About Digitally Signing Files for Virtual Desktop Connections

Applies To: Windows Server 2008 R2

You can use a digital signature to sign .rdp files that are used for connections to virtual desktops through RemoteApp and Desktop Connection. This includes the .rdp files that are used for connections to virtual desktop pools and personal virtual desktops.

Important

To connect to a virtual desktop by using a digitally signed .rdp file, the client must be running at least Remote Desktop Client (RDC) 6.1. (The RDC 6.1 client supports Remote Desktop Protocol 6.1.)

If you sign the file with a digital certificate, the cryptographic signature on the .rdp file provides verifiable information about your identity as its publisher. This lets clients recognize your organization as the source of the virtual desktop connection and make a more informed trust decision about whether to start it. The signature covers the connection settings in the file (the client lists them in the file's signscope setting), so a client can detect an .rdp file whose signed settings, such as the server address, were altered by a malicious user after you published it.

You can sign .rdp files that are used for virtual desktop connections by using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate], a Code Signing certificate, or a specially defined Remote Desktop Protocol (RDP) Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs), or from an enterprise CA in your public key infrastructure hierarchy. Before you can use an RDP Signing certificate, you must configure a CA in your enterprise to issue RDP Signing certificates.

If you are already using an SSL certificate for connections to a Remote Desktop Session Host (RD Session Host) server or RD Gateway, you can use the same certificate to sign .rdp files. However, if users connect to virtual desktops from public or home computers, those computers do not have your enterprise root in their trusted root store and cannot build a chain to it, so you must use one of the following:

  • A certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547).

  • If you are using an enterprise CA, an enterprise CA-issued certificate that is co-signed by a public CA that participates in the Microsoft Root Certificate Program Members program.

Use the following procedure to configure the digital certificate with which to sign .rdp files for virtual desktop connections.

Membership in the local Administrators group, or equivalent, on the RD Connection Broker server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To configure the digital certificate to use

  1. On the RD Connection Broker server, open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.

  2. In the left pane, click RD Virtualization Host Servers, and then on the Action menu, click Properties.

  3. In the Virtual Desktops Properties dialog box, on the Digital Signature tab, select the Sign with a digital certificate check box.

  4. In the Digital certificate details box, click Select.

  5. In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.

Note

The Select Certificate dialog box is populated with certificates from the Personal store of the local computer and the Personal store of the current user. The certificate that you want to use must be located in one of these stores and must be installed together with its private key; a certificate that holds only the public key cannot be used to sign.

  6. When you are finished, click OK to close the Virtual Desktops Properties dialog box.
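The procedure above configures the RD Connection Broker to sign the .rdp files it hands out. The following PowerShell script is an added example, not part of the original article, that does the equivalent from the command line for any .rdp file: it finds a certificate that meets the requirements stated above (in the same two stores the Select Certificate dialog reads, with a private key, not expired, and carrying a Server Authentication, Code Signing, or RDP Signing EKU), signs the file with rdpsign.exe, and then reports which settings the signature protects. It assumes rdpsign.exe is in %SystemRoot%\System32, as it is on Windows Server 2008 R2 with Remote Desktop Services installed, and that C:\rdp\pool1.rdp is a placeholder for your own unsigned file. The EKU OIDs are the standard ones; confirm the RDP Signing OID against the template your CA issues.

```powershell
# Added example (not from the original article): find a usable signing certificate,
# sign an .rdp file with rdpsign.exe, and show what the signature covers.
# Assumptions: rdpsign.exe is in %SystemRoot%\System32; $RdpFile is a placeholder path.
param([string] $RdpFile = 'C:\rdp\pool1.rdp')

# EKUs the article accepts for .rdp signing (OID -> description). Verify the last one
# against the RDP Signing certificate template issued by your enterprise CA.
$acceptedEkus = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication (SSL)'
    '1.3.6.1.5.5.7.3.3'      = 'Code Signing'
    '1.3.6.1.4.1.311.54.1.2' = 'Remote Desktop Authentication (RDP Signing template)'
}

function Get-EkuOids {
    # Returns the EKU OIDs of a certificate, or an empty list if it has no EKU extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

# Same two stores as the Select Certificate dialog, filtered for what signing actually needs:
# a private key, an unexpired certificate, and one of the accepted EKUs.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My | Where-Object {
    $c = $_
    $c.HasPrivateKey -and
    $c.NotAfter -gt (Get-Date) -and
    ((Get-EkuOids $c) | Where-Object { $acceptedEkus.ContainsKey($_) })
})
if ($candidates.Count -eq 0) { throw 'No certificate with a private key and a signing EKU was found.' }

# Prefer the certificate that expires last, and print the choice so it is auditable.
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
"Signing with: $($cert.Subject)  thumbprint=$($cert.Thumbprint)  expires=$($cert.NotAfter)"

# rdpsign /sha1 takes the SHA-1 thumbprint, which is what X509Certificate2.Thumbprint returns.
# /l checks the certificate and file without writing a signature; /q then signs in place, quietly.
& rdpsign.exe /sha1 $cert.Thumbprint /l $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign test run failed with exit code $LASTEXITCODE" }
& rdpsign.exe /sha1 $cert.Thumbprint /q $RdpFile
if ($LASTEXITCODE -ne 0) { throw "rdpsign failed with exit code $LASTEXITCODE" }

# A signed .rdp file gains two settings: signscope:s: (comma-separated names of the settings
# the signature covers) and signature:s: (the signature itself). Only settings named in
# signscope are protected; a client detects changes to those and nothing else.
$lines = Get-Content $RdpFile
$scope = ($lines | Where-Object { $_ -like 'signscope:s:*' }) -replace '^signscope:s:', ''
$signature = $lines | Where-Object { $_ -like 'signature:s:*' }
if (-not $signature) { throw 'File has no signature:s: line after signing.' }
"Signed settings: $scope"
```

The test run with /l is worth keeping: it fails early when the chosen certificate cannot chain to a trusted root or lacks a suitable EKU, before the file is touched. Note that settings outside the signscope list are not protected by the signature, so review that list rather than assuming the whole file is covered.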

For more information about RemoteApp and Desktop Connection security, see About RemoteApp and Desktop Connection Security.

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file

You can use Group Policy to configure clients to always recognize virtual desktop connections from a particular publisher as trusted. You can also configure whether clients block remote desktop connections from external or unknown sources. By using these policy settings, you reduce the number and complexity of security decisions that users face, and with them the chance that a user inadvertently accepts a tampered or unsigned .rdp file.

The relevant Group Policy settings are:

  • Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

  • Allow .rdp files from valid publishers and user’s default .rdp settings

  • Allow .rdp files from unknown publishers

These Group Policy settings are located in both of the following locations:

  • Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

  • User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

These Group Policy settings can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).

For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (https://go.microsoft.com/fwlink/?LinkId=138134).
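The following PowerShell script is an added example, not part of the original article, that applies the three policy settings described above to a single test client by writing the registry values those Group Policy settings set under the computer-configuration policy key. The key and value names (TrustedCertThumbprints, AllowSignedFiles, AllowUnsignedFiles under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) are the ones the Remote Desktop Services administrative template uses; check them against your own copy of the template, and for domain-wide deployment set the same policies in GPMC instead. The publisher's thumbprint is read from an exported certificate file so that it is never typed by hand. The path C:\rdp\publisher.cer is a placeholder, and the script must run elevated.

```powershell
# Added example (not from the original article): configure a test client to trust a
# specific .rdp publisher, allow other validly signed files, and block unsigned ones.
# Assumptions: registry names match the RDS ADMX; $PublisherCerFiles are placeholder paths.
param([string[]] $PublisherCerFiles = @('C:\rdp\publisher.cer'))

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# SHA-1 thumbprint of each publisher certificate (upper-case hex, no spaces), taken from
# the exported .cer file rather than copied by hand from a dialog.
$thumbprints = foreach ($f in $PublisherCerFiles) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning "$f has expired; clients will not trust it." }
    $c.Thumbprint
}

if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

# "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers":
# a comma-separated list; files signed by one of these certificates open as trusted.
Set-ItemProperty -Path $policyKey -Name TrustedCertThumbprints -Value ($thumbprints -join ',') -Type String

# "Allow .rdp files from valid publishers and user's default .rdp settings" = Enabled (1):
# files signed with a valid certificate that is not on the trusted list may still be opened;
# the client identifies the publisher before connecting.
Set-ItemProperty -Path $policyKey -Name AllowSignedFiles -Value 1 -Type DWord

# "Allow .rdp files from unknown publishers" = Disabled (0): unsigned files, and files whose
# signature does not verify, are blocked.
Set-ItemProperty -Path $policyKey -Name AllowUnsignedFiles -Value 0 -Type DWord

# Show the resulting values for verification.
Get-ItemProperty -Path $policyKey | Select-Object TrustedCertThumbprints, AllowSignedFiles, AllowUnsignedFiles
```

The same value names apply under HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services for the User Configuration variants of the settings. Keep the thumbprint list in step with certificate renewals: when the publisher certificate is replaced, the old thumbprint no longer matches and users fall back to the "valid publisher" behaviour until the list is updated.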

Additional references