Executive Summary:

Windows Vista SP1 and XP SP 3 introduced the Remote Desktop Connection 6.1 client, which allows Remote Desktop Protocol (RDP) files to be digitally signed. Group Policy, used in conjunction with Windows Server 2008 Terminal Services, can help you restrict RDP files, preventing users from connecting to un-trusted terminal servers. Learn how to request a certificate from an Active Directory (AD)–integrated Server 2008 Certification Authority (CA), sign RemoteApp RDP files, and configure Group Policy to allow only RDP files signed with a specified certificate.


Solution Snapshot
Problem: The ability to map local resources to the Terminal Server creates the risk that users could give away sensitive data should they inadvertently connect to a rogue machine.
Solution: Use the Remote Desktop Connection 6.1 client to digitally sign Remote Desktop Protocol (RDP) files, then define a list of trusted publishers in Group Policy.
What You Need: A Windows Server 2008 Active Directory (AD) domain, a Server 2008 member server with Terminal Services and AD Certificate Services installed, and a Windows Vista SP1 or Windows XP SP 3 workstation joined to the domain.
Solution Steps:
1. Add code signing to the list of certificate templates on the CA.
2. Log on to Terminal Server and request a certificate.
3. Create signed RemotedApp RDP files.
4. Configure trusted publishers in Group Policy.
Difficulty: 3 out of 5

With application virtualization and Software as a Service (SaaS) solutions increasing in popularity, the line between remote, local, and virtualized applications is becoming more blurred. Among the many improvements to Terminal Services in Windows Server 2008 is the ability to display remote applications as if they are running locally on users’ desktops, as opposed to in a remote desktop window, as in previous versions of Windows Server.

The appearance of running locally offers several advantages, such as providing a seamless experience, better integration with users’ desktops, and being able to open programs on different Terminal Servers simultaneously without having to manage a remote desktop window for each server. However, the improved visual experience might make it harder for users to differentiate between local and remote applications. Worse, the ability to map local resources to the Terminal Server creates the risk that users could give away sensitive data should they inadvertently connect to a rogue machine. We can’t rely on users to police this technology.

To address this problem, Microsoft has added the ability to digitally sign Remote Desktop Protocol (RDP) files and define a list of trusted publishers in Group Policy. This enables administrators to restrict RDP files to those that are signed with certificates defined as trusted, reducing the chances that users could mistakenly connect and transfer data to a terminal server outside of the organization.

I’ll show you how to request a certificate from an Active Directory (AD)–integrated Server 2008 Certification Authority (CA), sign RemoteApp RDP files, and configure Group Policy to allow only RDP files signed with a specified certificate. You’ll need a Server 2008 AD domain, a Server 2008 member server with Terminal Services and AD Certificate Services installed, and a Windows Vista SP1 or Windows XP SP 3 workstation joined to the domain.

Requesting and Installing a Certificate on Terminal Server
RDP files should be signed with SSL or code-signing certificates. If you happen to be running Terminal Services Gateway, you can use your existing SSL certificate to sign RDP files. In this scenario, we’re using a standard TS server and will need to obtain a code-signing certificate from our internal CA. This means that the certificate will only be trusted by intranet clients, unless it’s been co-signed by a public CA.

The code-signing certificate template isn’t enabled by default, so first we’ll add code signing to the list of certificate templates on our CA. Log on to your CA as a domain administrator, then do the following:
1. Go to Start, Administrative Tools, Certification Authority to open the Certification Authority Microsoft Management Console (MMC).
2. Expand your CA under Certification Authority (Local) and click Certificate Templates to display the currently enabled templates.
3. Right-click Certificate Templates and select New, Certificate Template to Issue from the menu.
4. In the Enable Certificate Templates dialog box, select Code Signing from the list and click OK.
5. Back in the Certification Authority MMC, Code Signing should now be shown in the list of certificate templates. Close the Certification Authority MMC.

Now that we can request a code-signing certificate from our CA, we need to log on to our Terminal Server and request a certificate. Log on as a domain administrator:
1. Type MMC in the Search box on the Start menu and press Enter.
2. In the MMC window, select Add/Remove Snap-In from the File menu.
3. In the Add or Remove Snap-ins dialog box, select Certificates under Available snap-ins and click Add in the center of the window. Select My user account in the Certificates snap-in dialog box and click Finish.
4. Click OK.
5. In MMC, expand Certificates – Current User, then Personal.
6. Right-click the Certificates folder under Personal and select All Tasks, Request New Certificate.
7. Click Next on the Before You Begin screen in the Certificate Enrollment dialog box. Select Code Signing under Request Certificates and click Enroll.
8. The status should display Succeeded under Certificate Installation Results. Click Finish. The new code-signing certificate should now appear in your personal certificate store, which you can see in Figure 1.
9. Double-click the code-signing certificate in the central pane and select the Details tab.
10. Make sure that Show is set to All and scroll to the bottom field, which is the SHA1 thumbprint shown in Figure 2. Make a note of the number or copy it to Notepad, as you’ll need it later.
11. Click OK on the Certificates dialog box, then close the Certificates MMC.

Signing RDP Files
With our code-signing certificate in place on the terminal server, we can create signed RDP files for previously existing or new RemoteApps. Still on our terminal server, open Terminal Services RemoteApp Manager:
1. To open TS RemoteApp Manager go to Start, Administrative Tools, Terminal Services.
2. On the right of Digital Signature Settings click Change in the Overview section of the TS RemoteApp Manager window.
3. In the RemoteApp Deployment Settings dialog box, make sure that the Digital Signature tab is selected and select the check box Sign with a digital certificate.
4. Under Digital certificate details click Change. In the Select Certificate dialog box, select your code-signing certificate from the list and click OK.
5. The details of the certificate should appear in the RemoteApp Deployment Settings dialog box, which Figure 3 shows. Click OK.

Any RemoteApps you add to this server will now be published with a digitally signed RDP file. Let’s add WordPad as a RemoteApp and create an RDP file:
1. In TS RemoteApp Manager, click Add RemoteApp Programs in the Actions pane on the right. Click Next in the RemoteApp Wizard.
2. Select WordPad in the RemoteApp Programs list and click Next.
3. Click Finish on the Review Settings screen.
4. WordPad should now appear at the bottom of the TS RemoteApp Manager window under RemoteApp Programs, which Figure 4 shows. Select WordPad under RemoteApp Programs and click Create .rdp File beneath WordPad on the Actions pane.
5. Click Next in the RemoteApp Wizard, leaving everything as default on the Specify Package Settings screen. Note that the file will be signed with your certificate, and click Next. Click Finish on the Review Settings screen.

The default location for RDP files created by TS RemoteApp Manager (c:\program files\packaged programs\) should now open, showing you the new file, wordpad.rdp.

Configuring Trusted Publishers in Group Policy
The default configuration for Remote Desktop Connection in Group Policy is to allow all files to be run; unsigned, trusted, or otherwise. Let’s configure Group Policy so that only RDP files signed using our certificate can be run on our workstation:
1. Open Group Policy Management Console (GPMC) and expand your forest, domain, and the Group Policy Objects folder.
2. Right-click the Group Policy Objects folder, and select New from the menu. Call the new GPO RemoteApp Trusted Publishers, and click OK.
3. Right-click the new GPO under Group Policy Objects, and select Edit from the menu.
4. In Group Policy Editor window under Computer Configuration, expand Policies, Administrative Templates, Windows Components, Terminal Services and click Remote Desktop Connection Client.
5. In the right pane, disable the first two settings, Allow .rdp files from valid publishers and user’s default .rdp settings and Allow .rdp files from unknown publishers.
6. Change to the GPMC window and link the new GPO to your domain. Right-click the domain, in this case ad.contoso.com, in the left pane of GPMC and select Link an Existing GPO from the menu.
7. In the Select GPO dialog box, select the RemoteApp Trusted Publishers GPO from the list and click OK.

At this point, log on to your workstation as a domain administrator and force a Group Policy update by running

gpupdate /force

from the command line. After Group Policy has refreshed, run wordpad.rdp from the Packaged Programs folder on the terminal server. You should find that the file is blocked.

Back in Group Policy Management Editor, let’s continue to configure our GPO. Now we add our code-signing certificate to the list of trusted publishers:
1. Double-click Specify SHA 1 thumbprints of certificates representing trusted .rdp publishers in the right pane of the editor window.
2. Select Enabled in the policy setting dialog box and enter the SHA 1 thumbprint for the code-signing certificate that you saved earlier. The thumbprint should be entered without spaces.
Back on the workstation, force a Group Policy refresh as you did above. This time you should find that wordpad.rdp will run without any warnings.

Restricting Access
The capability to restrict powerful features such as the Remote Desktop Connection client at a granular level is important. And, in addition to the TS RemoteApp Manager, Microsoft provides a command-line tool for signing RDP files, rdpsign.exe. If you decide to add Terminal Services Web Access to the setup I described above, your certificates and Group Policy configuration will also apply to RemoteApps launched from the TS Web Access site. Similar to software restriction policy, restricting individual RDP files based on digital certificates reduces the likelihood that users will connect to terminal servers other than those permitted by system administrators.

Related Reading: