About Digitally Signing RemoteApp Programs

Applies To: Windows Server 2008

You can use a digital signature to sign .rdp files that are used for RemoteApp connections to the terminal server. This includes the .rdp files that are used for connections through TS Web Access to RemoteApp programs and to the terminal server desktop.

If you use a digital certificate, the cryptographic signature on the connection file provides verifiable information about your identity as its publisher. This enables clients to recognize your organization as the source of the RemoteApp program or the remote desktop connection, and allows them to make more informed trust decisions about whether to start the connection. This helps protect against the use of .rdp files that were altered by a malicious user.

You can sign .rdp files that are used for RemoteApp connections by using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate], a Code Signing certificate, or a specially defined Remote Desktop Protocol (RDP) Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs), or from an enterprise CA in your public key infrastructure hierarchy. Before you can use an RDP Signing certificate, you must configure a CA in your enterprise to issue RDP Signing certificates. For more information, see the Windows Server 2008 Terminal Services Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=79603).

If you are already using an SSL certificate for terminal server or TS Gateway connections, you can use the same certificate to sign .rdp files. However, if users will connect to RemoteApp programs from public or home computers, you must use either of the following:

• A certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547).

• If you are using an enterprise CA, your enterprise CA-issued certificate must be co-signed by a public CA that participates in the Microsoft Root Certification Program Members program.

To configure the digital certificate to use

1. In the Actions pane of TS RemoteApp Manager, click Digital Signature Settings. (Or, in the Overview pane, next to Digital Signature Settings, click Change.)

2. Select the Sign with a digital certificate check box.

3. In the Digital certificate details box, click Change.

4. In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file

You can use Group Policy to configure clients to always recognize RemoteApp programs from a particular publisher as trusted. You can also configure whether clients will block RemoteApp programs and remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.

The relevant Group Policy settings are located in the Local Group Policy Editor at the following location, in both the Computer Configuration and in the User Configuration node:

Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client

The available policy settings are:

• Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

• Allow .rdp files from valid publishers and user’s default .rdp settings

• Allow .rdp files from unknown publishers

For more information about these Group Policy settings, see the Group Policy Explain text, and the TS RemoteApp Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=84895).

Additional references

• Configure Deployment Settings