Change the Remote Desktop Services Service Certificate


I’m going to skip past how to get such a certificate and go directly into how to apply it ’cause I tend to go way off track very easily.

I know about three ways of achieving this:

  1. PowerShell
  2. Group Policy
  3. Microsoft Easy Fix (big asterisk on this one, tell you later)

PowerShell

Step 1. Import your certificate to the Computer’s Personal (also called “My”) certificate store.

  • If it’s a PFX this is as easy as double-clicking it and clicking on next ’till the end, the only options needed are: entering the password to unlock the file and selecting to import all certificates contained in the file, if they’re already in the system they’ll will do no harm to it. If they’re not, well, you need them.
  • A CER, CRT, or other type of certificate doesn’t need a password and usually means you started the request from the host requesting it, the private key is already in the system and should be matched with the certificate (AKA the signed public key) at import time.

Step 2. Get the thumbprint of the certificate.

In PowerShell, you can navigate to the certificate stores as if they were storage drives, instead of C:\ or D:\ you type Cert:\, it’s a really smart idea—as far as Microsoft goes.

Just type ls Cert:\LocalMachine\My or navigate to it first (cd Cert:\LocalMachine\My) then ls.

A lot of commands I use are PowerShell aliases added to accommodate UNIX users. Despite I have a lot more time using Windows, I got first comfortable with the command line using Bash in Linux and macOS, thus by force of habit I default to the Bash-like commands first. These are completely interchangeable though, if it doesn’t follows “verb-something” is probably an alias or a pre-PowerShell holdout. You can know for sure by using:

Get-Command ls

Which will tell you that ls (or mv, or cp, etc) is an alias for Get-ChildItem. You can also use Get-Help ls, for instance, to get directly the help for Get-ChildItem.

Sidenote
Notice the problem there? How do you know what the right one?

It’s almost a given certificates for the machine will be indistinguishable one from another because the My store is the machine’s store. All subjects should match it, thus it’s likely for them to have the same name or be wildcards.

You may have to launch mmc an open the certificate to ID the thumbprint, but before you do you might still be able to get away without it. See, the way they’re listed is a table, but if you get them to list them as a list, more information is shown by default. Pipe the command to fl (alias of Format-List):

The long command syntax is: “Get-ChildItem Cert:\LocalMachine\My | Format-List” exactly the same thing.

Notice how one of the “rds” certificates has the same thing on Subject and Issuer, i.e; it’s the self-signed one. Therefore, the one I’d be looking for is the other one. Now with the mouse cursor, you simply select the thumbprint and right-click to copy and right click again to paste, but since you’ll be copying another thing it will be overwritten so instead save it in a variable:

$rdscert=”<right-click-to-paste-thumbprint>”

That’s “name_of_the_variable” after “$” sign–can be anything you want (it’s deleted as soon as you close the window), “=” sign, then value of the variable enclosed in double quotes. e.g;

$rdscert="E78BCD53368ECAF97F1716DA5C9C7C483F923667"

Unlike Bash, in PowerShell, “=” can be surrounded by spaces, e.g;

$rdscert = "E78BCD53368ECAF97F1716DA5C9C7C483F923667"

Like in Bash, you can use echo to check it out:

#> PS C:\Users\username> echo $rdscert
#> E78BCD53368ECAF97F1716DA5C9C7C483F923667

Now run:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="$rdscert"

Group Policy

This is the slowest to implement, definitely requires plenty of planning but once you finish all computers request and automatically choose select the certificate their for RDS.

Naturally, it requires you to have a functioning PKI, which in turn requires you to be on top of your domain given all the things involved.

Once you have done this which is too complex to quickly go over it here, you need to create a certificate template with the EKU Server Authentication, which is available in several templates; you can clone Workstation, Web Server, Kerberos Authentication, etc. or with the EKU (AKA: Extensions ➜ Application Policies) “Remote Desktop Authentication” which is found in no preexisting template, you’ll need to add it yourself. Its OID is 1.3.6.1.4.1.311.54.1.2. Avoid spaces in when naming the new template.

If you don’t have already a GPO for RDS-related settings, create a new one for it, open it for edit and navigate to: Computer Configuration ➜ Policies Administrative Template Windows Components  Remote Desktop Services Remote Desktop Session Host Security  Server authentication certificate template. Select the Enabled radio button and enter the name of the template in the box below. OK your way out of it and it’ll eventually be setup on its own on the next policy update.

This can be set domain-wide if you want, they not only apply to RDS servers but to any Windows system capable (by license, technically all of them are) of serving Remote Desktop sessions.

Microsoft Easy Fix

For the last method you’ll need a PFX certificate bundle, and to be alone because it involves entering its passwords in cleartext, no little asterisks or chunky dots to cover it.

Also you need to either trust a file I’m hosting (the big asterisk I mentioned earlier), or try to find it yourself in Microsoft’s website; last time I check it wasn’t there anymore.

Search for the Microsoft Easy Fix 20151. If you can find it, the one I personally use is on:

https://hyperfetch.vitanetworks.link/get/rdpfix.diagcab

and if you have a antivirus-enabled proxy you can access it without TLS. Verify that IP address is the same though, somebody or something other than your own proxy might be intercepting the unsecured connection:

http://hyperfetch.vitanetworks.link/get/rdpfix.diagcab

I modified the server so it could serve it without having to be compressed in a zip file first, this way it can be scanned on-the-fly by most anti-malware software/networks. The file is only around 130KB, way less than the 5MB the Squid proxy server is normally set to scan, for instance.

I honestly don’t know if it’s signed by Microsoft, but I can tell you it presents no warnings anywhere between Windows Server 2012 R2 all the way to Windows Server 2022 (pictured below). It’s also quite the statement of how little Microsoft work has put on this which is a major component of Windows Server, showing they truly don’t give a fuck for their customers.

To use it simple skip past the first screen leaving the checkbox to fix things checked, browse to your certificate or type/paste its path in the box. Next is the scary party, somebody in Microsoft thought it was a good idea to leave it in clear text:

I mean… It’s Microsoft, it’s hardly surprising. Then, continue on until it’s done, like one or two clicks more. It will leave your existing PFX where it is and copy the necessary things where they belongs.

Tip: Copy this file a network server and use a GPO to map the drive so it’s easily accessible from all computers, for instance, we have a share network storage location mounted on drive B:. All authenticated users can read and write to it. So from the Run (⊞R) dialog we could type B:\rdpfix.diagcab ⏎ then enter B:\rdpcert.pfx ⏎ if we’d dropped both the little app and the cert in there. You remote into each computer to run it, there’s no automation/scripting.

One last option…

When I said I knew about three ways to set it up, I actually lied, I know about four. The last one is using the Windows Registry but I don’t fuck with that.

If you’re interested, here’s the link: https://docs.microsoft.com/en-US/troubleshoot/windows-server/remote/remote-desktop-listener-certificate-configurations

[/et_pb_text]
[/et_pb_column]
[/et_pb_row]
[/et_pb_section]