Increasing Windows RDP security without a CA


For Windows 7 and above, the built-in Remote Desktop access used for support relies on a self-signed certificate that is signed with the now-deprecated SHA-1. If you delete the certificate and reboot, or stop and start the RDP service, the self-signed certificate is automatically recreated, again with SHA-1, and so far I have not found a way to raise the strength of that automatically created certificate.

You can of course use a Certificate Authority (CA) server, but these usually exist only in large organisations. If you do have a CA then this article is useful.

Set out below is a process to use a stronger certificate.

  1. On a Windows machine with PowerShell 3 or greater, use the New-SelfSignedCertificate cmdlet to create a new certificate. Make sure to:
    • set the key length to at least 2048 bits;
    • use at least SHA256 for the signature;
    • set the expiry to no longer than 3 years;
    • make a note of the certificate's thumbprint (this is always a SHA-1 hash of the certificate, regardless of the signature algorithm).
  2. There are other ways to do this from the command line, such as MakeCert, but that has been deprecated in favour of the PowerShell cmdlet.
  3. Using MMC, open the certificate management snap-in for the "Computer account" on the machine whose RDP security you want to increase.

Example MMC for new RDP certificate

  1. Import the new certificate into the Personal store.
  2. Give NETWORK SERVICE Read permission on the certificate's private key by right-clicking the certificate and selecting All Tasks -> Manage Private Keys.
  3. Using the registry editor, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and add a new binary (REG_BINARY) value named SSLCertificateSHA1Hash containing the thumbprint of the new certificate.
  4. Reboot the machine.
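The whole procedure above, scripted end to end, as an added example (this is not code from the post). It assumes Windows PowerShell 5.1 with the Windows 10 / Server 2016 version of New-SelfSignedCertificate, and it substitutes the legacy SChannel CSP plus an icacls call for the MMC "Manage Private Keys" step; the hostname lookup, the 3-year validity and the key-file path are my assumptions.

```powershell
# Added example, not from the original post. Run as Administrator on the machine
# whose RDP listener you want to move off the SHA-1 self-signed certificate.
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # or set a literal hostname
$store = 'Cert:\LocalMachine\My'   # the Personal store of the Computer account

# 1. Create the certificate: RSA 2048, SHA-256 signature, 3-year expiry,
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1). The legacy SChannel CSP is an
#    assumption: it puts the key under MachineKeys, where icacls can set the ACL.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation $store `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 -KeySpec KeyExchange `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(3) `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')
$thumb = $cert.Thumbprint
Write-Host "New RDP certificate thumbprint: $thumb"

# 2. Grant NETWORK SERVICE read access to the private key (the MMC step in the post).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
icacls $keyFile /grant 'NETWORK SERVICE:R' | Out-Null

# 3. Bind the listener. SSLCertificateSHA1Hash is a REG_BINARY value holding the
#    20 raw thumbprint bytes, not the 40-character hex string.
$rdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$hashBytes = [byte[]] (0..19 | ForEach-Object { [Convert]::ToByte($thumb.Substring(2 * $_, 2), 16) })
New-ItemProperty -Path $rdpKey -Name 'SSLCertificateSHA1Hash' -PropertyType Binary `
    -Value $hashBytes -Force | Out-Null

# 4. Read the value back and confirm it matches the certificate just created.
#    A mistyped hash silently leaves RDP on the old SHA-1 self-signed certificate.
$bound    = (Get-ItemProperty -Path $rdpKey -Name 'SSLCertificateSHA1Hash').SSLCertificateSHA1Hash
$boundHex = ($bound | ForEach-Object { $_.ToString('X2') }) -join ''
if ($boundHex -ne $thumb) { throw "Listener bound to $boundHex, expected $thumb" }
if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256') { throw 'Certificate is not SHA-256 signed' }
if ($cert.PublicKey.Key.KeySize -lt 2048) { throw 'Key is shorter than 2048 bits' }
Write-Host 'Listener bound; reboot the machine for the new certificate to take effect.'
```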

It is also advisable to use a policy to set the RDP security level, as shown. At present this only allows up to TLS 1.0.

Example RDP strong policy

In addition to the above, I strongly recommend you look at the SCHANNEL encryption and cipher configuration. The IISCrypto.exe tool helps with this. Also make sure you have all the KB patches loaded that support the newer protocols, together with the related registry keys.

Example SCHANNEL config tool

  • Enable TLS 1.0, 1.1 and 1.2 in HKLM for both Client and Server. If SSL 3 is not there, set it up, but disable SSL 2 and SSL 3 for both Client and Server. NOTE that this applies to every SCHANNEL connection on the computer, including browsers.
  • Restrict the hashes used.
  • Restrict the cipher suites. For more on ciphers see the OWASP article.


Copyright SupportICT © 2025 · Privacy And Cookie Policy · Terms And Conditions · Accessibility · Site Map · Log in