Steps to Replace RDP Default Self-Signed Certificate to fix the vulnerability detected by Nessus Scanner
You will see the following error message when connecting to a remote server via Remote Desktop (RDP), because RDP uses its default self-signed SSL certificate unless another one is configured
Certificate Template for RDS
- Right click on Certificate Template and Manage
- Highlight Computer and right click to select Duplicate Template
- Change the Template Name to RDS
- Select Extensions – Application Policies and remove all the existing Application policies
Click Add to include the following
- Name = Remote Desktop Authentication
- Object Identifier = 1.3.6.1.4.1.311.54.1.2
- Right click Certificate Template, select New – Certificate Template to Issue, and choose the RDS Template
- Verify RDS is shown in Certificate Template
Replace RDP Default Self Sign Certificate
A. Enforce with Default Domain Group Policy
Open Group Policy Management and edit the Default Domain Policy to apply the Certificate Template to all servers in the AD Domain
Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template and enter the Template Name that you created
Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections and change the Security Layer to SSL
Run “gpupdate /force” and Restart Remote Desktop Services to force the settings to be applied immediately
#Force GPO to update immediately
gpupdate /force
#Restart RDS Service
Restart-Service TermService
RDS Authentication Certificate is installed successfully in Certificate – Local Computer
There is NO SSL Certificate error when you login to Remote Server with FQDN via Remote Desktop now
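To confirm that the GPO really replaced the listener certificate (rather than only suppressing the warning on one client), the following added example, not code from the original post, audits the certificate bound to the RDP-Tcp listener. It checks the conditions a scanner flags on the default listener: self-signed issuer, name not matching the host FQDN, missing Remote Desktop Authentication EKU, expired validity, and a security layer other than SSL. The registry value name CertTemplateName is the policy-backed setting behind "Server Authentication Certificate Template"; the EKU OID and the security layer value 2 come from the steps above. Run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the original post): audit the RDP-Tcp listener certificate.
$RdsAuthEku    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication, from the RDS template
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'        # Server Authentication, also accepted by RDS

function Test-RdpListenerCertificate {
    [CmdletBinding()]
    param([string]$TerminalName = 'RDP-Tcp')

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Policy value written by the "Server Authentication Certificate Template" GPO setting.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
                               -ErrorAction SilentlyContinue
    if (-not $policy.CertTemplateName) {
        $findings.Add('No CertTemplateName policy value present; the GPO from part A has not applied')
    }

    # Effective listener configuration (same class the wmic/Get-WmiObject commands use).
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
                                -Filter "TerminalName='$TerminalName'"
    if ($listener.SecurityLayer -ne 2) {
        $findings.Add("SecurityLayer is $($listener.SecurityLayer), expected 2 (SSL)")
    }

    $thumb = $listener.SSLCertificateSHA1Hash
    # The default self-signed certificate lives in the 'Remote Desktop' store, an enrolled
    # one in 'My'. Search both so the report can name the issuer either way.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' `
                          -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        $findings.Add("Bound thumbprint $thumb was not found in the local machine stores")
        return [pscustomobject]@{ Thumbprint = $thumb; Compliant = $false; Findings = $findings }
    }

    # A self-signed certificate has identical Subject and Issuer.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings.Add("Certificate is self-signed (issuer $($cert.Issuer))")
    }
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $findings.Add("Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))")
    }

    # Clients connect by FQDN, so the FQDN must appear in the subject CN or a SAN entry.
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($cert.Subject -match '^CN=([^,]+)') { $names += $Matches[1] }
    if ($names -notcontains $fqdn) {
        $findings.Add("Certificate names [$($names -join ', ')] do not include host FQDN $fqdn")
    }

    # If an EKU extension is present it must allow RDS use.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $RdsAuthEku -and $ekus -notcontains $ServerAuthEku) {
        $findings.Add("EKU [$($ekus -join ', ')] lacks Remote Desktop Authentication or Server Authentication")
    }

    [pscustomobject]@{
        Thumbprint = $thumb
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Template   = $policy.CertTemplateName
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-RdpListenerCertificate | Format-List
```

A Compliant value of True with an empty Findings list means the listener presents a CA-issued certificate for the server's FQDN over SSL, which is the state the scanner check expects; any entry in Findings tells you which of the steps above did not take effect on that host.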
B. Replace RDP Default Self-Signed Certificate manually
Open Certificate Authority and modify the RDS Template following the steps below
- Change the Compatibility to
- Certification Authority – Windows Server 2008 R2 or above
- Certificate Recipient – Windows 7 / Server 2008 R2 or above
- Go to Subject Name to Select Supply in the request and Use subject information from existing certificate for autoenrollment renewal request
Request RDS Certificate from Server
Open Certificate – Local Computer with certlm.msc and select Create Custom Request
Select RDS Template
Click Properties
Select Common Name and enter the FQDN of the Server
Enter a Friendly Name to identify this certificate
Save the Offline Request
Login to http://CA_SERVER/certsrv and select Request a Certificate
Select Advanced Certificate Request
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Paste the content of Offline Request and select RDS as Certificate Template
Download and import to Certificate – Local Computer
Check the Thumbprint of the RDS Certificate
Set-Location Cert:\LocalMachine\my
Get-ChildItem
Thumbprint Subject
---------- -------
AA439E86EA877521C5A98460DBEBA70CC28C70E6 CN=ib-ccdb.ibernas.plgroup.com.my
Replace the default self-signed certificate with the RDS Certificate
#Replace Certificate for RDS
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="AA439E86EA877521C5A98460DBEBA70CC28C70E6"
Verify the RDS Certificate is installed successfully
Get-WmiObject "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
SecurityLayer : 2
SSLCertificateSHA1Hash : AA439E86EA877521C5A98460DBEBA70CC28C70E6
SSLCertificateSHA1HashType : 3
Status :
TerminalName : RDP-Tcp
TerminalProtocol : Microsoft RDP 8.0
Transport : tcp
UserAuthenticationRequired : 1
WindowsAuthentication : 0
PSComputerName : IB-CCDB
The new RDS Certificate will be used when we connect to the server via Remote Desktop now
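The wmic one-liner above binds whatever thumbprint you paste in, so a typo or a pick of the wrong certificate goes unnoticed until the next connection. The following added example, which is not code from the original post, does the same binding through CIM (wmic is deprecated on current Windows releases) and selects the certificate from Cert:\LocalMachine\My by the properties the RDS template produces: a private key, a CA issuer rather than a self-signed one, the Remote Desktop Authentication EKU from the template, and the host FQDN in the subject or SAN. It supports -WhatIf so the choice can be reviewed before the listener changes, and re-reads the listener afterwards, as the Get-WmiObject check above does. The function names are my own.

```powershell
# Added example (not from the original post): bind the enrolled RDS certificate via CIM.
$RdsAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication OID from the RDS template

function Select-RdsCertificate {
    param([Parameter(Mandatory)][string]$Fqdn)

    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object {
            $_.HasPrivateKey -and                                     # listener needs the key
            $_.Subject -ne $_.Issuer -and                             # not self-signed
            $_.NotAfter -gt (Get-Date) -and                           # still valid
            ($_.EnhancedKeyUsageList.ObjectId -contains $RdsAuthEku) -and
            (($_.DnsNameList.Unicode -contains $Fqdn) -or ($_.Subject -eq "CN=$Fqdn"))
        } |
        Sort-Object NotAfter -Descending |   # if several match, prefer the one expiring last
        Select-Object -First 1
}

function Set-RdpListenerCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TerminalName = 'RDP-Tcp',
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $cert = Select-RdsCertificate -Fqdn $Fqdn
    if (-not $cert) {
        throw "No CA-issued certificate with the Remote Desktop Authentication EKU for $Fqdn in Cert:\LocalMachine\My"
    }

    # Same class and property the wmic command above sets.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
                                -Filter "TerminalName='$TerminalName'"
    if ($listener.SSLCertificateSHA1Hash -eq $cert.Thumbprint) {
        Write-Verbose "Listener already uses $($cert.Thumbprint); nothing to do"
        return $listener
    }

    if ($PSCmdlet.ShouldProcess($TerminalName, "bind certificate $($cert.Thumbprint) ($($cert.Subject))")) {
        $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $cert.Thumbprint }
        Restart-Service -Name TermService -Force

        # Re-read the listener and confirm the change took effect.
        $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName 'Win32_TSGeneralSetting' `
                                    -Filter "TerminalName='$TerminalName'"
        if ($listener.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
            throw "Listener still reports $($listener.SSLCertificateSHA1Hash) after the update"
        }
    }
    $listener
}

# Preview the selected certificate first, then apply:
# Set-RdpListenerCertificate -WhatIf
# Set-RdpListenerCertificate -Verbose
```

Run it elevated. The security layer is left to the GPO from part A, so the function only changes the certificate binding. One caveat for certificates imported by hand as in this section: Remote Desktop Services reads the private key as NETWORK SERVICE, so that account needs read access to the key (Manage Private Keys in certlm.msc); without it the listener keeps falling back to the self-signed certificate even though the thumbprint is set.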
Reference Links