Windows 2008r2 RDP Self Signed Certificate Replacement

Posted on 2015-01-21
Last Modified: 2015-03-10
Background:
I work as an Army DoD contractor server administrator.  I received an Assured Compliance Assessment Solution (ACAS) hit for Plugin: SSL Self-Signed Certificate (57582).  The ACAS tool automatically identifies configuration vulnerabilities that could threaten the security of the DoD's computer systems.  The server is a physical Windows 2008r2 server.  It is just running Backup Exec on it.  The only place where I found a self-signed cert is under:
mmc/certificate/computer/remote desktops/certificate

It's the certificate that is created when you first join the server to the domain.  When you first RDP into the server, it always asks if you want to accept the cert.

I tried to remediate it by RDPing into a different server that has IIS on it.
IIS 7:
1. Run inetmgr
2. Click on the Server
3. Double click on Server Certificates
4. From the Actions menu: click on Create Certificate Request

This request will generate a file named certreq.txt

I then send that to DoD and they generate a key for me.

I then take that key and:
1. Run inetmgr
2. Click on the Server
3. Double click on Server Certificates
4. From the Actions menu: click on Complete Certificate Request

Then I exported the cert so I could install it on the server I needed to remediate.
I installed the certificate on the server with the ACAS hit. I put it in mmc/certificate/computer/remote desktops/certificate and placed the self-signed certificate in untrusted certificates.  I then logged out of the server to verify the new certificate worked.  When I first tried to RDP back into the server, it would not let me because it could not find the cert.  I tried again after 30 seconds and it allowed me to log in, but it was using the self-signed cert again.  I looked back in mmc/certificate/computer/remote desktops/certificate and it had regenerated the same self-signed cert.  I verified this because the original cert that I placed in untrusted certificates was still there.

I even tried to go to Administrative Tools | Remote Desktop Services | Desktop Session Host Configuration:
1. Right click the Connection
2. Select Properties
3. Click the General tab
4. Click Select right under Certificate (I got a popup that said "There are no certificates Remote Desktop Session Host Server.")

So, the question is: how do I get rid of the self-signed cert and use the new cert I created for it?  Do I need to install IIS on that server even though it is not a web server?
Question by: Skygod68

5 Comments
Expert Comment
by: Andy M
ID: 40562302
Just copying the certificate to a file location won't actually install it to the server, and therefore the RDP server will continue to use the self-signed certificate.

The following link describes how to install the certificate for use by RDP sessions: http://www.msdonkey.com/server/install-and-configure-a-remote-desktop-certificate-on-rd-session-host-servers/

Author Comment
by: Skygod68
ID: 40564948
There is something wrong with that site.  It keeps locking up my computer every time I go to it.

Expert Comment
by: Andy M
ID: 40565992
Strange, seems to work fine on the systems I've tried it on. Here's the general information provided:

It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.

1. Open the MMC and open the Certificates snap-in
2. Add the Local Computer
3. Import the certificate into Computer\Personal
4. Open the certificate and find the thumbprint on the Details tab. Copy the thumbprint to Notepad and delete all the spaces.
5. Open up an elevated PowerShell prompt and write:
   wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
6. You can check the certificate by running:
   Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

Accepted Solution
by: Skygod68 (earned 0 total points)
ID: 40647050
Here is what I had to do to fix the ACAS hit.
1. I installed IIS on each server
2. Double click on Server Certificates
3. From the Actions menu: click on Complete Certificate Request
4. Saved the hash that IIS gave me.
5. I submitted that hash to DoD and they provided me with another hash that has a root CA cert as well as the server cert
6. I changed the text file the hash was on to a .cer file.
7. I went back into IIS and from the Actions menu: click on Complete Certificate Request
8. I imported the .cer file into IIS
9. It will say it errored out, but it didn't; just close out IIS and reopen it.
10. Double click on Server Certificates and the new server certificate will be there.
11. Go to Administrative Tools | Remote Desktop Services | Desktop Session Host Configuration
12. Right click the Connection
13. Select Properties
14. Click the General tab
15. Click Select right under Certificate and the new certificate will appear there.
16. Verify by closing out your RDP session and RDPing back into the same server; your new cert should come up asking you to accept it.

Then you can uninstall IIS.  I have accomplished this method for 10 servers and they all cleared off our ACAS report.
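A scripted version of the certificate swap that Andy M's comment performs with wmic and that steps 11 to 16 of the accepted solution perform through the RD Session Host Configuration GUI, added here as an example and not code from the thread. It assumes the CA-issued certificate has already been imported into the computer's Personal store (Cert:\LocalMachine\My) with its private key and that its subject CN is the host name; run it from an elevated PowerShell prompt on the 2008 R2 server.

```powershell
# Added example (not from the thread): bind the RDP-Tcp listener to the CA-issued
# certificate and confirm the self-signed one is no longer in use.
# Assumption: the CA-issued cert is already in Cert:\LocalMachine\My (Computer\Personal)
# with its private key, and its subject CN is the host name.

$subjectPattern = "*CN=$env:COMPUTERNAME*"   # assumed naming; adjust to match the issued cert

# 1. Pick the newest Server Authentication cert with a private key that is NOT self-signed.
#    A self-signed cert has Issuer equal to Subject, which is how the ACAS plugin spots it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -like $subjectPattern -and
        $_.Issuer -ne $_.Subject -and
        $_.NotAfter -gt (Get-Date) -and
        (($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.5.5.7.3.1')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No CA-issued Server Authentication certificate matches $subjectPattern" }

# 2. The listener wants the SHA-1 thumbprint as 40 hex characters with no spaces
#    (the manual step of pasting into Notepad and deleting spaces).
$thumb = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint '$thumb'" }

# 3. Write the same WMI property the wmic command in the thread sets.
$listener = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumb } | Out-Null

# 4. Read it back. If the listener then refuses connections because it "could not find
#    the cert", the usual cause is that NETWORK SERVICE has no read access to the
#    private key (certlm: All Tasks > Manage Private Keys), not a wrong thumbprint.
$check = Get-WmiObject -Namespace root\cimv2\TerminalServices -Class Win32_TSGeneralSetting `
    -Filter "TerminalName='RDP-Tcp'"
if ($check.SSLCertificateSHA1Hash -ne $thumb) {
    throw "Listener still reports $($check.SSLCertificateSHA1Hash)"
}
"RDP-Tcp now uses '$($cert.Subject)' issued by '$($cert.Issuer)', valid until $($cert.NotAfter)"
```

The next RDP connection should present the CA-issued certificate, which you can confirm by viewing the certificate from the RDP connection dialog; a rescan should then clear plugin 57582.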

Author Closing Comment
by: Skygod68
ID: 40655762
After researching for countless days, I found the best way to fix my issue is what I stated.  There might be an easier way, but I have not found it, and my solution did remediate the servers I implemented this on.