You can use a digital signature to sign .rdp files that are used for connections to virtual desktops through RemoteApp and Desktop Connection. This includes the .rdp files that are used for connections to virtual desktop pools and personal virtual desktops.

Important

To connect to a virtual desktop by using a digitally signed .rdp file, the client must be running at least Remote Desktop Client (RDC) 6.1. (The RDC 6.1 client supports Remote Desktop Protocol 6.1.)

If you use a digital certificate, the cryptographic signature on the .rdp file provides verifiable information about your identity as its publisher. This enables clients to recognize your organization as the source of the virtual desktop connection, and allows them to make more informed trust decisions about whether to start the connection. This helps protect against the use of .rdp files that were altered by a malicious user.

You can sign .rdp files that are used for virtual desktop connections by using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate], a Code Signing certificate, or a specially defined Remote Desktop Protocol (RDP) Signing certificate. You can obtain SSL and Code Signing certificates from public certification authorities (CAs), or from an enterprise CA in your public key infrastructure hierarchy. Before you can use an RDP Signing certificate, you must configure a CA in your enterprise to issue RDP Signing certificates.

If you are already using an SSL certificate for connections to a server or a Remote Desktop Gateway (RD Gateway) server, you can use the same certificate to sign .rdp files. However, if users connect to virtual desktops from public or home computers, you must use one of the following:

  • A certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (https://go.microsoft.com/fwlink/?LinkID=59547).

  • If you are using an enterprise CA, your enterprise CA-issued certificate must be co-signed by a public CA that participates in the Microsoft Root Certification Program Members program.

Use the following procedure to configure the digital certificate with which to sign .rdp files for virtual desktop connections.

Membership in the local Administrators group, or equivalent, on the Remote Desktop Connection Broker (RD Connection Broker) server that you plan to configure is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at https://go.microsoft.com/fwlink/?LinkId=83477.

To configure the digital certificate to use
  1. On the RD Connection Broker server, open Remote Desktop Connection Manager. To open Remote Desktop Connection Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.

  2. In the left pane, click RD Virtualization Host Servers, and then on the Action menu, click Properties.

  3. In the Virtual Desktops Properties dialog box, on the Digital Signature tab, select the Sign with a digital certificate check box.

  4. In the Digital certificate details box, click Select.

  5. In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.

    Note

    The Select Certificate dialog box is populated with certificates that are located in the local computer's certificate store or in your personal certificate store. The certificate that you want to use must be located in one of these stores.

  6. When you are finished, click OK to close the Virtual Desktops Properties dialog box.
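Before step 5, it helps to know which certificates the Select Certificate dialog box can offer and why a candidate might not be usable. The following PowerShell script is an added example, not part of the original page or of the Remote Desktop Connection Manager tool: it enumerates the two stores the dialog reads from and reports each certificate that carries a Server Authentication, Code Signing or RDP Signing purpose, together with any reason it would fail (no private key, expired, chain not trusted on this host). The Server Authentication and Code Signing OIDs are the standard PKIX values; the Remote Desktop Authentication OID is an assumption quoted from memory and should be checked against your CA's template.

```powershell
# Added example (not from the original page): list certificates that the
# "Select Certificate" dialog could offer for signing .rdp files and flag
# the reasons a candidate would be unusable.
$EkuNames = @{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication (SSL)'
    '1.3.6.1.5.5.7.3.3'      = 'Code Signing'
    '1.3.6.1.4.1.311.54.1.2' = 'Remote Desktop Authentication (RDP Signing)'  # assumed OID, verify
}

function Get-RdpSigningCandidate {
    [CmdletBinding()]
    param(
        # The stores the dialog reads from: local computer and current user Personal stores
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $oids = @()
            if ($ekuExt) { $oids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
            $matched = $oids | Where-Object { $EkuNames.ContainsKey($_) }
            if (-not $matched) { continue }   # no usable signing purpose, skip it

            $problems = @()
            if (-not $cert.HasPrivateKey)      { $problems += 'no private key' }
            if ($cert.NotAfter -lt (Get-Date))  { $problems += 'expired' }
            if ($cert.NotBefore -gt (Get-Date)) { $problems += 'not yet valid' }
            if (-not $cert.Verify())            { $problems += 'chain does not validate on this host' }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Purpose    = ($matched | ForEach-Object { $EkuNames[$_] }) -join ', '
                NotAfter   = $cert.NotAfter
                Usable     = ($problems.Count -eq 0)
                Problems   = ($problems -join '; ')
            }
        }
    }
}

Get-RdpSigningCandidate | Sort-Object Usable -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the RD Connection Broker server so that the local computer store is readable; a certificate listed as Usable with the Thumbprint shown is the one to pick in step 5.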

For more information about RemoteApp and Desktop Connection security, see About RemoteApp and Desktop Connection Security.

Using Group Policy settings to control client behavior when opening a digitally signed .rdp file

You can use Group Policy to configure clients to always recognize virtual desktop connections from a particular publisher as trusted. You can also configure whether clients block remote desktop connections from external or unknown sources. By using these policy settings, you can reduce the number and complexity of security decisions that users face. This reduces the chances of inadvertent user actions that may lead to security vulnerabilities.

The relevant Group Policy settings are:

  • Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

  • Allow .rdp files from valid publishers and user’s default .rdp settings

  • Allow .rdp files from unknown publishers

These Group Policy settings are located in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client and User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client.

These Group Policy settings can be configured by using either the Local Group Policy Editor or the Group Policy Management Console (GPMC).
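The three policy settings above land in the Terminal Services policy registry key on the client once Group Policy applies. The PowerShell script below is an added example, not from the original page: it reads the effective values from both the computer and the user scope, normalises the trusted-publisher thumbprint list, lets you test whether a given signing certificate thumbprint is trusted, and warns where unsigned (unknown publisher) files are allowed. The registry value names TrustedCertThumbprints, AllowSignedFiles and AllowUnsignedFiles are assumed from the Remote Desktop Services ADMX template; verify them against your own policy template before relying on the output.

```powershell
# Added example (not from the original page): audit the client-side policies that
# govern how digitally signed and unsigned .rdp files are treated.
# Assumption: value names below come from the Remote Desktop Services ADMX template.
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',   # Computer Configuration
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'    # User Configuration
)

function Get-RdpPublisherPolicy {
    foreach ($key in $PolicyKeys) {
        $props  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $thumbs = @()
        if ($props.TrustedCertThumbprints) {
            # The policy stores a comma-separated list; normalise for comparison
            $thumbs = $props.TrustedCertThumbprints -split ',' |
                ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() } |
                Where-Object { $_ }
        }
        [pscustomobject]@{
            Scope              = $key
            TrustedThumbprints = $thumbs
            AllowSignedFiles   = $props.AllowSignedFiles     # $null = not configured
            AllowUnsignedFiles = $props.AllowUnsignedFiles   # $null = not configured
        }
    }
}

function Test-RdpPublisherTrusted {
    # Returns $true when the thumbprint is listed as a trusted .rdp publisher in either scope
    param([Parameter(Mandatory)][string]$Thumbprint)
    $t = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    foreach ($p in Get-RdpPublisherPolicy) {
        if ($p.TrustedThumbprints -contains $t) { return $true }
    }
    return $false
}

Get-RdpPublisherPolicy | Format-List
foreach ($p in Get-RdpPublisherPolicy) {
    # Unsigned files allowed means a tampered .rdp file would open without a publisher check
    if ($p.AllowUnsignedFiles -eq 1) { Write-Warning "$($p.Scope): .rdp files from unknown publishers are allowed" }
}
# Example check with a placeholder thumbprint (replace with your signing certificate's value)
Test-RdpPublisherTrusted -Thumbprint '0000000000000000000000000000000000000000'
```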

For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (https://go.microsoft.com/fwlink/?LinkId=138134).
