Create a secure SSL RDP connection using Certificates

Problem:

This is how to ensure traffic sent over RDP is protected by SSL/TLS.

Solution:

Create an RDP Certificate Template

1. On the domain CA, launch the Certification Authority Management Console > Certificate Templates > Right click > Manage.

2. Locate, and make a duplicate of, the Computer template.

3. General tab > Set the display and template name to RemoteDesktopSecure.

4. Extensions tab > Application Policies > Edit > Add, and add Client Authentication and Server Authentication.

5. New > Name=SSL Secured Remote Desktop > Object Identifier=1.3.6.1.4.1.311.54.1.2 > OK.

6. Select the policy you have just created > OK.

7. Remove the other policies, so only the one we have just created remains > OK.

8. Security tab > Ensure that the computer groups you want to apply the template to are selected for Read and AutoEnroll.

9. Issue/Publish the new certificate template.

Create a GPO to secure RDP access with Certificates

10. From the Group Policy Management Console, create (or edit) a GPO and give it a name.

11. Edit that policy and navigate to:

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Locate the ‘Server authentication certificate template’ policy.

12. Enable it and set the template name to RemoteDesktopSecure > Apply > OK.

13. In the same location, locate the ‘Require use of specific security layer for remote (RDP) connections’ policy.

14. Enable the policy and set the security layer to SSL (TLS 1.0) > Apply > OK > Exit the policy editor.

15. Link the GPO to an OU that contains the servers you want to apply the policy to.

16. You may need to wait a short while, but eventually the servers will get their certificates.
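
To confirm on a given server that the policy and certificate from the steps above have taken effect, the following check can be run in an elevated PowerShell session. It is an added example, not part of the original article, and it assumes the default RDP-Tcp listener name and the Win32_TSGeneralSetting WMI class in root\cimv2\TerminalServices.

```powershell
# Added verification example (not from the original article).
# Assumptions: default listener name 'RDP-Tcp'; run elevated on a server the GPO applies to.
$expectedOid = '1.3.6.1.4.1.311.54.1.2'   # Object Identifier entered in step 5

# Read the RDP listener settings exposed through WMI.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $listener) { throw 'RDP-Tcp listener not found on this machine.' }

# SecurityLayer values: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS).
$layerIsSsl = ($listener.SecurityLayer -eq 2)

# Thumbprint of the certificate the listener is currently bound to.
$thumb = $listener.SSLCertificateSHA1Hash

# Auto-enrolled certificates land in the computer's Personal store.
# If nothing matches, the listener is still using its self-generated certificate.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object -First 1

# Collect the Enhanced Key Usage OIDs from the bound certificate.
$ekuOids = @()
if ($cert) {
    $ekuOids = @(
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
}

# One summary object per server; every boolean should be True once enrollment has completed.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    SecurityLayerIsSsl  = $layerIsSsl
    ListenerThumbprint  = $thumb
    CertInPersonalStore = [bool]$cert
    IssuedByCa          = [bool]$cert -and ($cert.Subject -ne $cert.Issuer)
    HasRemoteDesktopEku = ($ekuOids -contains $expectedOid)
    NotAfter            = if ($cert) { $cert.NotAfter } else { $null }
}
```

If CertInPersonalStore is False after the GPO has refreshed, the server has not enrolled against the RemoteDesktopSecure template yet; recheck the Read and AutoEnroll permissions from step 8.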
