Windows 2008r2 RDP Self Signed Certificate Replacement

Posted on 2015-01-21
Last Modified: 2015-03-10
Background:
I work as an Army DoD contractor server administrator. I received an Assured Compliance Assessment Solution (ACAS) hit for Plugin: SSL Self-Signed Certificate (57582). The ACAS tool automatically identifies configuration vulnerabilities that could threaten the security of the DoD's computer systems. The server is a physical Windows 2008 R2 server. It is just running Backup Exec. The only place where I found a self-signed cert is under:
mmc/certificate/computer/remote desktops/certificate

It's the certificate that is created when you first join the server to the domain. When you first RDP into the server, it always asks if you want to accept the cert.

I tried to remediate it by RDPing into a different server that has IIS on it.
IIS 7:
1. Run inetmgr
2. Click on the Server
3. Double click on Server Certificates
4. From the Actions menu: click on Create Certificate Request

This request will generate a file named certreq.txt

I then send that to DoD and they generate a key for me.

I then take that key and:
1. Run inetmgr
2. Click on the Server
3. Double click on Server Certificates
4. From the Actions menu: click on Complete Certificate Request

Then I exported the cert so I could install it on the server I needed to remediate.
I installed the certificate on the server with the ACAS hit. I put it in mmc/certificate/computer/remote desktops/certificate and placed the self-signed certificate in Untrusted Certificates. I then logged out of the server to verify that the new certificate worked. When I first tried to RDP back into the server, it would not let me because it could not find the cert. I tried again after 30 seconds and it allowed me to log in, but it was using the self-signed cert again. I looked back in mmc/certificate/computer/remote desktops/certificate and it had regenerated the same self-signed cert. I verified this because the original cert that I placed in Untrusted Certificates was still there.

I even tried going to Administrative Tools | Remote Desktop Services | Desktop Session Host Configuration:
1. Right click the Connection
2. Select Properties
3. Click the General tab
4. Click Select right under Certificate (I got a popup that said, "There are no certificates Remote Desktop Session Host Server.")

So, the question is: how do I get rid of the self-signed cert and use the new cert I created for it? Do I need to install IIS on that server even though it is not a web server?
Question by: Skygod68

Expert Comment by: Andy M
Just copying the certificate to a file location won't actually install it to the server and therefore the rdp server will continue to use the self-signed certificate.

The following link describes how to install the certificate for use by RDP sessions: http://www.msdonkey.com/server/install-and-configure-a-remote-desktop-certificate-on-rd-session-host-servers/

Author Comment by: Skygod68
There is something wrong with that site.  It keeps locking up my computer every time I go to it.

Expert Comment by: Andy M
Strange, seems to work fine on the systems I've tried it on. Here's the general information provided:

It is necessary to install the certificate on all of the RD Session Host servers manually. This is because there is no way to do this using the Server Manager GUI, and the certificate is not applied to session host servers automatically when configuring the certificates on the other roles.

1. Open the MMC and open the Certificates snap-in
2. Add the Local Computer
3. Import the certificate into Computer\Personal
4. Open the certificate and find the thumbprint on the Details tab. Copy the thumbprint to Notepad and delete all the spaces.
5. Open up an elevated PowerShell prompt and write:
   wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="PASTE_THUMBPRINT_STRING"
6. You can check the certificate by running:
   Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

Accepted Solution by: Skygod68
Here is what I had to do to fix the ACAS hit.
1. I installed IIS on each server
2. Double click on Server Certificates
3. From the Actions menu: click on Complete Certificate Request
4. Saved the hash that IIS gave me.
5. I submitted that hash to DoD and they provided me with another hash that has a root CA cert as well as the server cert
6. I changed the text file the hash was on to a .cer file.
7. I went back into IIS and From the Actions menu: click on Complete Certificate Request
8. I imported the cer file into IIS
9. It will say it errored out, but it didn't; just close out IIS and reopen it.
10. Double click on Server Certificates and the new server certificate will be there.
11. Go to Administrative Tools | Remote Desktop Services | Desktop Session Host Configuration
12. Right click the Connection
13. Select Properties
14. Click the General tab
15. Click Select right under Certificate and the new certificate will appear there.
16. Verify by closing out your RDP session and RDPing back into the same server; your new cert should come up asking you to accept it.

Then you can uninstall IIS. I have used this method on 10 servers and they all cleared off our ACAS report.
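The two approaches in this thread, Andy M's WMI thumbprint binding and the IIS-based certificate request in the accepted solution, can be combined into one procedure that never needs IIS. The PowerShell below is an added example written for this page; it is not code from the thread, from either poster, or from Experts Exchange. It uses the built-in certreq.exe to create the request and accept the CA's response (so the private key is generated on the host and is never exported and copied between servers), grants NETWORK SERVICE read access to that key (the account the Remote Desktop Services listener runs as; without that access the listener keeps presenting its self-signed certificate), then writes SSLCertificateSHA1Hash on the RDP-Tcp listener and reads it back as the check. Assumptions that are not taken from the thread: the host FQDN resolves in DNS, the CA response is saved as C:\rdpcert\rdp.cer (a bare certificate or a PKCS#7 chain), the work directory path is a placeholder, and the RDP clients already trust the issuing CA chain. It targets the PowerShell 2.0 that ships with 2008 R2 and must run from an elevated prompt.

```powershell
# Added example, not from the thread: request, install and bind a CA-issued
# certificate to the RDP-Tcp listener on Windows Server 2008 R2 without IIS.
# Run from an elevated PowerShell 2.0 prompt. The CA round trip happens out of
# band, as in the thread, so the script runs in two phases (see the bottom).
# Assumed, not from the thread: the host FQDN resolves in DNS, the CA response
# is saved as C:\rdpcert\rdp.cer, and clients already trust the issuing chain.

function New-RdpCertRequest {
    param([string]$Fqdn, [string]$OutDir)
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # MachineKeySet=TRUE puts the key in the computer store, the only store the
    # RDP listener reads; Exportable=FALSE keeps the key on this host. Provider
    # type 12 is the RSA SChannel CSP that TLS on 2008 R2 uses.
    $inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    $infPath = Join-Path $OutDir 'rdp.inf'
    $csrPath = Join-Path $OutDir 'rdp.req'
    $inf | Set-Content -Path $infPath -Encoding ASCII
    # certreq.exe is built in and replaces IIS's "Create Certificate Request";
    # the pending request (with its private key) lands in LocalMachine\REQUEST.
    certreq.exe -new $infPath $csrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $csrPath
}

function Install-RdpCert {
    param([string]$Fqdn, [string]$CerPath)
    # -accept matches the issued certificate to the pending request and moves it
    # to LocalMachine\My with the private key attached. A PKCS#7 response is
    # accepted as well; the CA certificates it carries go to the CA stores.
    certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }
    return $cert
}

function Grant-NetworkServiceKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # TermService runs as NETWORK SERVICE. If that account cannot read the
    # private key file, the listener falls back to its self-signed certificate,
    # which is exactly what the ACAS plugin keeps flagging.
    $container = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
    icacls.exe $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:R' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyFile" }
}

function Set-RdpListenerCert {
    param([string]$Thumbprint)
    # PowerShell form of the wmic command quoted in the thread. The Thumbprint
    # property is already the bare SHA-1 hex string without spaces.
    $filter = "TerminalName='RDP-Tcp'"
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter $filter
    Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    # Read it back instead of trusting the write; otherwise the next scanner
    # run is the first thing that tells you the listener did not switch.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting -Filter $filter
    return ($ts.SSLCertificateSHA1Hash -eq $Thumbprint)
}

# Phase 1 runs until the CA response exists on disk; phase 2 runs once it does.
$workDir = 'C:\rdpcert'                     # placeholder path
$cerPath = Join-Path $workDir 'rdp.cer'     # save the CA response here
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if (-not (Test-Path $cerPath)) {
    $csr = New-RdpCertRequest -Fqdn $fqdn -OutDir $workDir
    Write-Host "Submit $csr to the CA, save the issued certificate as $cerPath, then rerun."
} else {
    $cert = Install-RdpCert -Fqdn $fqdn -CerPath $cerPath
    Grant-NetworkServiceKeyRead -Cert $cert
    if (Set-RdpListenerCert -Thumbprint $cert.Thumbprint) {
        Write-Host "RDP-Tcp now presents $($cert.Subject) ($($cert.Thumbprint)); reconnect to confirm."
    } else {
        throw 'Listener still reports a different thumbprint; check the key ACL and the System event log.'
    }
}
```

Run the script once to produce rdp.req, submit that file to the CA, save the response as rdp.cer in the same directory, and run it again to install and bind. The self-signed certificate in the Remote Desktop store can be left where it is; the listener stops presenting it once the thumbprint points at the issued certificate, and deleting it only causes the service to regenerate it, as the question describes. The subject CN must match the name clients type into mstsc, and the issuing chain must be trusted by both the clients and the scanner, or the prompt (and the finding) simply changes shape rather than going away.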
Author Closing Comment by: Skygod68
After researching for countless days, I found that the best way to fix my issue is what I stated. There might be an easier way, but I have not found it, and my solution did remediate the servers I implemented this on.