Replace RDP Default Self-Signed Certificate

Steps to replace the RDP default self-signed certificate and fix the finding reported by the Nessus scanner

You will see the following error message when connecting to a remote server via Remote Desktop (RDP) because the default self-signed SSL certificate is used


Certificate Template for RDS

  1. Right-click Certificate Templates and select Manage

  2. Highlight the Computer template, right-click it and select Duplicate Template

  3. Change the Template display name to RDS

  4. Select Extensions – Application Policies and remove all the existing application policies

Click Add to include the following

  • Name = Remote Desktop Authentication
  • Object Identifier = 1.3.6.1.4.1.311.54.1.2

  5. Right-click Certificate Templates and select New – Certificate Template to Issue, then select the RDS template

  6. Verify RDS is shown under Certificate Templates

Replace RDP Default Self-Signed Certificate

A. Enforce with the Default Domain Group Policy

Open Group Policy Management and edit the Default Domain Policy to apply the Certificate Template to all servers in the AD Domain

Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template and enter the Template Name that you created

Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections and change the Security Layer to SSL

Run “gpupdate /force” and restart Remote Desktop Services to force the settings to be applied immediately

#Force GPO to update immediately
gpupdate /force
#Restart RDS Service (-Force also restarts the services that depend on TermService, such as UmRdpService)
Restart-Service TermService -Force

The RDS authentication certificate is now installed under Certificates – Local Computer

There is NO SSL certificate error when you log in to the remote server by FQDN via Remote Desktop now
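To confirm the change the way the scanner sees it, the following added example (not part of the original post) connects to the RDP listener from a client, requests TLS with an X.224 Connection Request and reads back the certificate the server presents. It then reports whether that certificate is still self-signed (Subject equal to Issuer), whether its name matches the FQDN clients type, and whether the chain builds on the client. It assumes Windows PowerShell 5.1 or later and TCP reachability to the server on 3389; the function names are my own.

```powershell
# Added example: fetch the certificate an RDP listener presents and check it is CA-issued.
function Get-RdpServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389
    )

    # X.224 Connection Request carrying an RDP Negotiation Request for
    # PROTOCOL_SSL | PROTOCOL_HYBRID (0x03). The server replies with an X.224
    # Connection Confirm, and the TLS handshake then runs on the same socket.
    $connectionRequest = [byte[]](
        0x03,0x00,0x00,0x13,                  # TPKT header, total length 19
        0x0E,0xE0,0x00,0x00,0x00,0x00,0x00,   # X.224 CR TPDU (class 0)
        0x01,0x00,0x08,0x00,                  # rdpNegReq: type 1, flags 0, length 8
        0x03,0x00,0x00,0x00                   # requestedProtocols = TLS | CredSSP
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        $stream.Write($connectionRequest, 0, $connectionRequest.Length)

        # Read the TPKT header first so an 11-byte confirm without rdpNegRsp
        # (legacy RDP security only) does not make us block on missing bytes.
        $header = New-Object byte[] 4
        if ($stream.Read($header, 0, 4) -ne 4) { throw "No X.224 Connection Confirm received" }
        $total = ($header[2] -shl 8) -bor $header[3]
        $body  = New-Object byte[] ($total - 4)
        $read  = 0
        while ($read -lt $body.Length) {
            $n = $stream.Read($body, $read, $body.Length - $read)
            if ($n -le 0) { throw "Connection closed during X.224 Connection Confirm" }
            $read += $n
        }
        # Body offset 7 is the rdpNegRsp (0x02) / rdpNegFailure (0x03) type byte.
        if ($body.Length -lt 8 -or $body[7] -ne 0x02) {
            throw "Server did not agree to TLS on the RDP listener"
        }

        # Accept whatever certificate is offered so it can be inspected; trust is
        # evaluated separately in Test-RdpCertificate.
        $ssl = New-Object System.Net.Security.SslStream(
            $stream, $false, { param($s, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-RdpCertificate {
    param([Parameter(Mandatory)][string]$ComputerName)
    $cert  = Get-RdpServerCertificate -ComputerName $ComputerName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        ComputerName = $ComputerName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        # The default RDP certificate is self-issued, so Subject equals Issuer.
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        # mstsc still warns when the name typed by the user is not on the certificate.
        NameMatches  = ($cert.Subject -eq "CN=$ComputerName") -or
                       ($cert.DnsNameList.Unicode -contains $ComputerName)
        ChainTrusted = $chainOk
        ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Usage, with the server name from this post:
Test-RdpCertificate -ComputerName ib-ccdb.ibernas.plgroup.com.my | Format-List
```

After either method in this post has been applied, SelfSigned should read False, NameMatches True and ChainTrusted True on a domain-joined client. A True in SelfSigned after the GPO has been applied usually means the server has not yet enrolled for the template (check gpupdate and the Restart-Service step above) or the listener was not restarted.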

B. Replace RDP Default Self-Signed Certificate manually

Open the Certification Authority console and modify the RDS template following the steps below

  1. Change the Compatibility settings to
  • Certification Authority – Windows Server 2008 R2 or above
  • Certificate Recipient – Windows 7 / Server 2008 R2 or above

  2. Go to Subject Name, select Supply in the request, and tick Use subject information from existing certificates for autoenrollment renewal requests

Request RDS Certificate from Server

Open Certificates – Local Computer with certlm.msc and select Create Custom Request

Select RDS Template

Click Properties

Select Common Name and enter the FQDN of the Server

Enter a Friendly Name to identify this certificate

Save the Offline Request

Log in to http://CA_SERVER/certsrv and select Request a Certificate

Select Advanced Certificate Request

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the content of the Offline Request and select RDS as the Certificate Template

Download the issued certificate and import it into Certificates – Local Computer

Check the Thumbprint of the RDS Certificate

Set-Location Cert:\LocalMachine\my 
Get-ChildItem

Thumbprint                                Subject
----------                                -------
AA439E86EA877521C5A98460DBEBA70CC28C70E6  CN=ib-ccdb.ibernas.plgroup.com.my

Replace the default self-signed certificate with the RDS certificate

#Replace Certificate for RDS 
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="AA439E86EA877521C5A98460DBEBA70CC28C70E6"

Verify the RDS Certificate is installed successfully

Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"

SecurityLayer                          : 2
SSLCertificateSHA1Hash                 : AA439E86EA877521C5A98460DBEBA70CC28C70E6
SSLCertificateSHA1HashType             : 3
Status                                 :
TerminalName                           : RDP-Tcp
TerminalProtocol                       : Microsoft RDP 8.0
Transport                              : tcp
UserAuthenticationRequired             : 1
WindowsAuthentication                  : 0
PSComputerName                         : IB-CCDB

The new RDS certificate will be presented when we connect to the server via Remote Desktop now
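The manual steps above (check the thumbprint, bind it with wmic, verify with Get-WmiObject) can be done in one script so the thumbprint is never copied by hand. The following added example (not part of the original post) selects the certificate from Cert:\LocalMachine\My by the Remote Desktop Authentication EKU from the template (1.3.6.1.4.1.311.54.1.2), excludes the default self-signed certificate and expired ones, binds the result to the RDP-Tcp listener through the same Win32_TSGeneralSetting class the post uses, and re-reads the listener to confirm. It assumes an elevated PowerShell session on the server itself; the function names are my own.

```powershell
# Added example: bind the CA-issued RDS certificate to the RDP-Tcp listener and verify.
$RdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication, as in the RDS template
$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Select-RdsCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$EkuOid
    )
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.Subject -ne $_.Issuer -and                          # skip the default self-signed cert
            $_.NotAfter -gt (Get-Date) -and
            $_.Subject -eq "CN=$Fqdn" -and                         # name clients will type
            ($_.EnhancedKeyUsageList.ObjectId -contains $EkuOid)   # issued from the RDS template
        } |
        Sort-Object NotAfter -Descending |                         # newest certificate wins
        Select-Object -First 1
}

function Get-RdpListener {
    Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\TerminalServices `
        -Filter "TerminalName='RDP-Tcp'"
}

function Set-RdpListenerCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $listener = Get-RdpListener
    # Same property the wmic command in this post sets, written through the instance path.
    Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
    # Re-read the listener instead of trusting the value we just wrote.
    (Get-RdpListener).SSLCertificateSHA1Hash
}

$cert = Select-RdsCertificate -Fqdn $Fqdn -EkuOid $RdpAuthEku
if (-not $cert) {
    throw "No CA-issued certificate for CN=$Fqdn with the Remote Desktop Authentication EKU in LocalMachine\My"
}

$bound = Set-RdpListenerCertificate -Thumbprint $cert.Thumbprint
if ($bound -ne $cert.Thumbprint) {
    throw "RDP-Tcp is still bound to $bound, expected $($cert.Thumbprint)"
}

$listener = Get-RdpListener
"RDP-Tcp now uses $($cert.Subject) issued by $($cert.Issuer)"
"Thumbprint $bound, SecurityLayer $($listener.SecurityLayer) (2 = SSL/TLS)"
```

If the WMI write succeeds but clients still receive the self-signed certificate after a listener restart, the usual cause is that the private key of the new certificate is not readable by the account Remote Desktop Services runs as (NETWORK SERVICE); grant it Read on the private key in certlm.msc (All Tasks – Manage Private Keys) and restart TermService again.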
