RDP and SHA-1 Deprecated

Hi

we have currently a internal CA it currently can only issue SHA-1. How will RDP behave after SHA-1 is Deprecated if we say as we are and not upgrade the internal CA.
joe_walshAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Scott CSenior Systems EnginerCommented:
If RDP behaves anything like OWA in Exchange you won't be able to get access from the outside.

I have a client with an Exchange server with a self-signed cert and OWA was working up until a couple of weeks ago.  Nothing has changed in their environment and now they can't use OWA from outside of the building.

Inside still works.

Going to have to purchase a "real" cert using SHA-2.
0
joe_walshAuthor Commented:
RDP has a MSTSC.exe client that is not a browser.
so my assumption it that SHA-1 deprecation  is all browser related
0
Brian MurphyIT ArchitectCommented:
Depends.  You might have internal Audit that shows this as a finding.

But, the certificate is bound to the RDP Service aka Registry Key.

You can do self-signed certificate which is default or change the binding to internal CA certificate.

So, it does technology impact only MSTSC..exe aka RDP Client connections.

If you have any websites using a internal certificate then any new browser like Chrome, IE 11, Firefox and so forth it will refuse at the client side.

I use ISCrypto.exe from www.ssllabs.com to test websites and clients.

I've disabled all SSL 1, 2 and 3.0 protocols.  Use TLS 1, 1.1, 1.2 only and removed all NULL, RC2, and RC4 streaming ciphers.

Clients and servers.

You can get a valid Verisign or "other" third-party CA that is SHA256 and 2048 Bit and use a generic FQDN with SPN Names added to the certificate.

This is not, however, best practice.  You would need a SERVERNAME.ADDOMAIN.FORESTNAME

Type of certificate unless you use Split-DNS and your internal/external DNS matches your AD Domain (dot) Forest.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.