Solved

need some advice on using ssl for rdp connections

Posted on 2011-03-01
7
455 Views
Last Modified: 2012-05-11
I need to configure RDP connections on the domain to use SSL. I know how to apply a GPO that will set that up. My question is; How will clients trying to use RDP on our network have to connect?
Do I have to buy a SSL cert?
0
Comment
Question by:bankadmin
  • 4
  • 3
7 Comments
 
LVL 5

Accepted Solution

by:
jlanderson1 earned 500 total points
ID: 35007490


First you will need to download this:  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

This tool as a command utility called SELFSSL.EXE for creating self-signed certificates.

On the start menu, find the IIS kit you installed, and run the command prompt window in the program group.

When that opens, type" "SelfSSL.exe /CN=domain.com /V:365" into the command prompt and press "Enter." Replace "domain.com" with your network domain name.

Click the Windows "Start" button and click "Programs." Click "Administrative Tools" then click "Terminal Server Configuration." This opens the manager where you can configure the SSL protocol for the remote protocol.

Right-click "RDP-Tcp" and select "Properties." This opens a new configuration window. Click the "General" tab. Select "Negotiate" in the "Security" drop-down box. This enables TLS. Choose your encryption level in the next drop-down. For most users, choose "High" as the encryption level for maximum security.

Click the "Edit" button next to the "Certificate" text box. Select your certificate and click "OK." Select "SSL" from the "Security Layer" text box and click "OK." Click "OK" in the main properties window to close it. This sets your RDP protocol for SSL encryption.
0
 

Author Comment

by:bankadmin
ID: 35007676
THanks for the info.
"Click the Windows "Start" button and click "Programs." Click "Administrative Tools" then click "Terminal Server Configuration." This opens the manager where you can configure the SSL protocol for the remote protocol."
Shouldnt I use a GPO for configuring this domain wide instead of doing this step?

Should these steps be preformed on the DC?
Will these steps need to be preformed on all servers RDP is used to access?
Will these steps have to be preformed on all PC's that need to use RDP to access servers or workstations?
0
 
LVL 5

Expert Comment

by:jlanderson1
ID: 35007805
"Click the Windows "Start" button and click "Programs." Click "Administrative Tools" then click "Terminal Server Configuration." This opens the manager where you can configure the SSL protocol for the remote protocol." -- Applies to the Server you want to RDP to.  You can do this via GPO, I would imagine.

The SELFSSL certificate process should be run on one of the servers you want to RDP to.  Then the certificate needs to be installed on each server to which you will RDP following the process used above.

The PCs only need to set the authentication option, which is shown in the link below:

http://www.kreslavsky.com/2006/10/configure-rdp-over-ssl-with-selfssl.html

0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:bankadmin
ID: 35008027
I do use RDP to connect to users workstations sometimes also. So the PC's would also need the selfssl installed correct?

0
 
LVL 5

Expert Comment

by:jlanderson1
ID: 35009145
You cannot do the same procedure on an XP computer....It is not supported.  Only to server 2003 SP1 and later.

 You can do some of the following to secure RDP to an XP computer.

http://www.mobydisk.com/techres/securing_remote_desktop.html
0
 

Author Comment

by:bankadmin
ID: 35018831

Thanks for all the advice.
0
 

Author Comment

by:bankadmin
ID: 35019180
Oops I should have tested before I closed the question. I ran the CMD as specified in your first post it didnt create the cert, I have attached a screenshot of what I got.. I blacked out my domain name but it is correct, I tried it with and without .com
cmd-resultsSSl.bmp
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Remote Desktop Shadowing often has a lot of benefits. When helping end users determine problems, it is much easier to see what is going on, what is being slecected and what is being clicked on. While the industry has many products to help with this,…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now