For Windows environments that want extra security, one of the features that has been around for ages is requiring TLS for Windows RDP (Remote Desktop) connections.

Set the Template display name to RemoteDesktopComputer (no spaces). Verify the Template Name is exactly the same (no spaces). You can use a different name if you want, but both fields must match exactly.

Now we need to create an application policy to limit the usage to RDS authentication, then remove the other application uses for the certificate. On the Extensions tab click on Application Policies, then click on Edit. Click on Add, then click on New. Set the value of Name to Remote Desktop Authentication. Change the object identifier to 1.3.6.1.4.1.311.54.1.2. From the Application Policies list, select Remote Desktop Authentication. Back on the certificate template properties, remove all other entries. Only Remote Desktop Authentication should be present. If you wish, you can modify the validity period of the certificate, making it say two years instead of the default of one.

You probably want to secure your domain controllers as well, so for that we need to modify the security setting on the template. Open the Security tab, add the group Domain Controllers, and give the group Read and Enroll (not Autoenroll).

Open the MMC snap-in for managing your Certificate Authority and locate the Certificate Templates node. Right-click, select New, then Certificate Template to Issue. Choose the RemoteDesktopComputer template.

Next up is configuring the GPO to utilize the new template. You can modify any GPO you wish, or create a new one. Obviously the scope of the GPO should cover any servers that you want to secure with TLS. This could be a server baseline GPO, a domain GPO, or whatever you want.
In the GPO editor locate the node Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Modify the Server Authentication Certificate Template setting: enable the policy and enter the certificate template name that exactly matches what you created in your CA. In the same GPO node, configure Require use of specific security layer for remote (RDP) connections to use SSL (TLS 1.0).

Wait for the GPO to replicate, then refresh the GPO on a test server. Wait a minute, then open the Certificates MMC snap-in for the computer account. Look in the Personal\Certificates store for a certificate that has the Intended Purposes of Remote Desktop Authentication. If it's not there, wait a minute and refresh. If it never appears, something is wrong; look at gpresult to make sure your GPO is being applied to the server.

Once the certificate appears, double-click on the certificate to open it. On the Details tab look at the first few characters of the Thumbprint value and remember them. To make sure the RDP service is aware of the new certificate, I restart the Remote Desktop Services service. Open an elevated PowerShell prompt and run this command:

    Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'"

Validate that the SecurityLayer value is 2 and that the SSLCertificateSHA1Hash thumbprint matches the certificate. If both of those settings are correct, then you are good to go.

As a quick test, I attempted to connect to this server from a non-domain-joined computer that did not have the root certificate for my CA. I configured the RDP client to warn on any security issues. As expected, the client threw errors about the CRL not being available and that it didn't trust the chain. I also viewed the certificate and verified it was the correct one. It seems Windows 8 has much more stringent certificate checking than Windows 7.
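The manual validation step above (SecurityLayer is 2, thumbprint matches the auto-enrolled certificate) can be scripted. This is an added PowerShell check, not code from the original article: it reads the RDP-Tcp listener settings, then confirms the bound thumbprint belongs to a certificate in the computer's Personal store that carries the Remote Desktop Authentication EKU, is within its validity period, and was issued by the expected CA. The ExpectedIssuer parameter and the placeholder CA name are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated Windows PowerShell
# prompt on the RD Session Host after the GPO has applied.
function Test-RdpTlsBinding {
    param([string]$ExpectedIssuer)   # assumed input: substring of the issuing CA's subject

    $rdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU OID
    $ts = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\TerminalServices `
            -Filter "TerminalName='RDP-Tcp'"

    $result = [ordered]@{
        SecurityLayerIsTls = ($ts.SecurityLayer -eq 2)          # 2 = SSL/TLS required
        BoundThumbprint    = $ts.SSLCertificateSHA1Hash
        CertInStore        = $false
        HasRdpAuthEku      = $false
        IssuerMatches      = $false
        InValidityPeriod   = $false
    }

    # The listener only stores a SHA-1 thumbprint; resolve it against the computer store.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash }
    if ($cert) {
        $result.CertInStore = $true
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }
        $result.HasRdpAuthEku    = @($ekus) -contains $rdpAuthEku
        $result.IssuerMatches    = $cert.Issuer -like "*$ExpectedIssuer*"
        $now = Get-Date
        $result.InValidityPeriod = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    }

    $checks = 'SecurityLayerIsTls','CertInStore','HasRdpAuthEku','IssuerMatches','InValidityPeriod'
    $result.Pass = @($checks | Where-Object { -not $result[$_] }).Count -eq 0
    [pscustomobject]$result
}

Test-RdpTlsBinding -ExpectedIssuer 'YOUR-ISSUING-CA-NAME' | Format-List
```

A Pass of False with CertInStore False usually means the GPO has not applied yet or the template name in the policy does not match the CA exactly, which is the same failure the gpresult step above is meant to catch.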
The screenshots below are from Windows 7, in case you didn't recognize the chrome. When using a Windows 7 non-domain-joined computer to access the same TLS-protected server, I got NO certificate warnings. That was even with the RDP 8 add-on hotfix. I'm glad to see Win. Connecting to the same server from a domain-joined computer that trusted the root CA resulted in no security warnings and a successful connection. If you look at a Wireshark capture you can also validate that CRL information is being exchanged between the computers, which means TLS is being used.

Windows Shadow command to interact/connect with a user Remote Desktop Session

Purpose of Shadow Utility. This Windows feature allows a remote RDP user to interact with another remote user of the same server. Shadow allows both users to view and interact with the remote desktop session. For example, if you don't have GoToMeeting or WebEx to call the user for a meeting, and the user has limited bandwidth, then to see the problem that user is facing in the remote desktop session you can shadow the user's session, view the issue and recommend the fix.

Shadow a Remote Desktop Session on the terminal server. The scenario describes two users, O and M, where O wants to shadow M's Remote Desktop session. Both users need to log in to the terminal server using Remote Desktop Connection. User O needs to open Windows Task Manager and identify the remote session ID used by M. User O then opens a command prompt with Administrator privilege and enters the command

    shadow RDP-Tcp#0

User M is prompted with a wizard for allowing access for O; after the access is granted, the session of M is shadowed.

Remote desktop shadow command line in Windows 8.1. An administrator can also run the following command line on a machine with the Windows 8.1 mstsc.exe package:

    mstsc.exe /shadow:<sessionID> [/v:<servername>] [/u:<username>] [/control] [/noConsentPrompt]
    /shadow:<sessionID>   Starts shadow with the specified session ID.
    /v:<servername>       If not specified, will use the current server as the default.
    /u:<username>         If not specified, the currently logged on user is used.
    /control              If not specified, will only view the session.
    /noConsentPrompt      Attempts to shadow without prompting the shadowee to grant permission.

Before running mstsc.exe you need to find the session ID using some other mechanism, such as qwinsta.

Shadow the desktop of users using Windows Server 2012 Remote Desktop Services: select Remote Desktop Services, choose the user, right-click and select Shadow.

Query Remote Desktop Session details using the command line:

    query session [<SessionName> | <UserName> | <SessionID>] [/server:<ServerName>] [/mode] [/flow] [/connect] [/counter] [/?]

Parameters and descriptions:

    <SessionName>          Specifies the name of the session that you want to query.
    <UserName>             Specifies the name of the user whose sessions you want to query.
    <SessionID>            Specifies the ID of the session that you want to query.
    /server:<ServerName>   Identifies the RD Session Host server to query. The default is the current server.
    /mode                  Displays current line settings.
    /flow                  Displays current flow control settings.
    /connect               Displays current connect settings.
    /counter               Displays current counters information, including the total number of sessions created, disconnected, and reconnected.
    /?                     Displays help at the command prompt.
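Both shadow procedures above start with finding a user's session ID, and query session is the command that lists it. This added PowerShell example, not code from the original article, parses query session output into objects using the header's column positions, so a blank USERNAME (system or listener sessions) or the right-aligned ID column does not shift fields. The session listing below is constructed sample output; replace it with the live command's output to use it on a real host.

```powershell
# Added example, not from the original article. Assumes the standard column layout
# of `query session` / `qwinsta`, as in the constructed sample at the bottom.
function ConvertFrom-QuerySession {
    param([string[]]$Lines)
    $header  = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    # Column offsets are taken from the header, so the parser follows the tool's layout.
    $userIdx = $header.IndexOf('USERNAME')
    $idEnd   = $header.IndexOf('ID') + 2          # ID values are right-aligned under "ID"
    foreach ($line in $Lines) {
        if ($line -eq $header -or $line.Length -le $idEnd) { continue }
        # Between USERNAME and the end of ID there is either "<user>   <id>" or just "<id>".
        $parts = @($line.Substring($userIdx, $idEnd - $userIdx).Trim() -split '\s+')
        $user  = if ($parts.Count -gt 1) { $parts[0] } else { '' }
        [pscustomobject]@{
            Current     = $line.StartsWith('>')    # ">" marks the caller's own session
            SessionName = $line.Substring(0, $userIdx).TrimStart('>').Trim()
            UserName    = $user
            Id          = [int]$parts[-1]
            State       = ($line.Substring($idEnd).Trim() -split '\s+')[0]
        }
    }
}

function Get-SessionIdForUser {
    param([string[]]$Lines, [string]$User)
    $hit = ConvertFrom-QuerySession $Lines |
        Where-Object { $_.UserName -eq $User -and $_.State -eq 'Active' } |
        Select-Object -First 1
    if (-not $hit) { throw "No active session for user '$User'" }
    $hit.Id
}

# Constructed sample output (not captured from a real server).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>rdp-tcp#1         oadmin                    2  Active
 rdp-tcp#0         muser                     3  Active
                   jdoe                      4  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

ConvertFrom-QuerySession $sample | Format-Table -AutoSize
"Active session ID for muser: $(Get-SessionIdForUser -Lines $sample -User 'muser')"   # 3 in the sample
```

For live data use `$lines = query session` (or `qwinsta`) in place of the sample; the disconnected jdoe session is deliberately excluded by the State filter, since a shadow target must be an active session.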
© 2017