How to allow RDP access based on client certificate


Solution 1

One way is by implementing a smart card solution. Probably not what you are looking for due to the cost and pain threshold, but many smart cards are actually just that (hardware-based certificates with strong private key protection), and the Remote Desktop integration is seamless.

Solution 2

You could set up IPsec with certificates on the affected machines, possibly in conjunction with NAP, and use the Windows Firewall to filter RDP traffic which is coming in unencrypted.

Here is a walkthrough for a scenario which is similar to your request but using preshared keys instead of certificates.

But keep in mind that "creating a certificate and copying this to all computers" is a bad idea all in itself - you obviously should create one certificate per client and set up your access rules accordingly. This ensures confidentiality of your connections along with the possibility to revoke certificates as they get lost / disclosed without breaking other machines' connections.

Edit: something that might look tempting is setting up a Remote Desktop Gateway (basically an HTTPS tunnel gateway for RDP) and requiring client certificate authentication upon SSL connection setup via the IIS properties (the Gateway is implemented as an ASP.NET application within IIS). This however seems to be unsupported by the Remote Desktop Client - there is no way to provide a client certificate for a proxied connection.
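As an added illustration of the IPsec approach in Solution 2 (this is example code, not part of the answer or of any Microsoft documentation): the NetSecurity cmdlets below require inbound TCP/3389 to be authenticated with a machine certificate from a given CA, then allow RDP through the firewall only for connections that passed that IPsec authentication. The CA subject `CN=Example-Internal-CA` and the rule display names are placeholders; each client is assumed to hold its own machine certificate from that CA, and the server is assumed to trust it.

```powershell
#Requires -RunAsAdministrator
# Added example: restrict RDP on a Windows Server to IPsec peers that
# authenticate with a per-machine certificate. Run on the server; clients need
# a matching connection security rule so they can answer the IPsec negotiation.

$CaSubject = 'CN=Example-Internal-CA'   # placeholder: subject of your issuing CA

# 1. Main-mode authentication: accept only computer certificates chaining to $CaSubject.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $CaSubject -AuthorityType Root
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'RDP machine-cert auth (example)' -Proposal $proposal

# 2. Connection security rule: inbound TCP/3389 must be protected by IPsec.
#    Peers without a valid certificate never complete the security association.
New-NetIPsecRule -DisplayName 'Require IPsec for RDP (example)' `
    -Protocol TCP -LocalPort 3389 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# 3. Firewall rule: allow RDP only when the connection was IPsec-authenticated
#    and encrypted; this is the "filter unencrypted RDP" part of the answer.
New-NetFirewallRule -DisplayName 'RDP (IPsec-authenticated only, example)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Allow -Authentication Required -Encryption Required

# 4. Disable the built-in open RDP rules so the authenticated rule is the only path.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Check: after a client connects, its certificate-authenticated SA should appear here.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

Revocation works the way the answer describes because the CA's CRL governs which certificates the main-mode negotiation still accepts; losing one client's certificate means revoking that one certificate, not re-issuing a shared key to every machine.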


Author: kcode

Updated on September 18, 2022

Comments

  • kcode
    kcode almost 2 years

    How can I limit (RDP) access to a Windows Server not only by username/password but also with a client certificate?

    Imagine creating a certificate and copying this to all computers from which I want to be able to access the server.

    This would not be as limited as IP-based rules but would add some flexibility on the other hand, as not every computer/laptop is in a certain domain or fixed IP range.

    • Tim Brigham
      Tim Brigham over 12 years
      Are you talking about inside your network or publishing to the internet?
    • kcode
      kcode over 12 years
      This would be a public network.
  • Tim Brigham
    Tim Brigham over 12 years
    I tried going down the remote desktop gateway route. There are a couple questions here that show why it doesn't work as expected.
  • mwfearnley
    mwfearnley over 5 years