Configure RDP over SSL with SelfSSL
Windows 2003 Service Pack 1 included a new feature, RDP over SSL. It lets you add TLS authentication and encryption to your RDP connections; in this walkthrough the SSL certificate is created with SelfSSL. The connection still uses RDP on TCP port 3389, so your firewall rules should not need to be modified.
Before we get started there are a few prerequisites on both the server side and the client side that need to be met first.
Server-side
- The Terminal Server must run 2003 SP1
- The Terminal Server must have a certificate from a Windows CA or a 3rd Party CA
- The certificate must meet the following criteria
  - Certificate is a computer certificate
  - Certificate is for server authentication
  - Certificate must have a private key
  - Certificate is stored in the TS personal store
  - Certificate has a Cryptographic Service Provider that can be used for TLS/SSL
Client-side
- Must run Windows 2000, Windows XP, or Windows 2003
- Must use RDP Client 5.2; this can be found on the 2003 SP1 server under %systemroot%\system32\clients\tsclient\win32\msrdpcli.msi
- Must trust the root CA for the certificate
If you do not have a CA, don't wish to spend money on a "real" SSL cert, or just want to do some testing, you can use SelfSSL from the IIS 6.0 Resource Kit. Once you have downloaded and installed SelfSSL, run it with the following command:
SelfSSL.exe /N:CN=domain.com /V:365
The command creates and installs a certificate for domain.com that is valid for 365 days. If IIS is not installed you may see an error message; it can be ignored, as the SSL certificate is still created and installed. The CN must be the name clients will use to reach the Terminal Server, otherwise they will get a name mismatch.
Next open up Administrative Tools, and launch the Terminal Server Configuration applet. Right-click RDP-Tcp and select properties.
Click Edit next to Certificate and you will be shown the SSL certificate that SelfSSL created. Select it and click OK.
Next, select SSL from the Security Layer drop-down box and set the Encryption Level to High.
Now you will need to install the new RDP client on all workstations that will be accessing the Terminal Server. You will notice a new tab under the connection properties called Security. Select this tab and then choose Require Authentication from the drop-down.
When you try to connect, you will be denied access because the SSL cert is not trusted. Click View Certificate, and then Install to install the certificate into the local machine's certificate store.
Attempt to connect again and the connection will be allowed. You are now connected through RDP over SSL. If you are connected in full screen mode, you will see the SSL lock symbol next to the pushpin in the yellow toolbar.
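Once the listener is configured it is worth verifying the result from the server itself rather than trusting the dialog boxes. The following PowerShell script is an added example, not part of the original post. It assumes PowerShell has been installed on the Terminal Server, that the RDP-Tcp listener stores its settings under the standard WinStations registry key (SecurityLayer, MinEncryptionLevel and the bound certificate thumbprint in SSLCertificateSHA1Hash), and that the expected name is the placeholder domain.com from the SelfSSL command. It checks the Security Layer and Encryption Level chosen in Terminal Server Configuration, then tests the bound certificate against the criteria listed under Server-side (Personal store, private key, Server Authentication usage, name, validity) and reports whether this host would trust it, which a SelfSSL certificate will not until it has been installed as described above.

```powershell
# Added example (not from the original post). Audits the RDP-Tcp listener against the
# certificate criteria in the post. Assumptions: standard WinStations registry path,
# run as a local administrator, expected CN is the placeholder domain.com.
function Test-RdpTlsConfig {
    param(
        [string]$ExpectedCn = 'domain.com',
        [string]$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    $findings = @()
    $rdp = Get-ItemProperty -Path $ListenerKey

    # Values written by Terminal Server Configuration: SecurityLayer 2 = SSL,
    # MinEncryptionLevel 3 = High (1 = Low, 2 = Client Compatible, 4 = FIPS).
    if ($rdp.SecurityLayer -ne 2) {
        $findings += "SecurityLayer is $($rdp.SecurityLayer); expected 2 (SSL)"
    }
    if ($rdp.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel is $($rdp.MinEncryptionLevel); expected 3 (High)"
    }

    # The bound certificate is recorded as the raw SHA-1 thumbprint bytes (REG_BINARY).
    if (-not $rdp.SSLCertificateSHA1Hash) {
        $findings += 'No certificate is bound to the RDP-Tcp listener'
        return $findings
    }
    $thumb = ($rdp.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''

    # Criterion: certificate is in the computer's Personal (My) store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $findings += "Bound certificate $thumb is not in the computer's Personal store"
        return $findings
    }

    # Criterion: private key present (otherwise the listener cannot complete the TLS handshake).
    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no private key'
    }

    # Criterion: usable for server authentication. A certificate with no EKU extension is
    # valid for all purposes, so only flag an EKU that is present but lacks Server Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if ($eku) {
        $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
        if (-not $serverAuth) {
            $findings += 'Certificate EKU does not include Server Authentication (1.3.6.1.5.5.7.3.1)'
        }
    }

    # Validity window; SelfSSL defaults to a short lifetime unless /V was given.
    $now = Get-Date
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
        $findings += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # The CN must match the name clients type into the RDP client.
    if ($cert.Subject -notmatch "CN=$([regex]::Escape($ExpectedCn))(,|$)") {
        $findings += "Certificate subject '$($cert.Subject)' does not name $ExpectedCn; clients will see a name mismatch"
    }

    # Client-side view: does the certificate chain to a root this host trusts? A SelfSSL
    # certificate fails here until it has been installed into the client's store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "Certificate does not chain to a trusted root on this host ($status)"
    }

    return $findings
}

$result = Test-RdpTlsConfig -ExpectedCn 'domain.com'
if ($result.Count -eq 0) {
    Write-Output 'RDP-Tcp listener: SSL security layer, High encryption, certificate meets all criteria'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it in an elevated PowerShell session on the Terminal Server after completing the steps above. An empty result means the listener is configured the way the post describes; a "does not chain to a trusted root" finding on the server is expected for a SelfSSL certificate and simply mirrors the warning clients will see until they install it.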
For more information see:
Posted by tektip at 11/21/2006 12:18:00 PM
Labels: Remote Access