The Deployment Bunny

OS Deployment, Virtualization, Microsoft based Infrastructure…

Working in the Datacenter – Protect Remote Desktop Connection Manager using Self Signed Certificates

Posted by Mikael Nystrom on November 13, 2015

Note: Script has been updated to include $YEARS, the suggestion came from hans@aid.se, Thanks!

Even if IT is changing towards "pets" and "cattle", we still have a massive number of systems that will be managed over Remote Desktop for a long time. Using Remote Desktop Connection Manager makes that easier: you can basically work with all machines in a single window.

[Image: The mini view of 3 computers in RDCMan 2.7]

Security is important

One really great feature is that you can save the password for each and every connection, and if you read the help file, it states:

RDCMan can encrypt the passwords stored in files either with the local user’s credentials via CryptProtectData or an X509 certificate

Hmm, ok, the first one is kind of bad. CryptProtectData (DPAPI) ties the encryption to your user account and profile on that particular computer, so if I move the RDCMan file to another computer, none of the passwords can be decrypted there. On the other hand, that is also safer. But I really have that situation: I need to be able to use the configuration files on more than one computer, and they still need to be protected. So let's use a certificate instead. But how do you create a certificate that is easy to move around and at the same time is secure and protects itself?

According to the help file, we shall of course use the one utility on the planet that I hate most. I don't like the fact that you need to spend hours downloading an SDK just to run an app that creates a file in one second. There just has to be a replacement for makecert.exe...

PowerShell to the Rescue!

So, let us first create the certificate, export it, then remove it, and finally import it again. That way we know we can import it on other computers as well. You need to protect the exported certificate (the PFX file, which contains the private key) with a password; that way it can't be imported by anyone other than you. Pick a strong one: whoever gets hold of the PFX file can try passwords against it offline, and the private key is all that is needed to decrypt every saved password in the .rdg file.

Create and export a self signed Certificate for Remote Desktop Connection Manager

#Create and Export Certificate
$PlainPassword = "P@ssw0rd"              # demo value only; in practice read it with Read-Host -AsSecureString
$ExportFolder = "C:\Test"                # the folder must exist before the export
$Subject = "RDCMan"
$YEARS = 1
$CertificateFileName = "RDCManCertificate.pfx"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
# Exportable key pair in the current user's personal store, valid for $YEARS years
$RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter $(Get-Date).AddYears($YEARS)
# The PFX contains the private key; the password is what protects it on disk
Export-PfxCertificate -Cert $RDCManCertificate -FilePath "$ExportFolder\$CertificateFileName" -Password $SecurePassword
# Remove the certificate AND its private key from this machine; without -DeleteKey the key container stays behind
Remove-Item -Path "Cert:\CurrentUser\My\$($RDCManCertificate.Thumbprint)" -DeleteKey


Import the Self Signed Certificate for Remote Desktop Connection Manager

#Import Certificate
$PlainPassword = "P@ssw0rd"              # demo value only; in practice read it with Read-Host -AsSecureString
$ImportFolder = "C:\Test"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$CertificateFileName = "RDCManCertificate.pfx"
# Import into the current user's personal store; without -Exportable the private key cannot be exported again from this machine
$ImportedCertificate = Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $SecurePassword -FilePath "$ImportFolder\$CertificateFileName"
# Verify that the private key came along, otherwise RDCMan cannot decrypt the saved passwords
$ImportedCertificate | Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter


Use the Certificate in Remote Desktop Connection Manager

In the settings for each .rdg file you can configure the encryption, like this.

[Image: encryption settings for an .rdg file in RDCMan]
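The whole procedure above (create, export, remove, import, verify) as one script. This is an added example, not the original post's script: it reads the PFX password interactively instead of hard-coding it, deletes the private key container when the certificate is removed, imports the key as non-exportable on the target machine, and checks thumbprint, private key presence and expiry before you point RDCMan at the certificate. Assumptions (mine, not the post's): PowerShell 5.1 on Windows 10 / Server 2016 or later, where New-SelfSignedCertificate accepts -Subject and -KeySpec (on PowerShell 4 only -DnsName is available, as the comment thread notes); the paths, subject name and function names are placeholders.

```powershell
# Added example (not from the original post). Assumes PowerShell 5.1 on Windows 10 / Server 2016+,
# where New-SelfSignedCertificate supports -Subject and -KeySpec. Paths and names are placeholders.

function New-RdcManPfx {
    param(
        [string]       $Subject  = "RDCMan",
        [string]       $PfxPath  = "C:\Test\RDCManCertificate.pfx",
        [int]          $Years    = 10,
        [securestring] $Password
    )

    # Make sure the export folder exists before Export-PfxCertificate tries to write there.
    $null = New-Item -ItemType Directory -Force -Path (Split-Path $PfxPath)

    # Exportable key pair in the current user's personal store. The post uses KeySpec KeyExchange,
    # i.e. a key meant for encryption/decryption rather than signing, which is what RDCMan needs.
    $cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
        -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange `
        -NotAfter (Get-Date).AddYears($Years)

    # The PFX carries the private key, so the password is the only thing protecting it on disk.
    $null = Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password

    # Remove the certificate AND its private key container from this machine; without -DeleteKey
    # the key material stays behind in the user's key store even though the certificate is gone.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey

    return $cert.Thumbprint
}

function Import-RdcManPfx {
    param(
        [string]       $PfxPath,
        [securestring] $Password,
        [string]       $ExpectedThumbprint
    )

    # Import into the personal store. Without -Exportable the private key is marked non-exportable,
    # so a compromised workstation cannot simply re-export it (add -Exportable to keep the post's behaviour).
    $cert = Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My `
        -FilePath $PfxPath -Password $Password

    # Checks worth doing before trusting the certificate in RDCMan:
    if ($ExpectedThumbprint -and $cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint"
    }
    if (-not $cert.HasPrivateKey) {
        throw "Imported certificate has no private key; RDCMan will not be able to decrypt saved passwords"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter); plan a rollover before then"
    }
    return $cert
}

# Usage: prompt for the password so it never ends up in the script file or the PowerShell history.
$pw   = Read-Host -Prompt "PFX password" -AsSecureString
$pfx  = "C:\Test\RDCManCertificate.pfx"
$tp   = New-RdcManPfx -PfxPath $pfx -Years 10 -Password $pw
$cert = Import-RdcManPfx -PfxPath $pfx -Password $pw -ExpectedThumbprint $tp
"Imported {0} ({1}), valid until {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
```

On a second computer you only run the import half with the same password. Keep the PFX file out of the folder where the .rdg files live: the .rdg file plus the PFX (and its password) is everything an attacker needs to recover every saved credential.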

Hey, I almost missed this: my friend and co-worker Markus Lassfolk has a really cool script that dumps all servers from AD and creates the .rdg file for you. Go grab it here: http://www.isolation.se/automatically-generate-rdcman-connection-files-with-a-script/
/mike

7 Responses to “Working in the Datacenter – Protect Remote Desktop Connection Manager using Self Signed Certificates”

  1. apaladi said

    Creation fails, the New-SelfSignedCertificate cmdlet has a different syntax on my PowerShell 4:

    New-SelfSignedCertificate [-CertStoreLocation ] [-CloneCert ] [-DnsName ] [-Confirm] [-WhatIf] []

  2. hans694 said

    First of all. Nice work!
    I've just implemented this for myself but saw a "flaw" in your creation of the certificate. It's only valid for 12 months. At least for me this is a bit too short. So I added -NotAfter $(Get-date).AddYears(10) on the end of the line for the creation of the certificate. So that I can utilize this solution for many years to come (since I too have been annoyed with the "changing computer problem" =) )

    $RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter $(Get-date).AddYears(10)

  3. George Kuff said

    Hello there! How do you insert the selectable (copy/paste) PowerShell Script within your webpage ? Is it using a special app? HTML something ? Thx!
