Remote Desktop Protocol (RDP) is an essential tool for IT administrators to remotely manage servers and desktops. However, by default, RDP uses weak encryption and is susceptible to man-in-the-middle attacks. Administrators deploy RDP certificates to secure these connections. We have published a blog post, “Step By Step Procedure To Fix The RDP Certificate Error On Windows Servers”, in which we showed how to obtain an RDP certificate and bind it to a Windows server. Deploying RDP certificates on one server, or a handful of servers, is manageable, but doing it by hand in a larger environment is laborious. Administrators can instead use Group Policy Objects (GPOs) to deploy RDP certificates at scale.
RDP certificates are used with the Transport Layer Security (TLS) protocol to authenticate the server and encrypt RDP connections. The certificates are issued by an internal Public Key Infrastructure (PKI) or Certificate Authority (CA). When an RDP client connects to a server, the server presents its RDP certificate, which the client validates against the CA. This lets the client detect an interposed host, which prevents attackers from silently intercepting the connection.
In this step-by-step tutorial, we will walk through the process of deploying RDP certificates using GPOs on a Windows domain environment. We will cover:
- Configuring a CA template for RDP authentication
- Publishing the template on the CA
- Creating and linking a GPO to deploy the template
- Verifying certificate enrollment and RDP connections
By the end of this guide, you will have learned how to enhance the security of RDP in your organization using PKI certificates and group policy. Let’s get started!
Prerequisites to Deploy RDP Certificates using GPO
- Windows Server with Active Directory Domain Services installed
- Windows Server with Certificate Authority role installed
- Administrative access to Domain Controller
- Administrative access to Certificate Authority
- Administrative access to Group Policy Management
Following these steps will allow you to securely deploy RDP certificates using group policy.
Time needed: 2 hours
How to Deploy RDP Certificates Using GPO?
- Install the Certificate Authority (CA) Role
The first step is to install the Certificate Authority role on a Windows Server. This will be the CA that issues and manages certificates for your organization.
On the server you want to be the root CA, open Server Manager and click “Add roles and features”. On the Server Roles step, check the box for Active Directory Certificate Services. Complete the wizard to install the role.
After installation, open the Certification Authority console. Right-click on the server name and click “Configure Active Directory Certificate Services on the destination server”. Choose the Root CA configuration and complete the wizard.
Your CA is now ready to start issuing certificates.
- Create a Certificate Template for RDP Authentication
We need to create a certificate template on the CA specifically for RDP authentication. This will allow computers to request certificates for this purpose.
In the Certification Authority console, right-click on Certificate Templates and click Manage. In the Certificate Templates console, right-click on the Computer template and click Duplicate Template.
On the General tab, give the template a name like “RDP Authentication” and change other properties like validity period if desired.
On the Extensions tab, click Edit. Remove the Client Authentication extension and click Add > New. Name the new extension “Remote Desktop Authentication” and give it the object identifier 1.3.6.1.4.1.311.54.1.2. This identifies it as an RDP authentication certificate.
On the Security tab, add the computers and groups that should be able to enroll for this template. On the Cryptography tab, set a minimum key size of 2048 bits or higher.
Click OK to create the template.
- Publish the Template to the CA
In order for computers to request the new template, we need to publish it to the CA.
In the Certification Authority console, right-click Certificate Templates and click New > Certificate Template to Issue. Select your new RDP template and click OK to publish it.
- Create a GPO to Deploy the Template
We now need to configure a Group Policy Object that will be linked to the Active Directory container holding the hosts we want to be able to request the certificate template.
Start by creating a new GPO or selecting an existing GPO, right-click, and choose Edit.
Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.
Select the Server authentication certificate template policy.
Click on Enable, and under Certificate Template Name, enter the name of the certificate template created earlier.
For example, “RDP Authentication”.
Click OK to set the server auth certificate template.
Computers the GPO is applied to will request a certificate from the selected template and use it for their RDP listener.
- Configure RDP to Use SSL/TLS
While still editing the GPO, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
Double-click on the “Require use of specific security layer for remote (RDP) connections” policy. Enable it and select SSL from the drop-down menu.
- Link GPO to OU
Link the GPO to the OU containing the servers or desktops that need RDP certificates. They will auto-enroll when Group Policy is refreshed.
To force an immediate refresh, run “gpupdate /force” on a client computer, or reboot it.
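The GPO steps above can also be scripted. The following PowerShell is an added example, not code from the original post: it creates the GPO, sets the two Remote Desktop Session Host security policies through the registry values they are backed by, and links the GPO to an OU. It uses the GroupPolicy module from RSAT. The GPO name and OU distinguished name are placeholders; the template name is the one created on the CA earlier. The registry key and value names (CertTemplateName and SecurityLayer under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) are assumed to be the ones the Remote Desktop Session Host ADMX policies write.

```powershell
# Added example (not from the original post). Creates and links a GPO that
# enables "Server authentication certificate template" and "Require use of
# specific security layer for remote (RDP) connections" = SSL.
#Requires -Modules GroupPolicy

param(
    [string]$GpoName      = 'RDP Certificate Deployment',     # placeholder
    [string]$TargetOU     = 'OU=Servers,DC=example,DC=com',   # placeholder
    [string]$TemplateName = 'RDP Authentication'              # template created on the CA
)

# Assumed: the policy-backed key used by the RDS Security ADMX policies.
$tsPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Create the GPO only if it does not already exist, so the script is re-runnable.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deploys RDP auth certificate template and requires TLS'
}

# "Server authentication certificate template" -> CertTemplateName (REG_SZ)
Set-GPRegistryValue -Name $GpoName -Key $tsPolicyKey `
    -ValueName 'CertTemplateName' -Type String -Value $TemplateName | Out-Null

# "Require use of specific security layer" -> SecurityLayer (DWORD)
# 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS). We require 2.
Set-GPRegistryValue -Name $GpoName -Key $tsPolicyKey `
    -ValueName 'SecurityLayer' -Type DWord -Value 2 | Out-Null

# Link the GPO to the OU that holds the RDP hosts, unless already linked.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Print the resulting settings so they can be reviewed before rollout.
Get-GPRegistryValue -Name $GpoName -Key $tsPolicyKey |
    Select-Object ValueName, Type, Value
```

Run it from a management host with RSAT installed, as an account that can edit GPOs and link them to the target OU. After it completes, the policy refresh described above applies the settings to the hosts in that OU.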
- Verify Certificate Enrollment
To confirm that certificates have been enrolled successfully, open the Certification Authority console, right-click on Issued Certificates, and click Find Certificates. Search for your RDP template name.
You should see certificates issued to your computers. The Certificate Template column will show “RDP Authentication,” for example.
- Verify RDP Connectivity
Finally, test connecting to a server via RDP over a TLS connection. You should not receive any certificate errors if enrollment succeeded.
Confirm that the connection is encrypting traffic by clicking the Settings button in the RDP client and checking the General tab. That’s it.
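Beyond checking the client dialog, it is worth verifying on each host that the right certificate is actually in use. The script below is an added example, not code from the original post: run on an RDP host after the policy refresh, it checks that a machine certificate carrying the Remote Desktop Authentication EKU was enrolled, that it chains to a trusted CA, that the RDP-Tcp listener is bound to that certificate rather than a self-signed one, and that the policy requires the TLS security layer. It assumes the EKU OID 1.3.6.1.4.1.311.54.1.2 (Microsoft's Remote Desktop Authentication EKU), the Win32_TSGeneralSetting WMI class with its SSLCertificateSHA1Hash property, and the same policy registry key as the GPO.

```powershell
# Added example (not from the original post). Verifies RDP certificate
# deployment on the local host. Run in an elevated PowerShell session.

$RdpAuthEku  = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU (assumed)
$tsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpAuthCertificate {
    # Machine certificates with a private key whose EKU list contains RDP auth,
    # newest expiry first.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and (
                $_.Extensions |
                    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                    ForEach-Object { $_.EnhancedKeyUsages } |
                    Where-Object { $_.Value -eq $RdpAuthEku }
            )
        } | Sort-Object NotAfter -Descending
}

function Test-RdpCertificateDeployment {
    $result = [ordered]@{}

    $cert = Get-RdpAuthCertificate | Select-Object -First 1
    $result.CertificateFound = [bool]$cert
    if ($cert) {
        $result.Subject      = $cert.Subject
        $result.Thumbprint   = $cert.Thumbprint
        $result.NotAfter     = $cert.NotAfter
        # Verify() builds the chain against the machine trust store; a
        # self-signed RDP certificate fails this check.
        $result.ChainTrusted = $cert.Verify()
    }

    # The certificate the RDP listener currently presents to clients.
    $listener = Get-CimInstance -Namespace root\CIMV2\TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $result.ListenerThumbprint       = $listener.SSLCertificateSHA1Hash
    $result.ListenerUsesEnrolledCert = [bool]($cert -and
        ($listener.SSLCertificateSHA1Hash -eq $cert.Thumbprint))

    # Policy-backed values written by the GPO (absent if the GPO did not apply).
    $policy = Get-ItemProperty -Path $tsPolicyKey -ErrorAction SilentlyContinue
    $result.PolicyTemplate = $policy.CertTemplateName
    $result.SecurityLayer  = $policy.SecurityLayer
    $result.TlsRequired    = ($policy.SecurityLayer -eq 2)

    [pscustomobject]$result
}

$status = Test-RdpCertificateDeployment
$status | Format-List
if (-not ($status.CertificateFound -and $status.ChainTrusted -and
          $status.ListenerUsesEnrolledCert -and $status.TlsRequired)) {
    Write-Warning 'RDP certificate deployment is incomplete on this host; review the fields above.'
}
```

A host where CertificateFound is true but ListenerUsesEnrolledCert is false has enrolled the certificate yet is still presenting another one (typically the self-signed default), which is the case that produces the client-side certificate warning the previous blog post addressed. Invoke-Command can run the same function across the OU to get a fleet-wide view.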