Solved

need some advice on using ssl for rdp connections

Posted on 2011-03-01
7
437 Views
Last Modified: 2012-05-11
I need to configure RDP connections on the domain to use SSL. I know how to apply a GPO that will set that up. My question is; How will clients trying to use RDP on our network have to connect?
Do I have to buy a SSL cert?
0
Comment
Question by:bankadmin
  • 4
  • 3
7 Comments
 
LVL 5

Accepted Solution

by:
jlanderson1 earned 500 total points
Comment Utility


First you will need to download this:  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

This tool as a command utility called SELFSSL.EXE for creating self-signed certificates.

On the start menu, find the IIS kit you installed, and run the command prompt window in the program group.

When that opens, type" "SelfSSL.exe /CN=domain.com /V:365" into the command prompt and press "Enter." Replace "domain.com" with your network domain name.

Click the Windows "Start" button and click "Programs." Click "Administrative Tools" then click "Terminal Server Configuration." This opens the manager where you can configure the SSL protocol for the remote protocol.

Right-click "RDP-Tcp" and select "Properties." This opens a new configuration window. Click the "General" tab. Select "Negotiate" in the "Security" drop-down box. This enables TLS. Choose your encryption level in the next drop-down. For most users, choose "High" as the encryption level for maximum security.

Click the "Edit" button next to the "Certificate" text box. Select your certificate and click "OK." Select "SSL" from the "Security Layer" text box and click "OK." Click "OK" in the main properties window to close it. This sets your RDP protocol for SSL encryption.
0
 

Author Comment

by:bankadmin
Comment Utility
THanks for the info.
"Click the Windows "Start" button and click "Programs." Click "Administrative Tools" then click "Terminal Server Configuration." This opens the manager where you can configure the SSL protocol for the remote protocol."
Shouldnt I use a GPO for configuring this domain wide instead of doing this step?

Should these steps be preformed on the DC?
Will these steps need to be preformed on all servers RDP is used to access?
Will these steps have to be preformed on all PC's that need to use RDP to access servers or workstations?
0
 
LVL 5

Expert Comment

by:jlanderson1
Comment Utility
"Click the Windows "Start" button and click "Programs." Click "Administrative Tools" then click "Terminal Server Configuration." This opens the manager where you can configure the SSL protocol for the remote protocol." -- Applies to the Server you want to RDP to.  You can do this via GPO, I would imagine.

The SELFSSL certificate process should be run on one of the servers you want to RDP to.  Then the certificate needs to be installed on each server to which you will RDP following the process used above.

The PCs only need to set the authentication option, which is shown in the link below:

http://www.kreslavsky.com/2006/10/configure-rdp-over-ssl-with-selfssl.html

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:bankadmin
Comment Utility
I do use RDP to connect to users workstations sometimes also. So the PC's would also need the selfssl installed correct?

0
 
LVL 5

Expert Comment

by:jlanderson1
Comment Utility
You cannot do the same procedure on an XP computer....It is not supported.  Only to server 2003 SP1 and later.

 You can do some of the following to secure RDP to an XP computer.

http://www.mobydisk.com/techres/securing_remote_desktop.html
0
 

Author Comment

by:bankadmin
Comment Utility

Thanks for all the advice.
0
 

Author Comment

by:bankadmin
Comment Utility
Oops I should have tested before I closed the question. I ran the CMD as specified in your first post it didnt create the cert, I have attached a screenshot of what I got.. I blacked out my domain name but it is correct, I tried it with and without .com
cmd-resultsSSl.bmp
0

Featured Post

ScreenConnect 6.0 Free Trial

Check out the updates in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI that improves session organization and overall user experience. See the enhancements for yourself!

Join & Write a Comment

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now