PeteNetLive - KB944 - Windows Server 2012 - Secure RDP Access

RDP on Server 2012

Rdp / October 16, 2016

This post will show you how to deploy a Remote Desktop Session Host (RDSH) in a workgroup (non-domain).

This deployment is session based and will allow the use of desktop sessions. The downside to having a non-domain-joined session host is that you will need to create users on the host and configure local Group Policy to restrict user access.

I have deployed a single server (non-domain-joined) with Server 2012 R2.

Configuring the FQDN

As this is a workgroup server (non-domain), you will need to configure the Fully Qualified Domain Name.

This can be done under System Properties.


We are going to deploy the RDS 2012 Session Host role and the RDS Licensing role.

This image shows the roles and features that have been installed; as you can see, the Session Host and Remote Desktop roles are shown as installed.

Adding the RDSH Certificate

First, you will need to import your certificate into the Local Computer, Personal folder as shown in the screenshot.

Before the RDSH server is configured, you will see a warning when connecting stating that the certificate is untrusted.

This is because the RDSH listener configuration is stored in WMI, in the Win32_TSGeneralSetting class in the root\cimv2\TerminalServices namespace. You will need to replace the default certificate using the following commands.

First, you will need to find the certificate thumbprint.

You can also use PowerShell to find the Thumbprint:

Get-ChildItem Cert:\LocalMachine\My

Run one of the following commands to apply the new certificate to the Win32_TSGeneralSetting instance for the RDP-Tcp listener:

Command Prompt:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="Thumbprint"

PowerShell Cmd:

$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\TerminalServices -Filter "TerminalName='RDP-Tcp'").__PATH
Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="THUMBPRINT"}
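The two-line PowerShell command above applies the thumbprint blindly. The script below is an added example (not from the original post or from Microsoft) that checks the certificate before binding it and reads the listener setting back afterwards; it assumes it is run elevated on the RDSH itself and that $Thumbprint is replaced with your own value.

```powershell
# Added example: validate a certificate, bind it to the RDP-Tcp listener, verify the result.
# Assumes an elevated PowerShell session on the session host. $Thumbprint is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Thumbprints copied from the certificate dialog often carry spaces; normalise them.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
$ns = 'root\cimv2\TerminalServices'

# 1. The certificate must sit in Local Computer\Personal and have a private key, or the
#    listener cannot use it for TLS even though the WMI call itself will succeed.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate $Thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. The name clients connect to must match the certificate, otherwise they still get the
#    'untrusted' warning. On a workgroup host this is the FQDN set in System Properties.
try   { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
catch { $fqdn = $env:COMPUTERNAME }
$dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if ($dnsNames -notcontains $fqdn) {
    Write-Warning "Certificate names ($($dnsNames -join ', ')) do not include this host's FQDN $fqdn"
}

# 3. Bind the certificate to the RDP-Tcp listener, as the post's command does.
$listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns -Filter "TerminalName='RDP-Tcp'"
Write-Host "Listener currently presents: $($listener.SSLCertificateSHA1Hash)"
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null

# 4. Read the value back instead of trusting that the call took effect.
$applied = (Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns `
            -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
if ($applied -ne $Thumbprint) { throw "Listener still reports $applied after the change" }
Write-Host "RDP-Tcp listener now presents $($cert.Subject) ($Thumbprint)"
```

Existing sessions keep the old certificate; new connections pick up the bound one without a restart of the Remote Desktop Services service.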


You will need to configure licensing to allow multiple users to connect via sessions.

Adding Users

Add the users under Computer Management, Local Users and Groups.

Add the users to the Remote Desktop Users group.

You can also do this in Server Manager under Local Computer.

As you are connecting to the RDSH host with local accounts, log on as local\username.

Applying Security

As you can see from the screenshots, users cannot install roles and features or modify Group Policy without administrator permissions. I would recommend configuring local Group Policy to lock down remote users, as you would in a domain. You can access the Local Group Policy Editor via MMC by adding the Group Policy Object Editor snap-in.

Administering sessions

In the Group Policy Editor, I have set the idle limit on the sessions so that if users are inactive for over an hour their session will be terminated.

By right-clicking on the user, you get a number of options, including disconnecting the user, signing them off, sending messages, and Connect, which allows you to connect to a user's session. You will need to be the user in question to do this.

When users are finished with their sessions they simply sign out, or they can disconnect. There is no option to shut down the server for remote session users.
