Configure Digital Signature Settings (Optional)
Applies To: Windows Server 2008
You can use a digital signature to sign .rdp files that are used for RemoteApp connections to the terminal server. This includes the .rdp files that are used for connections through TS Web Access to RemoteApp programs on the terminal server and to the terminal server desktop.
To connect to a RemoteApp program by using a digitally signed .rdp file, the client must be running Remote Desktop Connection (RDC) 6.1. The RDC 6.1 (6.0.6001) client supports Remote Desktop Protocol 6.1.
If you use a digital certificate, the cryptographic signature on the connection file provides verifiable information about your identity as its publisher. This enables clients to recognize your organization as the source of the RemoteApp program or the remote desktop connection, and allows the clients to make more informed trust decisions about whether to start the connection. This helps protect against the use of .rdp files that were altered by a malicious user.
You can sign .rdp files that are used for RemoteApp connections by using a Server Authentication certificate (SSL certificate) or a Code Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs) or from an enterprise CA in your public key infrastructure hierarchy.
If you already use an SSL certificate for terminal server or TS Gateway connections, you can use the same certificate to sign .rdp files. However, if users will connect to RemoteApp programs from public or home computers, you must use either of the following:
A certificate from a public certification authority (CA) that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547)
An enterprise CA-issued certificate that is co-signed by a public CA that participates in the Microsoft Root Certification Program Members program
To configure the digital certificate to use
In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.)
Select the Sign with a digital certificate check box.
In the Digital certificate details box, click Change.
In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.
The Select Certificate dialog box is populated by certificates that are located in the local computer's certificates store or in your personal certificate store. The certificate that you want to use must be located in one of these stores.
Using Group Policy settings to control client behavior when opening a digitally signed .rdp file
You can use Group Policy settings to configure clients to always trust RemoteApp programs from a particular publisher. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.
The relevant Group Policy settings are located in the Local Group Policy Editor at the following location, in the Computer Configuration node and in the User Configuration node:
Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client
The available policy settings include the following:
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted .rdp file publishers. If you enable this policy setting, any certificate with a SHA1 thumbprint that matches a thumbprint on the list is trusted.
Allow .rdp files from valid publishers and user’s default .rdp settings
This policy setting allows you to specify whether users can run .rdp files from a publisher that signed the file with a valid certificate. This policy setting also controls whether the user can start an RDP session by using default .rdp settings, such as when a user directly opens the RDC client without specifying an .rdp file.
Allow .rdp files from unknown publishers
This policy setting allows you to specify whether users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer.
To use these Group Policy settings, the client computer must be running RDC 6.1.
For more information about these policy settings, view the Group Policy Explain text in the Local Group Policy Editor.