
We used Comodo for PCI scanning and although it had a dislike for the RDP port it still passed as a false positive.

Comodo have now sold their business to Sectigo and are using the Qualys engine for PCI scanning and it failed on this issue, with the solution being

Please install a server certificate signed by a trusted third-party Certificate Authority. 

Clearly there is a valid certificate for normal HTTPS connections.

Remote Desktop Session Host Configuration manager no longer seems to exist so pointing to a third party certificate that way is blocked.

Looking at this tutorial...

https://aventistech.com/2019/08/ssl-certificate-for-windows-remote-desktop-server/

...seemed like a solution, but it requires the CA - Certification Authority console.

I installed that, but Enterprise CA was greyed out so I proceeded with Standalone CA.

Turns out that Certificate Templates that I need are only installed with Enterprise CA.

Any ideas?

Thank you

======================= EDIT ==========================

Just a thought - 99.99% of the time RDP connections are only required from within our network - so limiting IP addresses to that range within the firewall for that port should block that hole. If I had to connect from outside our network would connecting to another server that doesn't have this blocked, then RDP to the restricted one work? I gather it is possible to chain RDP connections.

  • Does the server have the Remote Desktop Services role installed? Or are you just using Remote Desktop for admin access? Are you trying to reuse an existing certificate for the server or generate a new one? If you're trying to reuse an existing certificate, are you using IIS as your web server or a third-party server like Apache? Commented Dec 22, 2019 at 20:56
  • Hi Harry - Remote Desktop Services role is installed. It's used just for admin access, but the ability to connect from outside our network is useful (otherwise I could just restrict it to private network, or our internal IP addresses) - Yes I want to use the existing IIS certificate if possible Commented Dec 22, 2019 at 21:33
  • This might help, though most of the answer won't apply to you since you already have a certificate in place. The problem will be whether or not the IIS certificate is configured to allow the private key to be exported - if not, I don't think there's anything you can do. Commented Dec 22, 2019 at 21:38
  • ... but are you sure that Remote Desktop Services is installed? It would be an unusual choice in this scenario, because it requires you to purchase remote desktop client access licences, set up a licencing server, and so on, none of which is needed for admin access. I ask because if I remember rightly, in a non-RDS configuration you don't need to be able to export the private keys in order to use an existing certificate. Commented Dec 22, 2019 at 21:42
  • In case it is useful to you or others, the answers to this question explain how to select a certificate for a non-RDS server. Commented Dec 22, 2019 at 21:47
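
The non-RDS route the last comment points to, as an added example (not code from the question or its comments): bind an existing CA-signed certificate from the machine store (such as the one IIS already uses) to the RDP-Tcp listener, and check the three things that most often leave the listener on its self-signed certificate. The subject name is a placeholder and the script assumes an elevated Windows PowerShell 5.1 session on the server itself.

```powershell
# Added example, not from the question or its comments. Binds an existing
# trusted certificate to the RDP-Tcp listener on a non-RDS host so that it
# stops presenting the self-signed certificate the PCI scanner objects to.
$SubjectName = 'CN=rdp.example.com'   # placeholder, not a value from the page

# 1. Pick the newest matching certificate that actually has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $SubjectName" }

# 2. It must chain to a root this host trusts; an untrusted or self-signed
#    certificate would leave the scanner finding in place.
if (-not $cert.Verify()) { throw "$($cert.Thumbprint) does not chain to a trusted root" }

# 3. If an EKU extension is present it must include Server Authentication.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw 'Certificate lacks the Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
}

# 4. The Remote Desktop service runs as NETWORK SERVICE and needs read access
#    to the private key. This handles keys held by a legacy CSP (the usual case
#    for a certificate imported from a PFX); CNG-stored keys are left untouched.
try { $csp = $cert.PrivateKey } catch { $csp = $null }
if ($csp -and $csp.CspKeyContainerInfo) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $csp.CspKeyContainerInfo.UniqueKeyContainerName
    icacls $keyFile /grant 'NT AUTHORITY\NETWORK SERVICE:(R)' | Out-Null
}

# 5. Point the listener at the certificate by thumbprint (same setting the old
#    Session Host Configuration snap-in used to expose).
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
Set-WmiInstance -InputObject $listener `
                -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# 6. Read it back; new RDP sessions will present this certificate from now on.
$current = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                          -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($current -ne $cert.Thumbprint) { throw 'Listener did not accept the certificate' }
"RDP-Tcp now uses $($cert.Subject) ($current), expires $($cert.NotAfter)"
```

Re-run the PCI scan afterwards; the listener change takes effect for new connections without a reboot, but the certificate will need rebinding whenever it is renewed with a new thumbprint.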
