Using Let's Encrypt to secure Windows Remote Desktop connections

following on from what has been discussed

A) If you are going to use letsencrypt it is definitely a good idea to have the letsencrypt intermediate certificates on all servers and workstations in the domain (so it is trusted)
B) Deploying signed RDP files is also a good idea
C) Usually for these kinds of problem I would be running and internal ca (which AD will automatically distribute certificates for) however the requirement was for letsencryt with RDP
D) From my testing RDP seems to include the Intermediate certificate (i deleted the LetsEncrypt intermediate form the intermediate store)

Andrei

Hi mcdado,

I just put together a script to automate the issuing of server certificates for RDP listeners based on Marc Durdins script for Windows Web Servers. Just take a look at blogs.technet.microsoft.com/dmelanchthon/…automatisieren. The text is in German but you can just take the script This is for example a PowerShell snippet to bind a certificate to the RDP listener:

Bind the certificate to the RDP listener

Write-Output “Bind certificate with Thumbprint $certThumbprint”
$wmipath = (Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -Filter “TerminalName=‘RDP-tcp’”).__path
Set-WmiInstance -Path $wmipath -argument @{SSLCertificateSHA1Hash=$certThumbprint}

Have fun!
Daniel

3 Likes

Thanks @Daniel_MSFT

I briefly looked through the links you posted and it looks very interesting. If I understand this correctly, the ACMESharp is able to generate dns-01 challenges, but you’d need either to update your zone manually or using APIs from your DNS provider, is that right? (unless you’re running a public-facing DNS of course, which we’re not).

In this case, it would be interesting for me to implement the connector for my DNS provider in PowerShell, so that I could set it up on a local server in my local network to automatically perform renews based on the public facing DNS.

Thanks for your input!

This is really good work :smiley:

would you mind if i modified it slightly and add it to the list of clients

https://letsencrypt.org/docs/client-options/

there is a lot of confusion around windows and your powershell script should clear some of this up

I am going to use this for some of my projects as well

Thanks for sharing.

Andrei

1 Like

@mcdado: Yes, that’s right. You’ll need to add/change the TXT record in the public facing DNS server. I did this manually before and I am looking for an automated solution right now. My current DNS provider doesn’t provide an API for manipulating records. One could use PowerShell and IE - Using IE Automation in PowerShell to Simplify Browser Based Tasks - or Curl - Using Curl in Powershell - or the Perl module WWW::Mechanize::Shell to automate this task but this would be error prone with every web site change from the DNS provider.

Currently I am looking into Azure DNS. I already imported the DNS zone file from my domain - https://docs.microsoft.com/en-us/azure/dns/dns-import-export - and set the Azure DNS servers as the primary DNS servers for my domain. Having done this I installed the latest Azure Resource Manager modules from the PowerShell Gallery with Install-Module AzureRM to manage resources with Azure PowerShell and Resource Manager: http://docs.microsoft.com/en-us/azure/azure-resource-manager/powershell-azure-resource-manager

I hope How to manage DNS Zones using PowerShell - https://docs.microsoft.com/en-us/azure/dns/dns-operations-dnszones - will guide me to the solution to fully automize the DNS challange but this willl take a few days as I have to focus on different things right now.

But in a nutshell this is my idea how it could be done.

@Andrei: Please feel free to use my content and spread the word. Just give Marc the same credit as I did.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.