Securing Remote Desktop Connections With SSL Certificate From a Trusted Certificate Authority
The best that I could find is this: https://support.microsoft.com/en-us/kb/2001849
From the article:
Note: It is necessary to edit the registry directly because there is no user interface on Windows client SKUs to configure a server certificate.
Related videos on Youtube
JCM
Updated on September 18, 2022Comments
-
JCM over 1 year
Currently I'm using a desktop machine running Windows 7 Ultimate x64. Also have configured it to enable remote connections using MS Remote Desktop Services (RDS); however, since the machine issues its own self-signed security certificate I get a warning every time I connect to this computer.
So my questions are:
- Would it be more secure if I install a SSL certificate from a trusted CA such as GoDaddy, VeriSign, DigiCert, etc rather than simply continuing using a self-signed certificate?
Related to the previous question, reading http://www.alkia.net/index.php/faqs/106-how-to-secure-remote-desktop-connections-using-tls-ssl-based-authentication (specific to Windows Server 2003 including SP1), it says that the certificate should be computer based. So, I imagine when creating the Certificate Signing Request (CSR) the Common Name (CN) would the hostname/computer name rather than a domain name.
- Once I obtain the certificate, how would I install it on the Remote Desktop Protocol (RDP) server so that it is used to secure the remote connections?
This computer is a member of a workgroup.
-
Marki555 almost 9 yearsCert from trusted CA won't be more secure. The same security will be achieved by installing the self-signed server certificate on your client machine, so that the cert will be known and it will be able to notify you if someone would try to present you a different cert during an attack.
-
Russell Uhl almost 9 yearsWould it be more secure? no. A trusted CA is essentially used so that you the user (not you the machine) can be confident that the machine you're connecting to is the one you actually mean to be connecting to. You could just as easily create your own self-signed cert with custom information, or just use the default
-
I say Reinstate Monica almost 7 yearsThis is essentially a link-only answer.