Share via


About Digitally Signing RemoteApp Programs

Updated: March 2, 2011

Applies To: Windows Server 2008 R2

You can use a digital signature to sign .rdp files that are used for RemoteApp connections to the Remote Desktop Session Host (RD Session Host) server. This includes the .rdp files that are used for connections through RD Web Access to RemoteApp programs and to the desktop of an RD Session Host server.

Important

To connect to a RemoteApp program by using a digitally signed .rdp file, the client must be running at least Remote Desktop Client (RDC) 6.1. (The RDC 6.1 client supports Remote Desktop Protocol 6.1.)

If you use a digital certificate, the cryptographic signature on the connection file provides verifiable information about your identity as its publisher. This enables clients to recognize your organization as the source of the RemoteApp program or the remote desktop connection, and allows them to make more informed trust decisions about whether to start the connection. This helps protect against the use of .rdp files that were altered by a malicious user.

You can sign .rdp files that are used for RemoteApp connections by using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate], a Code Signing certificate, or a specially defined Remote Desktop Protocol (RDP) Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs), or from an enterprise CA in your public key infrastructure hierarchy. Before you can use an RDP Signing certificate, you must configure a CA in your enterprise to issue RDP Signing certificates.

If you are already using an SSL certificate for RD Session Host server or RD Gateway connections, you can use the same certificate to sign .rdp files. However, if users will connect to RemoteApp programs from public or home computers, you must use either of the following:

  • A certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547).

  • If you are using an enterprise CA, your enterprise CA-issued certificate must be co-signed by a public CA that participates in the Microsoft Root Certification Program Members program.

Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To configure the digital certificate to use

  1. On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.

  2. In the Actions pane of RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.)

  3. Select the Sign with a digital certificate check box.

  4. In the Digital certificate details box, click Change.

  5. In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.

Note

The Select Certificate dialog box is populated by certificates that are located in the local computer's certificates store or in your personal certificate store. The certificate that you want to use must be located in one of these stores.

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file

You can use Group Policy to configure clients to always recognize RemoteApp programs from a particular publisher as trusted. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.

The relevant Group Policy settings are:

  • Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

  • Allow .rdp files from valid publishers and user’s default .rdp settings

  • Allow .rdp files from unknown publishers

These Group Policy settings are located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client and User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

These Group Policy settings can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).

For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (https://go.microsoft.com/fwlink/?LinkId=138134).