Deploy RDP TLS Certificate with GPO

Hi there !

This blog post walks you through an example of how to deploy an RDP TLS certificate with GPO in order to secure Remote Desktop in your environment.

Certificate Part

Open the Certification Authority management console, right-click Certificate Templates and select Manage.

Select the Computer template, right-click it and choose Duplicate Template.

In the compatibility settings, choose at least Windows 2008 and Windows Vista to make sure that connections use stronger encryption algorithms and ciphers. These settings will vary depending on your infrastructure.

On the General tab, set a Display Name and a Template Name. Don't use spaces, and use the same name for both.

RDP requires a proper extension for TLS to work on both Windows and other platforms. On the Extensions tab, click Edit.

Client Authentication has to be removed. Server Authentication remains, so as not to break compatibility with non-Windows platforms using the Microsoft Remote Desktop client.

Once Client Authentication is removed, add a new policy for the use of RDP TLS. Click Add… and then click New…

Enter Remote Desktop Authentication as the Name and 1.3.6.1.4.1.311.54.1.2 as the Object Identifier.

Configure the Security tab by adding the groups you want to allow to read, write, enroll or autoenroll, depending on your needs. This configuration may vary a lot depending on the company.

The next step is to issue the certificate template that has just been created.

Go back to the Certification Authority, right-click Certificate Templates -> New -> Certificate Template to Issue and select the template that has just been created.

Once this configuration is done, enroll the certificate where it's needed and move on to the second part of the configuration, which is more GPO related.

GPO Part

It depends on your organisation's structure and the way you manage GPOs, but I strongly advise creating a new GPO for these settings: it eases management and makes changes simpler in case of problems.

Open Group Policy Management Editor, navigate to the OU you want to link the GPO to, right-click it and select Create a GPO in this domain, and Link it here...

In the Group Policy Object, go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security and select Server authentication certificate template.

Once the policy setting is open, type the name of the template created in the previous steps in the Certificate Template Name field.

In order to use SSL to connect to servers, set the policy setting Require use of specific security layer for remote (RDP) connections to SSL.

Enable NLA as well; this helps to break most public RDP brute-force tools. Select Require user authentication for remote connections by using Network Level Authentication and select Enabled.

Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client.

Configure the policy setting Configure server authentication for client. Select Enabled and set the option to Warn me if authentication fails.

If Remote Desktop is not enabled in another GPO, you will need to go to Connections under Remote Desktop Session Host and enable Allow users to connect remotely by using Remote Desktop Services.

Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security -> Windows Firewall with Advanced Security -> Inbound Rules, right-click it and select New Rule.

Select Predefined, choose Remote Desktop from the dropdown menu and finish the wizard.

You're now ready to deploy the GPO on the computers that are getting the certificate, in order to force them to use RDP.
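To confirm on a target machine that the RDP listener picked up the enrolled certificate and the GPO settings above, a check like the following can be run in an elevated PowerShell session. It is an added example, not part of the original post; the function name Test-RdpTlsCertificate is hypothetical, and it assumes the default listener name RDP-Tcp.

```powershell
# Added example: audit the local RDP listener after the GPO has applied.
# Assumptions: default listener name RDP-Tcp, elevated session, PowerShell 3+.
$RdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (OID from the template)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication (kept in the template)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication (removed from the template)

function Test-RdpTlsCertificate {
    # Effective listener settings, whichever GPO or local setting produced them
    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $listener) { throw 'RDP-Tcp listener not found' }

    # Certificates enrolled from a CA template live in LocalMachine\My; the
    # self-signed fallback certificate lives in the "Remote Desktop" store.
    $thumb = $listener.SSLCertificateSHA1Hash
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumb }

    # Collect the EKU OIDs carried by the bound certificate
    $ekus = @()
    if ($cert) {
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Thumbprint        = $thumb
        FromEnrolledStore = [bool]$cert                       # False: still on the self-signed cert
        Issuer            = if ($cert) { $cert.Issuer } else { $null }
        SelfSigned        = if ($cert) { $cert.Subject -eq $cert.Issuer } else { $null }
        NotAfter          = if ($cert) { $cert.NotAfter } else { $null }
        HasRdpAuthEku     = $ekus -contains $RdpAuthOid
        HasServerAuthEku  = $ekus -contains $ServerAuthOid
        HasClientAuthEku  = $ekus -contains $ClientAuthOid    # expected False
        SecurityLayerSsl  = $listener.SecurityLayer -eq 2     # 2 = SSL (TLS)
        NlaRequired       = $listener.UserAuthenticationRequired -eq 1
    }
}

Test-RdpTlsCertificate | Format-List
```

A machine configured as described should report FromEnrolledStore, HasRdpAuthEku, HasServerAuthEku, SecurityLayerSsl and NlaRequired as True, and HasClientAuthEku as False.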

Talk to y’all later !

David Gaillard
