Working in the Datacenter – Protect Remote Desktop Connection Manager using Self Signed Certificates
Posted by Mikael Nystrom on November 13, 2015
Note: Script has been updated to include $YEARS, the suggestion came from firstname.lastname@example.org, Thanks!
Even if IT is moving toward "pets" and "cattle", we still have a massive number of systems that will be managed over Remote Desktop for a long time. Remote Desktop Connection Manager (RDCMan) makes that easier: you can work with all of those machines from a single window.
Security is important
One really great feature is that you can save the password for each and every connection, and if you read the help file, it states:
RDCMan can encrypt the passwords stored in files either with the local user’s credentials via CryptProtectData or an X509 certificate
Hmm, ok, the first option is a bit of a problem. CryptProtectData (DPAPI) ties the encryption to the local user profile, so if I move the .rdg file to another computer all the saved passwords are unusable there. On the other hand, that is exactly what makes it safe. But I really do have that situation: I need to use the same configuration files on more than one computer, and the passwords in them still need to be protected. So let's use a certificate instead. The question is how to create a certificate that is easy to move around and at the same time protects its own private key.
According to the help file we should of course use the one utility on the planet that I hate the most, makecert.exe. I don't like the fact that you need to spend hours downloading an SDK just to run an app that creates, in one second, a single file. There just has to be a replacement for makecert.exe...
PowerShell to the Rescue!
So let's first create the certificate, export it to a .pfx file, remove it from the store and finally import it again. That way we know the same file can be imported on any other computer. The .pfx must be protected with a password: that password is the only thing standing between the file and the private key, so anyone who gets both the .pfx and the password can decrypt every saved password in your .rdg files. Pick a strong one, keep it in a password manager rather than in the script, and delete the .pfx from disk once it has been imported everywhere it is needed.
Create and export a self signed Certificate for Remote Desktop Connection Manager
#Create and Export Certificate
$PlainPassword = "P@ssw0rd"
$ExportFolder = "C:\Test"
$Subject = "RDCMan"
$YEARS = 1
$CertificateFileName = "RDCManCertificate.pfx"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
# Exportable key and KeyExchange KeySpec are required: RDCMan encrypts with this key, and we need to move it to other machines
$RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter $(Get-Date).AddYears($YEARS)
# Export certificate and private key, protected by the password
Export-PfxCertificate -Cert $RDCManCertificate -FilePath "$ExportFolder\$CertificateFileName" -Password $SecurePassword
# Remove the certificate from the store so the import below is a true test
Remove-Item -Path "Cert:\CurrentUser\My\$($RDCManCertificate.Thumbprint)"
Import the Self Signed Certificate for Remote Desktop Connection Manager
#Import Certificate
$PlainPassword = "P@ssw0rd"
$ImportFolder = "C:\Test"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$CertificateFileName = "RDCManCertificate.pfx"
# Import certificate and private key into the current user's personal store, where RDCMan looks for it
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $SecurePassword -FilePath "$ImportFolder\$CertificateFileName"
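Before pointing RDCMan at the certificate it is worth checking that the import actually brought the private key along, since a certificate without its private key will let RDCMan encrypt but never decrypt the saved passwords. The following check is an added example and not part of the original post: it reuses the post's folder and file names, prompts for the .pfx password instead of hard-coding it, confirms that the certificate in Cert:\CurrentUser\My matches the .pfx, and proves the private key works with an RSA encrypt/decrypt round trip.

```powershell
# Added verification script (not from the original post). Assumes the .pfx and
# password from the steps above and that Import-PfxCertificate has already run.
$ImportFolder        = "C:\Test"
$CertificateFileName = "RDCManCertificate.pfx"
$PfxPath             = Join-Path $ImportFolder $CertificateFileName

# Prompt for the password rather than leaving it in the script file.
$SecurePassword = Read-Host -Prompt "PFX password" -AsSecureString

# Load the .pfx on its own (no store access) to learn which thumbprint to expect.
$PfxCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    $PfxPath, $SecurePassword)

# Find the same certificate in the personal store that RDCMan reads from.
$StoreCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $PfxCert.Thumbprint }

if (-not $StoreCert) {
    throw "Thumbprint $($PfxCert.Thumbprint) is not in Cert:\CurrentUser\My; run Import-PfxCertificate first."
}
if (-not $StoreCert.HasPrivateKey) {
    throw "Certificate is in the store but has no private key; RDCMan would not be able to decrypt saved passwords."
}
if ($StoreCert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($StoreCert.NotAfter); create a new one with a longer `$YEARS."
}

# Round trip: encrypt with the public key, decrypt with the store copy's private key.
# GetRSAPrivateKey works for both legacy CSP and CNG keys (.NET Framework 4.6+).
$RsaExt  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
$Padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
$Plain   = [System.Text.Encoding]::UTF8.GetBytes("rdcman-roundtrip-test")

$Cipher    = $RsaExt::GetRSAPublicKey($StoreCert).Encrypt($Plain, $Padding)
$Decrypted = $RsaExt::GetRSAPrivateKey($StoreCert).Decrypt($Cipher, $Padding)

if ([System.Text.Encoding]::UTF8.GetString($Decrypted) -ne "rdcman-roundtrip-test") {
    throw "Private key in the store could not decrypt what its public key encrypted."
}

Write-Host "OK: $($StoreCert.Subject) ($($StoreCert.Thumbprint)) has a working private key, valid until $($StoreCert.NotAfter)"
```

Run it on every computer where the .pfx was imported; if it fails with the "no private key" message, the export was done without -KeyExportPolicy Exportable or the import was done from a .cer (public key only) instead of the .pfx.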
Use the Certificate in Remote Desktop Connection Manager
In the properties of each .rdg file you can configure encryption: switch the encryption method from the local user's credentials to a certificate and select the certificate you just imported (it is identified by the subject, "RDCMan" in the script above). From then on the saved passwords in that file can only be decrypted on computers where the same certificate and private key are present.
Hey, almost missed this: my friend and co-worker Markus Lassfolk has a really cool script that dumps all servers from AD and creates the .rdg file for you. Go grab it here: http://www.isolation.se/automatically-generate-rdcman-connection-files-with-a-script/