In my lab, I’ve created a ‘Remote Desktop Computer’ certificate template and enabled it to be autoenrolled via Group Policy. This article has a great walk-through of the entire process and more: RDP TLS Certificate Deployment Using GPO. Some articles will walk through this configuration and recommend removing the Server Authentication policy however, the certificates will then not work on non-Windows clients. This was key for OS X clients - both of these policies must exist.
To configure a certificate for use with Remote Desktop Services (or RDP into any Windows PC), you’ll need to create a new certificate template and enable both the Server Authentication and the Remote Desktop Authentication application policies. Using certificates in Remote Desktop Services.Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services (Part 2 of 2).Enterprise PKI with Windows Server 2012 R2 Active Directory Certificate Services (Part 1 of 2).I won’t cover installing and configuring an enterprise certificate authority here however, here are a number of articles worth reading on this topic: The new Remote Desktop Universal app on Windows 10:Īnd the Remote Desktop client on OS X 10.11: First up the original Remote Desktop Connection (mstsc) on Windows: Here are the client certificate warnings on various Microsoft Remote Desktop clients, including OS X.
Client Warnings for Untrusted Certificates While I may only be configuring certificates in my lab environment, there’s not much effort required to remove these certificate warnings. To get OS X clients to accept the certificate takes a little extra configuration not required on Windows clients. An environment with an enterprise certificate authority can enable certificate autoenrollment to enable trusted certificates on the RDP listener, thus removing the prompt.
When connecting to a Windows PC, unless certificates have been configured, the remote PC presents a self-signed certificate, which results in a warning prompt from the Remote Desktop client. Because of that, companies should implement information security policies to give employees guidance on when they can use it.Windows has supported TLS for server authentication with RDP going back to Windows Server 2003 SP1. While remote access can be a convenient tool, having it enabled can increase your risk exposure. Uncheck the boxes next to Remote Login and Remote Management. Click the Apple icon > System Preferences, then click the Sharing icon.Ģ. Once bugs like this get identified developers can issue patches, which still requires a user to ensure those security updates get installed or they’ve turned on auto-updates for security patches. Security researchers actually discovered a vulnerability in Apple computers for enterprise companies that allowed them to remotely hack a brand new Mac the first time it connected to Wi-Fi. The remote access option being left on all the time just leaves you and your company more vulnerable to a potential attack. The security of your laptop is determined by reducing the “surface area of attack” by malicious actors. But leaving this feature on could be negligent. This is a convenient tool in certain situations where you might not be able to physically access your computer. Remote access for your macOS is convenient because it allows a user to access your laptop using your administrator login and password.