This example utilises a Windows 2003 stand-alone root CA to secure RDP traffic between server and client.
1) Install the CA in the preferred mode (e.g. offline). Best practice is to use an offline root CA and then install subordinate CAs to issue certificates to designated departments/roles etc. See this link for more information.
2) From a management system, navigate to https://servername.domainname/certsrv and select ‘Download a CA certificate, certificate chain or CRL’. On the next screen select ‘Install this CA certificate chain’.
*If the systems are part of a domain, this process can be simplified by deploying the CA certificate chain via Group Policy.
3) Log onto the target server (i.e. server to have RDP secured) to request/install a certificate.
a. Open a web browser and navigate to https://servername.domainname/certsrv
b. Select Request a certificate > advanced certificate request > create and submit a request to this CA
c. Enter the details as requested, e.g. the FQDN (or NetBIOS hostname if desired) and any other relevant information, such as location or owner details. The name entered here must match the name clients will use to connect.
d. Change the type of certificate to ‘Server Authentication Certificate’.
e. Check the option ‘Store certificate in the local computer certificate store’.
f. The request is sent to the CA and waits there for authorisation.
g. Log onto the CA and open the Certificate Authority MMC snap-in. Select the ‘Pending Requests’ container.
h. The certificate previously requested will be listed: right-click on it and select Issue.
i. Return to the server from where the request was made and navigate to https://servername.domainname/certsrv. Select ‘View the status of a pending certificate request’.
j. The type of certificate (i.e. Server Authentication) and the date/time stamp should match the request previously made. If so, click on the link and select ‘Install this certificate’. A warning prompt will pop up; select Yes for the install to complete.
k. The certificate will be loaded into the local certificate store under Computer > Personal.
4) To integrate this certificate with RDP, open Terminal Services Configuration on the server where the certificate was installed and perform the following:
a. Select Connections and double-click the RDP-Tcp option.
b. Select the General tab. At the bottom of the window you’ll see the option to add a certificate; select Edit.
c. A list of existing certificates will be displayed. Select the appropriate certificate (if more than one is displayed) and click OK.
d. Under the General tab, change the security layer from ‘RDP Security Layer’ to ‘SSL’.
e. Under the General tab, change the encryption level from ‘Client Compatible’ to ‘High’ (128-bit). Make sure the RDP clients in use support this level, otherwise they will be unable to connect.
5) Open the RDP client on an administration system. Click Options and go to the Advanced tab. Under server authentication, select ‘Warn me’ for the most usable solution; this displays an alert if a certificate isn’t recognised or is invalid. The stricter ‘Do not connect’ option refuses the connection outright instead of prompting.
6) If there is an error with the certificate (or the NetBIOS name was entered instead of the FQDN, so the name does not match the certificate’s subject), you’ll see a warning pop-up. If the certificate is accepted and no errors/warnings are generated, the RDP session will begin as usual without any notifications.
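Once steps 3 and 4 are done, the settings can be verified from the server itself rather than by watching for client warnings. The following PowerShell script is an added example, not part of the original post; it assumes the RDP-Tcp listener keeps its bound certificate hash, security layer and encryption level in the registry key named in the script (SSLCertificateSHA1Hash, SecurityLayer and MinEncryptionLevel), and that the host's DNS name is the FQDN clients connect with.

```powershell
# Added check (not from the original post). Assumption: the RDP-Tcp listener
# stores SSLCertificateSHA1Hash (REG_BINARY), SecurityLayer (0=RDP, 1=Negotiate,
# 2=SSL) and MinEncryptionLevel (1=Low, 2=Client Compatible, 3=High, 4=FIPS)
# under this key.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdp = Get-ItemProperty -Path $key

# The name clients will type into the RDP client (assumed to be this host's FQDN).
$expectedName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$problems = @()

if ($rdp.SecurityLayer -ne 2) {
    $problems += "SecurityLayer is $($rdp.SecurityLayer); step 4d expects 2 (SSL)"
}
if ($rdp.MinEncryptionLevel -lt 3) {
    $problems += "MinEncryptionLevel is $($rdp.MinEncryptionLevel); step 4e expects 3 (High) or 4 (FIPS)"
}

if (-not $rdp.SSLCertificateSHA1Hash) {
    $problems += 'No certificate is bound to the RDP-Tcp listener (step 4c not done)'
} else {
    # Registry value is the raw SHA-1 bytes; turn it into a thumbprint string.
    $thumb = ($rdp.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $problems += "Bound thumbprint $thumb was not found in LocalMachine\My (step 3k)"
    } else {
        # Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1 (step 3d).
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
            $problems += 'Certificate lacks the Server Authentication EKU'
        }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }
        if (-not $cert.HasPrivateKey) { $problems += 'Certificate has no private key; the listener cannot use it' }
        # A subject/FQDN mismatch is exactly what triggers the warning in step 6.
        $cn = $cert.GetNameInfo('SimpleName', $false)
        if ($cn -ne $expectedName) { $problems += "Subject '$cn' does not match host FQDN '$expectedName'" }
        # Chain must build to a trusted root, i.e. the CA chain from step 2.
        if (-not $cert.Verify()) { $problems += 'Certificate chain does not validate on this host' }
    }
}

if ($problems.Count -eq 0) { 'RDP listener certificate configuration looks correct' } else { $problems }
```

Run it in an elevated PowerShell session on the RDP server; any line it prints other than the success message points at the step above that still needs attention.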