Now let's configure the client settings so that the client always warns us when the host certificate cannot be authenticated.
We select Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Settings/Remote Desktop Connection Client. We double click on Configure Authentication for Client, select Enable and set the option to Warn me if authentication fails. Click on OK and close the screen.
Since the days of Vista and Windows 2008, Microsoft has provided a new mechanism for securing RDP connections that they call Network Level Authentication. It uses Microsoft's CredSSP protocol to authenticate and negotiate the credential type before handing off the connection to the RDP service.


Now we select Computer Configuration/Policies/Windows Settings/Public Key Policies. Under that node we double click on Certificate Services Client – Auto-Enrollment. In the properties, under Configuration Model we select Enable and make sure that the boxes for managing certificates in the store and for updating the certificate if the template is modified are checked.
Now we have finished the section that covers certificate assignment for the computers that this GPO is applied to.
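To confirm on a domain member that the two policies above actually arrived and that a machine certificate was enrolled, the following PowerShell check can be run from an elevated prompt after a `gpupdate`. It is an added example, not part of the original post. The registry paths, the value names `AuthenticationLevel` and `AEPolicy`, and the meanings of their values are assumptions about what these policies write and should be confirmed in your environment.

```powershell
# Added verification sketch. Registry locations and value meanings below are
# assumptions about what the two GPO settings write; confirm them on a test host.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$aePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-RdpCertificatePolicy {
    $auth = Get-PolicyValue -Path $tsPolicy -Name 'AuthenticationLevel'
    $ae   = Get-PolicyValue -Path $aePolicy -Name 'AEPolicy'

    # Machine certificates that are unexpired, have a private key and carry
    # the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
        $_.HasPrivateKey -and ($_.NotAfter -gt (Get-Date)) -and
            ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)
    })

    [pscustomobject]@{
        # Assumed mapping: 0 = connect without warning, 1 = do not connect, 2 = warn
        AuthenticationLevel    = $auth
        WarnsOnAuthFailure     = ($auth -eq 2)
        # Assumed mapping: 7 = auto-enrollment enabled with both boxes checked
        AEPolicy               = $ae
        AutoEnrollFullyEnabled = ($ae -eq 7)
        UsableMachineCerts     = $certs.Count
        CertSubjects           = ($certs | ForEach-Object { $_.Subject }) -join '; '
    }
}

Test-RdpCertificatePolicy | Format-List
```

A `$null` in `AuthenticationLevel` or `AEPolicy` means the policy value is not present on that machine, which usually points to GPO scoping or a pending refresh rather than a wrong setting.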
NLA is present in the latest versions of Windows, for Server: NLA was introduced first with RDP 6.0 in Windows Vista and later on Windows XP SP3.
One of the biggest advantages is also that, since TLS is used, it will warn us if it cannot validate the identity of the host we are connecting to.
For this we will need a PKI infrastructure integrated with AD in our Windows environment.
In a Windows 2008 environment we can install the Active Directory Certificate Service role on a server to set up an Enterprise CA, accepting all defaults, so it can provide Computer Certificates to the machines in the domain in an automated way using Group Policy.
Recently the Remote Desktop Protocol has received a lot of attention from attackers.