Why you should sign RDP files and how to script the signing


RDP file signing is all about security. When you sign RDP files with a trusted certificate, your clients can verify that important settings, such as which server to connect to, haven't changed since the RDP file was created. This helps protect both the user and the server from potential attacks. As an added benefit, because the identity of the publisher can be determined, the client doesn't need to display warning dialogs stating that the RDP file might not be safe.

So how do you get all this goodness for your users?

You can create signed RDP files using the RemoteApp Manager tool, but if you're looking for a scripted approach this isn't practical. Luckily, there's a command-line tool, rdpsign.exe, that signs RDP files from a script. Unfortunately, it shipped without the ability to write out the Unicode header (the byte-order mark), but this is easily fixed with VBScript and has been fixed in the next release of Windows.

So how do you sign using rdpsign?

First, create or import the certificate you are going to use. You can find more information on how to set up the certificates here: http://technet.microsoft.com/en-us/library/cc754499.aspx.

Second, get the thumbprint by opening the certificate, clicking the Details tab, and scrolling to the bottom. Keep in mind that the command-line tool assumes there are no spaces in the thumbprint.

Third, sign the file with rdpsign.exe. You can find more information on the command-line use of the tool here: http://technet.microsoft.com/en-us/library/cc753982.aspx. This signs the RDP file, but when you double-click it, the mstsc dialog box opens with incorrect settings. This is because mstsc tries to read the file as ASCII while it is encoded in Unicode. This bug has been fixed in the next release of Windows 7.

Finally, to fix this encoding issue, save the VBScript below and run it on the signed file (for example: "fixsignRdp.vbs mySignedFile.rdp"). The script reads the file in as Unicode and writes it back out with the Unicode byte-order mark. The RDP file is then signed and ready for anyone to use.
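As an added example (not from the original post and not part of rdpsign.exe), here is the same byte-order-mark repair in Python, plus a check you can run on a signed file before distributing it. It assumes the signed file carries a signscope line naming the covered settings and a signature line; the sample content and the signature value are constructed placeholders.

```python
import codecs
import re

# Constructed sample of what rdpsign.exe wrote on the affected builds:
# UTF-16LE text WITHOUT a byte-order mark. The signature value is a
# placeholder, not a real signature blob.
SIGNED_NO_BOM = (
    "full address:s:rds01.example.test\r\n"
    "server port:i:3389\r\n"
    "signscope:s:Full Address,Server Port\r\n"
    "signature:s:PLACEHOLDER-SIGNATURE-BLOB\r\n"
).encode("utf-16-le")

BOM = codecs.BOM_UTF16_LE

def add_unicode_bom(data: bytes) -> bytes:
    """Same repair as fixsignRdp.vbs: prefix the UTF-16 BOM if it is absent."""
    return data if data.startswith(BOM) else BOM + data

def parse_rdp(data: bytes) -> dict:
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name.
    A headerless file is decoded the way mstsc did (as ASCII): every
    character is then followed by a NUL and no line matches the pattern."""
    if data.startswith(BOM):
        text = data[len(BOM):].decode("utf-16-le")
    else:
        text = data.decode("ascii", errors="replace")
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([si]):(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings

def check_signed_rdp(data: bytes) -> list:
    """Pre-distribution check: return a list of problems (empty = ready)."""
    problems = []
    if not data.startswith(BOM):
        problems.append("missing UTF-16 byte-order mark")
    settings = parse_rdp(data)
    if "signature" not in settings:
        problems.append("no signature line")
    scope = [s.strip().lower() for s in settings.get("signscope", "").split(",")
             if s.strip()]
    if not scope:
        problems.append("no signscope line")
    # every setting the signature covers must actually be present in the file
    problems += [f"signed setting '{n}' absent" for n in scope if n not in settings]
    return problems
```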

Update: The encoding issue has been fixed in Windows Server 2008.  See this hotfix.

Cheers,
Kevin London

fixsignRdp.vbs

' rdpsign.exe (on the affected builds) writes the signed file as Unicode
' (UTF-16) but without the byte-order mark, so mstsc reads it as ASCII.
' Reading the file as Unicode and writing it back with the Unicode format
' flag makes the FileSystemObject emit the missing header.

Option Explicit

Const ForReading = 1
Const ForWriting = 2
Const TristateTrue = -1   ' open the file as Unicode

Dim argCount: argCount = WScript.Arguments.Count

If (argCount < 1) Then
    WScript.Echo "Usage: fixsignRdp.vbs <signedFile.rdp>"
    WScript.Quit 1
End If

Dim path, fso, rdpFile, rdpContents
path = WScript.Arguments(0)

Set fso = CreateObject("Scripting.FileSystemObject")

If Not fso.FileExists(path) Then
    WScript.Echo "File not found: " & path
    WScript.Quit 1
End If

' Read the whole file as Unicode (the content is already UTF-16, just headerless)
Set rdpFile = fso.OpenTextFile(path, ForReading, False, TristateTrue)
rdpContents = rdpFile.ReadAll()
rdpFile.Close

' Rewrite it as Unicode; this time the byte-order mark is written
Set rdpFile = fso.OpenTextFile(path, ForWriting, False, TristateTrue)
rdpFile.Write rdpContents
rdpFile.Close


  • It's really nice information about signing an RDP file.

    But after signing the RDP file and executing the VBS file, if we run the signed RDP file on any machine having a lower version of mstsc, it gets some ASCII characters in front of the IP address.

    Can you guide on this issue?

  • @Pv:

    Can you tell us what the exact version is of the “lower version of mstsc”?

    Also, could you send us one of the signed RDP files so we can look at it? You can e-mail it to tstmblog (at) microsoft.com

    Thanks,

    Rob [MSFT]

  • We have signed the RDP file on Server 2008 and deployed that RDP file on various computers.

    Computers which have mstsc version 6.0 or above are able to connect to the server directly without any problem and with the security certificate.

    But computers having mstsc version 5.2 are not able to connect. In this case, there are some ASCII characters added after the IP address, so it can't connect to the specified server.

    Thanks

    Pratik

  • RDP team,

    How does one generate or issue an RDP-signing certificate?

    I understand how to generate and issue SSL and code signing certificates, either in a private enterprise CA or through a public CA. But what about this mysterious "RDP signing certificate"? Is there a template for it in certificate management (I can't find it)? Is there an MSDN article on this type of certificate (I can't find it)?

    Thanks!!!

    (You can respond to janderse At g mail.com as well)

    -Jon

  • Is this still an issue? I am signing RDP files and am not seeing any problems. Does this only affect certain RDC versions?

  • @KG. The encoding issue is now fixed.

  • Any word on when signing will work on Server 2008 R2 SP1 with RDP 8.0? Now signing produces a corrupt rdp file.

    -Kevin

  • Hi folks,

    I also burned a lot of time over this stuff.

    What I found out (after finding the following page: technet.microsoft.com/.../cc754499.aspx) was that you not only need to enter your thumbprint in CAPS, but you also need to perform this function in an elevated command prompt.

    That was something I overlooked, and it ultimately caused me to lose many hours on this.

    So, here's a recap:

    1. Open an *elevated* command prompt session

    2. Type rdpsign /sha1 THUMBPRINT-IN-CAPS your-rdp-file.rdp

    3. You should be all set.

    Cheers,

    George
