February 15, 2024
Step-by-Step Procedure to Deploy RDP Certificates Using GPO


Remote Desktop Protocol (RDP) is an essential tool for IT administrators to remotely manage servers and desktops. However, by default, RDP uses weak encryption and is susceptible to man-in-the-middle attacks. Administrators use RDP certificates to secure weak RDP connections. In an earlier blog post, Step By Step Procedure To Fix The RDP Certificate Error On Windows Servers, we showed how to get an RDP certificate and how to bind that certificate to a Windows server. Deploying RDP certificates on one server or a small number of servers is manageable, but in larger environments doing it by hand is laborious. There, administrators can use Group Policy Objects (GPOs) to deploy RDP certificates.

RDP certificates utilize the Transport Layer Security (TLS) protocol to authenticate and encrypt RDP connections. The certificates are issued by an internal Public Key Infrastructure (PKI) or Certificate Authority (CA). When RDP clients connect to servers, the server presents the RDP certificate, which the client validates against the CA. This prevents attackers from intercepting the connection.

In this step-by-step tutorial, we will walk through the process of deploying RDP certificates using GPOs on a Windows domain environment. We will cover:

  • Configuring a CA template for RDP authentication

  • Publishing the template on the CA

  • Creating and linking a GPO to deploy the template

  • Verifying certificate enrollment and RDP connections

By the end of this guide, you will have learned how to enhance the security of RDP in your organization using PKI certificates and group policy. Let's get started!

Prerequisites to Deploy RDP Certificates using GPO

  • Windows Server with Active Directory Domain Services installed

  • Windows Server with Certificate Authority role installed

  • Administrative access to Domain Controller

  • Administrative access to Certificate Authority

  • Administrative access to Group Policy Management

How to Deploy RDP Certificates Using GPO?

Following these steps will allow you to securely deploy RDP certificates using group policy.

Step 1. Install the Certificate Authority (CA) Role

The first step is to install the Certificate Authority role on a Windows Server. This will be the CA that issues and manages certificates for your organization.

On the server you want to be the root CA, open Server Manager and click Add roles and features. On the Server Roles step, check the box for Active Directory Certificate Services. Complete the wizard to install the role.

After installation, open the Certification Authority console. Right-click on the server name and click Configure Active Directory Certificate Services on the destination server. Choose the Root CA configuration and complete the wizard.

Your CA is now ready to start issuing certificates.

Follow these blog posts to learn how to set up different types of Certificate Authorities:

  • What Are The Different Types Of Certificate Authority

  • Choosing the Right CA Type: Types of Certificate Authorities in ADCS

  • Step-By-Step Procedure To Set Up An Enterprise Root CA On Windows Server

  • Step-By-Step Procedure To Set Up A Standalone Root CA On Windows Server

  • Step-By-Step Procedure To Set Up An Enterprise Issuing CA In ADCS

Step 2. Create a Certificate Template for RDP Authentication

We need to create a certificate template on the CA specifically for RDP authentication. This will allow computers to request certificates for this purpose.

In the Certification Authority console, right-click on Certificate Templates and click Manage. In the Certificate Templates console, right-click on the Computer template and click Duplicate Template.

On the General tab, give the template a name like RDP Authentication and change other properties like validity period if desired.

On the Extensions tab, click Edit. Remove the Client Authentication extension and click Add > New. Name the new extension Remote Desktop Authentication and give it an object identifier of 1.3.6.1.4.1.311.54.1.2. This identifies it as an RDP auth certificate.

On the Security tab, add the computers and groups you want to be able to enroll for this template. On the Cryptography tab, set a suitable key length like 2048 or higher. Click OK to create the template.

Step By Step Procedure To Fix The RDP Certificate Error On Windows Servers
How to Create a Template for RDP Certificate in a Local Certificate Authority?

Step 3. Publish the Template to the CA

In order for computers to request the new template, we need to publish it to the CA.

In the Certification Authority console, right-click Certificate Templates and click New > Certificate Template to Issue. Select your new RDP template and click OK to publish it.

Step 4. Create a GPO to Deploy the Template

We now need to configure a Group Policy Object that will be linked to the Active Directory container holding the hosts that should be able to request the certificate template.

Start by creating a new GPO or selecting an existing GPO, right-click, and choose Edit.

Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security. Select the Server authentication certificate template policy.

Click on Enable, and under Certificate Template Name, enter the name of the certificate template created earlier. For example, RDP Authentication.

Click OK to set the server auth certificate template.

This will deploy the selected template to computers the GPO is applied to.

Step 5. Enable Server authentication certificate template policy

Step 6. Configure RDP to Use SSL/TLS

While still editing the GPO, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Double-click on the Require use of specific security layer for remote (RDP) connections policy. Enable it and select SSL from the drop-down menu.

Step 7. Link GPO to OU

Link the GPO to the OU containing the servers and desktops that need RDP certificates. They will auto-enroll when Group Policy is updated.

To force an immediate update, run gpupdate /force on a client computer, or reboot it.

Step 8. Force update the group policy on the server

Step 9. Verify Certificate Enrollment

To confirm that certificates have been enrolled successfully, open the Certification Authority console, right-click on Issued Certificates, and click Find Certificates. Search for your RDP template name.

You should see certificates issued to your computers. The templates column will show RDP Authentication, for example.

Step 10. Verify RDP Connectivity

Finally, test connecting to a server via RDP using a TLS connection. You should not receive any certificate errors if you enrolled successfully.

Check that the connection is encrypting traffic under the General tab by clicking the Settings button in the RDP client. That's it.
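The same verification can be done on the server itself. The PowerShell below is an added example, not part of the original procedure: it reads the two policy values set in the GPO, then checks that the certificate bound to the RDP listener is a CA-issued certificate carrying the Remote Desktop Authentication OID from Step 2. The default template name is the page's example value and is an assumption; replace it with the name you entered in the GPO.

```powershell
# Added example: run in an elevated PowerShell session on a server in the GPO's scope.
# $ExpectedTemplate is an assumption; pass the template name entered in the GPO.
param([string]$ExpectedTemplate = 'RDP Authentication')

$RdpAuthOid = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication OID (Step 2)
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry values written by the two GPO settings from Steps 4 and 6
$policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

# Effective settings of the RDP listener, including the bound certificate's thumbprint
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# Enrolled certificates land in the computer's Personal store. The self-signed
# fallback lives in the separate "Remote Desktop" store, so no match here means
# the listener is still presenting the self-signed certificate.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $listener.SSLCertificateSHA1Hash } |
    Select-Object -First 1

$ekuOids = @()
if ($cert) { $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) }

$result = [pscustomobject]@{
    PolicyTemplateName    = $policy.CertTemplateName
    TemplateNameMatches   = ($policy.CertTemplateName -eq $ExpectedTemplate)
    PolicySecurityLayer   = $policy.SecurityLayer      # 2 = SSL (TLS)
    ListenerSecurityLayer = $listener.SecurityLayer    # 0 = RDP, 1 = Negotiate, 2 = SSL
    BoundThumbprint       = $listener.SSLCertificateSHA1Hash
    CertInPersonalStore   = [bool]$cert
    Issuer                = $cert.Issuer
    SelfSigned            = ([bool]$cert -and ($cert.Subject -eq $cert.Issuer))
    HasRdpAuthEku         = ($ekuOids -contains $RdpAuthOid)
    NotAfter              = $cert.NotAfter
}
$result | Format-List

# Deployment is healthy only when every condition below holds
$ok = $result.TemplateNameMatches -and $result.ListenerSecurityLayer -eq 2 -and
      $result.CertInPersonalStore -and -not $result.SelfSigned -and $result.HasRdpAuthEku
if ($ok) { 'PASS: listener is bound to a CA-issued RDP certificate and requires TLS.' }
else     { 'FAIL: review the fields above, then re-run gpupdate /force and check again.' }
```

If CertInPersonalStore is False after a policy refresh, check the template's Security tab: the computer account needs permission to enroll before the listener can replace its self-signed certificate.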

Conclusion

Following these steps will allow you to securely implement RDP in your environment using PKI certificates and group policy. Key benefits include:

  • Encrypted RDP connections preventing MITM attacks

  • Mutual authentication between client and server

  • No need to manually manage certificates

  • Seamless end-user experience

RDP provides essential remote access for IT administration. Hardening it with certificates and GPO takes things to the next level. This enhances security and reduces risk without impacting functionality.

Let us know in the comments if you have any questions! We are happy to help with implementing this in your own infrastructure. We hope this post helps you understand how to deploy RDP certificates using GPOs in a Windows domain environment. Thanks for reading this post.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.