Note: The script has been updated to include $YEARS. The suggestion came from hans@aid.se, thanks!
Even if IT is moving toward "pets" and "cattle", we still have a massive number of systems that will be managed using Remote Desktop for a long time. Remote Desktop Connection Manager makes that process easier: you can basically work with all machines in a single window.
The mini view of 3 computers in RDCMan 2.7
Security is important
One really great feature is that you can save the password for each and every connection, and if you read the help file, it states:
RDCMan can encrypt the passwords stored in files either with the local user’s credentials via CryptProtectData or an X509 certificate
Hmm, OK, the first one is kind of bad. If I move the RDCMan file to another computer then all the passwords are lost; on the other hand, that is also safer. But I really do have that situation: I need to be able to use the configuration files on more than one computer, and they need to be protected. So let's use a certificate instead. But how do you create a certificate that can be moved around easily and at the same time is secure and protects itself?
According to the help file, we should of course use the one utility on the planet that I hate most. I don't like the fact that you need to spend hours downloading an SDK just to run an app that creates a file in 1 second. There just has to be a replacement for makecert.exe…
PowerShell to the Rescue!
So, let us first create the certificate, export it, then remove it, and finally import it. This way we know we can import it on other computers as well. You need to protect the certificate with a password; that way it is protected from being imported by anyone other than you.
Create and export a self signed Certificate for Remote Desktop Connection Manager
#Create and Export Certificate
# Sample password: replace it with your own before running
$PlainPassword = "P@ssw0rd"
$ExportFolder = "C:\Test"
$Subject = "RDCMan"
$YEARS = 1
$CertificateFileName = "RDCManCertificate.pfx"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
# Create the certificate in the current user's store with an exportable private key
$RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter $(Get-date).AddYears($YEARS)
# Export the certificate and its private key to a password-protected PFX file
Export-PfxCertificate -Cert $RDCManCertificate -FilePath "$ExportFolder\$CertificateFileName" -Password $SecurePassword
# Remove the certificate from the store again
$RDCManCertificate | Remove-Item
Import the Self Signed Certificate for Remote Desktop Connection Manager
#Import Certificate
# Must be the same password that was used for the export
$PlainPassword = "P@ssw0rd"
$ImportFolder = "C:\Test"
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$CertificateFileName = "RDCManCertificate.pfx"
# Import the certificate and private key into the current user's store
Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $SecurePassword -FilePath "$ImportFolder\$CertificateFileName"
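A variant of the import step, as an added example that is not part of the original post: it prompts for the PFX password instead of keeping it in the script, inspects the file before importing it, and then reports whether the certificate in the store has its private key and how long it remains valid. The path and subject are the ones used in the scripts above; the function name `Get-RDCManCertificateStatus` and the 30-day warning threshold are assumptions.

```powershell
# Added example, not from the original post. Path and subject follow the scripts above.
$PfxPath = "C:\Test\RDCManCertificate.pfx"
$Subject = "CN=RDCMan"   # New-SelfSignedCertificate prefixes CN= when the subject has no "="

function Get-RDCManCertificateStatus {
    # Hypothetical helper: one row per matching certificate in the current user's store.
    param([string]$Subject, [int]$WarnDays = 30)   # 30 days is an assumed threshold
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq $Subject } | ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
        if (-not $_.HasPrivateKey) {
            $status = "NoPrivateKey"      # public key only
        } elseif ($daysLeft -lt 0) {
            $status = "Expired"
        } elseif ($daysLeft -lt $WarnDays) {
            $status = "ExpiringSoon"
        } else {
            $status = "OK"
        }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Prompt for the PFX password so it is never stored in the script file.
$SecurePassword = Read-Host -Prompt "PFX password" -AsSecureString

# Read the PFX without importing it and check that it holds the expected certificate.
$InFile = (Get-PfxData -FilePath $PfxPath -Password $SecurePassword).EndEntityCertificates[0]
if ($InFile.Subject -ne $Subject) {
    throw "Unexpected subject '$($InFile.Subject)' in $PfxPath"
}

# Without -Exportable the private key is imported as non-exportable on this computer.
$Imported = Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Password $SecurePassword -FilePath $PfxPath
if (-not $Imported.HasPrivateKey) {
    throw "Certificate $($Imported.Thumbprint) was imported without a private key."
}

# More than one row means several certificates share this subject in the store.
Get-RDCManCertificateStatus -Subject $Subject | Format-Table -AutoSize
```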
Use the Certificate in Remote Desktop Connection Manager
In the settings for each .rdg file you can configure encryption, like this.
Hey, I almost missed it: my friend and co-worker Markus Lassfolk has a really cool script that dumps all servers from AD and creates the .RDG file for you. Go grab it here: http://www.isolation.se/automatically-generate-rdcman-connection-files-with-a-script/
/mike
Creation fails, the New-SelfSignedCertificate cmdlet has a different syntax on my PowerShell 4:
New-SelfSignedCertificate [-CertStoreLocation ] [-CloneCert ] [-DnsName ] [-Confirm] [-WhatIf] []
Yes, I’m sorry, this works in PowerShell 5, so you will need to create the certificate on Windows 10 (Windows Server 2016) or you need to install PowerShell 5 on your machine: http://www.microsoft.com/en-us/download/details.aspx?id=48729 PowerShell 5 is currently in “Windows Management Framework 5.0 Production Preview” and therefore supported in production.
First of all. Nice work!
I’ve just implemented this for myself but saw a “flaw” in your creation of the certificate. It’s only valid for 12 months. At least for me this is a bit too short. So I added -NotAfter $(Get-date).AddYears(10) on the end of the line for the creation of the certificate, so that I can utilize this solution for many years to come (since I too have been annoyed with the “changing computer problem” =) )
$RDCManCertificate = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject $Subject -KeyExportPolicy Exportable -KeySpec KeyExchange -NotAfter $(Get-date).AddYears(10)
Well, it was not really a flaw. I think that client certificates like this are fine for a year, but if you are OK with more than a year, go ahead. I’ll add a parameter to the script so it will be possible to specify the length. Good catch and thanks for providing the solution!
/mike
Updated so it does include Years as well.
Hello there! How do you insert the selectable (copy/paste) PowerShell script within your webpage? Is it using a special app? HTML something? Thx!