployed in AD domain environments and can be configured to issue certificates for RDP TLS.

AD CS

To configure AD CS to issue RDP certificates, perform the following steps.

Certificate Template

On an issuing CA or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certificate Templates management console (certtmpl.msc) and perform the following steps.

*My apologies for the list numbering format issues below. Microsoft Word and WordPress can’t seem to agree on the list format. Hopefully, you can figure it out, though. 🙂

1. Right-click the Workstation Authentication template and choose Duplicate Template.
2. Select the Compatibility tab.
   1. Select the operating system (OS) version corresponding to the oldest OS hosting the issuing CA role in your environment from the Certification Authority drop-down list.
   1. Select the OS version corresponding to your environment’s oldest supported server or client OS from the Certificate recipient drop-down list.
3. Select the General tab.
   1. Enter a descriptive name in the Template display name field.
   1. Select an appropriate validity period for your environment. The best practice is to limit the validity period to one year or less.
4. Select the Cryptography tab.
   1. From the Provider Category drop-down list, choose Key Storage Provider.
   1. From the Algorithm name drop-down list, choose RSA.
   1. In the Minimum key size field, enter 2048.
   1. From the Request hash drop-down list, choose SHA256.
5. Select the Subject Name tab.
   1. From the Subject name format drop-down list, select DNS name.
   1. Ensure that DNS name is also checked in the subject alternate name section.
6. Select the Extensions tab.
   1. Click on Application Policies.
   1. Click Edit.
   1. Select Client Authentication.
   1. Click Remove.
   1. Click Add.
   1. Click New.
   1. Enter Remote Desktop Authentication in the Name field.
   1. Enter 1.3.6.1.4.1.311.54.1.2 in the Object identifier field.
   1. Click Ok.
   1. Select Remote Desktop Authentication.
   1. Click Ok.
7. Select the Security tab.
   1. Click Domain Computers.
   1. Grant the Read and Enroll permissions.
8. Click Ok.

Next, open the Certification Authority management console (certsrv.msc) and follow the steps below to publish the certificate.

1. Expand the CA.
2. Right-click Certificate Templates and choose New > Certificate Template to Issue.
3. Select the Remote Desktop Authentication certificate template.
4. Click Ok.

Group Policy

Next, on a domain controller or a workstation with the RSAT tools installed, open the Group Policy Management console (gmpc.msc) and perform the following steps to create a new GPO to enroll domain computers for the Remote Desktop Authentication certificate

1. Right-click Group Policy Objects and choose New.
2. Enter a descriptive name for the GPO in the Name field.
3. Click Ok.
4. Right-click the GPO and choose Edit.
5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
6. Double-click Server authentication certificate template.
7. Select Enabled.
8. Enter the name of the Remote Desktop Authentication certificate template in the Certificate Template Name field. Note: Be sure to enter the template name, not the template display name!
9. Click Ok.

Once complete, link the GPO to the domain or OU to target the servers and workstations to which you wish to deploy the RDP certificate.

Validate Certificate

After updating group policy on a target resource, you’ll find that Nmap now shows the enterprise PKI-issued certificate used for RDP connections.

Additional Information

Understanding the Remote Desktop Protocol (RDP)