For Windows environments that want extra security, one of the features that has been around for ages is requiring TLS 1.0 for Windows RDP (Remote Desktop) connections. This functionality requires a certificate on the server, since TLS is based on the usage of X.509 certificates. Installing a RDP SSL certificate is easy. By default Windows will create a self-signed certificate automatically for use with RDP. But as we all know, self-signed certificates are nearly worthless, and could easily be intercepted for man-in-the-middle attacks. So one should reconfigure Windows to use a trusted certificate. Thankfully this is fairly easy, and once configured, pushed down to all servers via GPO for automated deployment.
I’ve validated that this procedure works both on Windows Server 2008 R2 and Windows Server 2012. It may work on Windows Server 2008.It requires the use of a Microsoft enterprise online certificate authority. Again, I’ve used both Windows Server 2008 R2 and Windows Server 2012 CAs with success. Not surprising, since certificates are industry standard. For the purposes of this article I’ll use Windows Server 2008 R2 CA, and Windows Server 2012 “target” server. The general process is first creating a new Certificate Authority certificate template that has an extended key usage to limit its use to only Remote Desktop TLS sessions. Second, we configure a GPO setting to automatically configure servers to request a certificate via this template, and use it for RDP TLS.
Refresh GPO on the target server, and finally we attempt to connect via a stand-alone computer to verify it sees the certificate that we deployed. Installing a RDP SSL Certificate 1. Polysics polysics or die rar files. On your Microsoft certificate authority server open the Certificate Templates console. Duplicate the Computer template and use the Windows Server 2003 Enterprise format (Server 2008 v3 templates will NOT work).
Change the template display name to RemoteDesktopComputer (no spaces). Verify the Template Name is exactly the same (no spaces). You can use a different name if you want, but both fields must match exactly. Once the certificate appears, double click on the certificate to open it. On the Details tab look at the first few characters of the thumbprint value and remember them.
Seaman For Windows Ver. 1.00
To make sure the RDP service is aware of the new certificate, I restart the Remote Desktop Services service. Open an elevated PowerShell prompt and run this command: Get-WmiObject -class “Win32TSGeneralSetting” -Namespace root cimv2 terminalservices -Filter “TerminalName=’RDP-tcp'” Validate that the Security Layer value is 2 and that the thumbprint matches the certificate. If both of those settings are correct, then you are good to go!
As a quick test I attempted to connect to this server from a non-domain joined computer that did not have the root certificate for my CA. I configured the RDP client to warn on any security issues. As expected, the client threw errors about the CRL not being available, and that it didn’t trust the chain. I also viewed the certificate and verified it was the correct one.
It seems Windows 8 has much more stringent certificate checking than Windows 7. The screenshots below are from Windows 7, in case you didn’t recognize the chrome. When using a Windows 7 non-domain joined computer to access the same TLS protected server, I got NO certificate warnings. That was even with the RDP 8 add-on hotfix. I’m glad to see Win8 does thorough certificate validation.
Company Overview Seaman Paper Company Of Massachusetts, Inc. Manufactures and sells paper products. It offers jumbo rolls of lightweight specialty papers and industrial grades; bakery tissues and sandwich wrap waxed papers; satinwrap premium wrapping tissue papers; pear wraps, eggplant wrappers, citrus packaging papers for agriculture markets; and interleaving papers for stainless, alloys, copper and brass, plastics, and textiles markets. The company also offers footwear and apparel packaging for shoes, handbags, and apparel; industrial grades battery tissues, packing papers, and stuffing tissues; crepe streamers and folds, arts and crafts tissues, and flame proofing papers for parties, crafts, and schools. Seaman Paper Company Of Massachusetts, Inc.
Manufactures and sells paper products. It offers jumbo rolls of lightweight specialty papers and industrial grades; bakery tissues and sandwich wrap waxed papers; satinwrap premium wrapping tissue papers; pear wraps, eggplant wrappers, citrus packaging papers for agriculture markets; and interleaving papers for stainless, alloys, copper and brass, plastics, and textiles markets. The company also offers footwear and apparel packaging for shoes, handbags, and apparel; industrial grades battery tissues, packing papers, and stuffing tissues; crepe streamers and folds, arts and crafts tissues, and flame proofing papers for parties, crafts, and schools; florist tissues; and shredded tissue for gift boxes. In addition, it provides consumer products private label resale gift tissues and giftwrap programs; plates and sleeves; and packaging printed OPP films and substrates. The company distributes products from the United States and Asia.
It serves customers worldwide. Seaman Paper Company Of Massachusetts, Inc. Was founded in 1945 and is based in Baldwinville, Massachusetts with additional offices in Dongguan City; and Gardner, Massachusetts.
Seaman For Windows Ver. 1.09
It has manufacturing facilities in Dongguan City and Putian City.
Some industries, like Government, require the use of certain cryptography algorithms. One of the great features of Windows Server 2008 R2 and Windows 7 is the support for ciphers.
![Seaman for windows ver. 1.09 Seaman for windows ver. 1.09](/uploads/1/2/3/7/123762624/319903447.jpg)
TLS 1.2 ciphers support AES-256 encryption with SHA-256 hashes. Unfortunately, Microsoft did not enable these protocols out of the box. I wanted IIS 7.5 to negotiate TLS 1.2 connections with my Windows 7 clients. After some registry hacking I was successful, as shown by a Wireshark trace. I created a simple PowerShell script that enables TLS 1.2 for both client and server communications. It also disables SSL 2.0 server responses, in case you need to be PCI compliant.
The lines are pretty long, so pay attention to the wrapping. After you run the PS script (with elevated rights) you must reboot the client and server. Please note that all values must be DWORD. This is very important, as any other value type will NOT work and you may be pulling your hair out wondering why it’s not working. # Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7 # These keys do not exist so they need to be created prior to setting values.