PKI – Part 3 : RDP Certs

Pesky Warning Messages

If you’ve ever found yourself remoting into a machine, you’ve likely encountered that pesky and rather annoying message that the servers certificate can’t be trusted.

We know, you could, you could just select that little checkbox that says “Don’t ask me again for connections to this computer”, but that’s not what we’re going for.

Getting Rid of Self-Signed Certs

We want to use our enterprise PKI to get rid of self-signed SSL certs, and that’s reasonable. Self signed certificates are impossible to track effectively and many systems will refuse to connect to a system with an expired certificate, and that’s good.

While RDP doesn’t necessarily have that issue because it will generate a new certificate when the original expires, it’s something that we could also leverage our PKI to do.

Creating our Certificate Template

This one is a rather simple and easy one for us to do, let’s open the Certification Authority MMC snapin and get to managing our Certificate Templates.

With the Certificate Templates Console open, right click the “Web Server” template and click “Duplicate”.

Open the “Security Tab” and provide the following permissions to the following Active Directory Objects:

  • Domain Controllers: Read, Enroll
  • Domain Computers : Read, Enroll

We set these permissions so that our Workstations, Servers, and Domain Controllers all have the required permissions to request these certificates and have them automatically issued to them.

Like any template, it’s up for you to really specify the rest such as cryptography, extensions, name, etc. For my template I will be using the following:

Crypytography:

  • Provider Category: Key Storage Provider
  • Algorithm Name: ECDH_P384
  • Minimum Key Size: 384
  • Request Hash: SHA256

Request Handling:

  • Purpose: Signature and Encryption

General:

  • Name: RDP-Encr
  • Validity Period: 4 years

Something important you probably do need a little assistance with, make sure you modify the “Subject Name” to “Build from Active Directory Information”:

Setting up Our GPO

Unless you have Remote Desktop Gateway Services installed on everything, the only way to ensure that everything uses a specific template is through either the registry or group policy.

Obviously we already know that managing things through the registry isn’t a scalable option. For this we’ll be using Group Policy. To get started, open up the Group Policy Management Console and create a new Group Policy Object.

I’ll be naming my “RDP – Certificate Templates”, the name of this actually eludes the specific setting we are going to be modifying. I hope you remember the name of your certificate template, because you going to need that moving forward.

In the editor for the GPO, Navigate to the following:

Computer Configuration -> Administrative Templates -> Windows Components -> Remove Desktop Services -> Remote Desktop Session Host -> Security 

Once here, locate the settings “Server authentication certificate template”, open it and specify the name of the template we just created.

Once you’ve done this, you can close everything out and link that GPO to your desired location. Since I want everything in my lab domain to have a CA signed RDP certificate, I’m just going to apply it at the root and force a group policy update to demonstrate it real quick.

Before I demonstrate, I’m just going to validate the the server has receied the correct GPO settings via:

gpresult /h <path-to-html-report>

As you can see, the setting is applied as expected. The RDP Service will request a new cert next time I connect and if I use the proper DNS name to connect, I should not receive any errors.

Testing It Out

First, we’re going to test this out to make sure that when I connect, I don’t get a certificate not trusted error.

Other Thoughts

I thought about enabling TLS1.2 on these, but there’s a few issues with that:

  • Not supported in Group Policy, has to be done through registry.
  • There are known compatibility issues with forcing RDP to use TLS1.2, mainly because you have to disable all other version of SSL and TLS.
Posted in PKITagged , , ,