You can use a digital signature to sign .rdp files. When you sign .rdp files with trusted certificates, your clients can verify that important settings, such as which server to connect to, haven't changed since the .rdp file was created.
This enables clients to recognize your organization as the source of the RemoteApp program or the remote desktop connection, and allows them to make more informed trust decisions about whether to start the connection.
The following error is displayed if someone opens a signed .rdp file that has been edited manually:
So what do you have to do to sign a .rdp file?
First: Create your .rdp file
Second: Get your certificate's thumbprint
Third: Sign your .rdp file by using rdpsign.exe
Create a .rdp file
A .rdp file is basically a simple text file, filled with parameters, that defines the connection settings for a Remote Desktop or RemoteApp session. You can easily edit, copy and distribute it.
Basically you can create a .rdp file with Notepad and add the standard parameters. However, to do this you have to know all the parameters.
The simplest way is to run TSX Connection (tstsc.exe), configure your basic settings and save the file. You can also use Microsoft's Remote Desktop Client (mstsc.exe).
Thinstuff has developed TSX Connection as a remote connection client that allows you to configure, change and save Remote Desktop connections as well as RemoteApp connections.
Microsoft's Remote Desktop Client does not offer a way to configure or activate RemoteApp connections.
You can download TSX Connection from here.
The download also includes the TSX Connection Manager. With this tool you can manage all your Remote Desktop and RemoteApp connections in a graphical user interface and export and import them easily.
After the download, install the package and launch TSX Connection.
Now customize all required fields to your needs.
The following two fields in the General tab are required: Connection Type and Computer.
Now save your .rdp file. Please remember the path where you've saved it!
Get your certificate's thumbprint
The next step is to import your certificate and get your certificate's thumbprint. This step requires a valid .pfx certificate (either self-signed or CA-signed) and the export password from the .pfx file.
Manage Certificates with the Management Console
- Open your Management Console (Start -> Run -> type in "mmc.exe")
- Go to File -> "Add/Remove Snap-in" or use the shortcut Ctrl+M
- Now select "Certificates" and click on "Add"
- Choose "My user account" to manage your personal certificates. After that click on "Finish"
- Now confirm with "OK"
Import your Certificate
- Go to Action -> All Tasks -> Import
- The 'Certificate Import Wizard' window appears; click on 'Next'
- Now click on 'Browse' and choose 'Personal Information Exchange .pfx, .p12' as file type.
- Select your certificate and click on 'Open'
- Click on 'Next'
- Type in the export password which you entered when creating the .pfx file and click on 'Next'
- Select 'Personal' as certificate store and click on 'Next'
- Click on 'Finish' to complete the import process.
Get your certificate's thumbprint
- To get the certificate's thumbprint please do the following:
- Navigate to 'Certificates - Current User' -> Personal -> Certificates and double-click your recently imported certificate
- Switch to the 'Details' tab and locate the field 'Thumbprint'
- Now select the thumbprint, copy it and paste it in your notepad.exe
- To use rdpsign.exe you have to remove all blank spaces from your thumbprint. Go to File -> Replace (Ctrl+H) in Notepad, enter a blank space in the 'Find what:' field, leave 'Replace with:' empty and click on 'Replace All'
- Select your thumbprint and copy it
More information about certificates and cryptography can be found on wikipedia.com:
We used e.g. 'openssl' to create the .cert/.pfx certificate - www.openssl.org
Sign your .rdp file
After you have created your .rdp file and copied the certificate's thumbprint (without blank spaces) you can sign your .rdp file.
Now open a command prompt as Administrator and use the following command:
rdpsign [options] [items to sign]
- As option use /sha1 and then paste your thumbprint (without blank spaces). Now remove the first character, which shows up as a '?' (an invisible character that is copied along with the thumbprint from the certificate dialog)
- Enter the path of your .rdp file instead of [items to sign]
C:\Windows\system32>rdpsign /sha1 f9f89d00ec0ra2d5da259h7990144df53b413efb c:\Server01.rdp
After you have executed the command, the following will be displayed:
All rdp file(s) have been successfully signed.
If you now open your .rdp file, a trust dialogue will be displayed:
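As an added example (not part of the original article and not code from rdpsign or Thinstuff), the Python below handles two defender-side chores from this page: it normalises a thumbprint pasted from the certificate dialog, dropping the blank spaces and the stray leading character the article tells you to remove, and it parses an .rdp file to report which security-relevant settings fall outside the file's signscope, since a setting the signature does not cover can be changed without the trust dialogue noticing. The mapping of .rdp keys to signscope display names and the two sample files are assumptions constructed for this example.

```python
import re
# Security-relevant settings: .rdp key -> display name as listed in signscope.
# (This display-name mapping is an assumption, taken from signed files seen in practice.)
CRITICAL = {
    "full address": "Full Address",
    "alternate full address": "Alternate Full Address",
    "gatewayhostname": "GatewayHostname",
    "alternate shell": "Alternate Shell",
    "remoteapplicationprogram": "RemoteApplicationProgram",
}

def clean_thumbprint(pasted: str) -> str:
    """Drop blank spaces and the invisible leading mark copied from the certificate
    dialog, and insist on exactly 40 hex digits (SHA-1) so a bad paste fails loudly."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", pasted)
    if len(digits) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(digits)}")
    return digits.lower()

def parse_rdp(data: bytes) -> dict:
    """Parse 'key:type:value' lines; .rdp files are usually UTF-16 with BOM, else UTF-8."""
    bom16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16") if bom16 else data.decode("utf-8-sig")
    settings = {}
    for line in text.splitlines():
        parts = line.split(":", 2)  # the value itself may contain ':' (e.g. a base64 signature)
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2]
    return settings

def unsigned_critical_settings(settings: dict) -> list:
    """Critical settings present in the file that no signature covers (empty = all covered)."""
    present = [key for key in CRITICAL if key in settings]
    if "signature" not in settings or "signscope" not in settings:
        return present  # unsigned file: every critical setting can be changed unnoticed
    scope = {name.strip().lower() for name in settings["signscope"].split(",")}
    return [key for key in present if CRITICAL[key].lower() not in scope]

# Constructed sample files; the signature value is a placeholder, not a real PKCS#7 blob.
SIGNED_RDP = (
    "full address:s:server01.example.com\r\n"
    "alternate shell:s:||notepad\r\n"
    "signscope:s:Full Address,GatewayHostname\r\n"
    "signature:s:PLACEHOLDER\r\n"
).encode("utf-16")
UNSIGNED_RDP = b"full address:s:server01.example.com\r\nscreen mode id:i:2\r\n"
if __name__ == "__main__":
    print(unsigned_critical_settings(parse_rdp(SIGNED_RDP)))    # ['alternate shell']
    print(unsigned_critical_settings(parse_rdp(UNSIGNED_RDP)))  # ['full address']
```

The check covers signature scope only; the PKCS#7 signature itself is verified by the Remote Desktop client when the file is opened.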