2

I'm securing RDP by adding my SSL cert to my Windows host and of course, I'm working on scripting everything. I've got it 99% complete, the only step I can't figure out how to script is relating to permissions.

Eg: https://superuser.com/questions/1093159/how-to-provide-a-verified-server-certificate-for-remote-desktop-rdp-connection/1093160#1093160

1.Start > Run > mmc

2.File > Add Remove Snap-in > Certficates > Add > Computer Account > Local Computer > OK

3.In the left-hand window right-click on Certificates (Local Computer)Personal, choose All Tasks/Import…

4.Locate the pfx file and import it, I suggest that for security reasons you don’t make it exportable.

5.Expanding your Personal/Certificates you should now see 3 certificates, one of which is your site certificate (e.g. mysite.com). Right-click on this site certificate and right-click, choose All Tasks / Manage Private Keys…

6.Add user ‘NETWORK SERVICE’ with Read permission only (not Full Control), then Apply

7.Close mmc

I'm trying to script step 6 in this guide. Does anybody have any ideas where to start?

FreeSoftwareServers
  • 515
  • 1
  • 8
  • 26

1 Answers1

2

There are 2 methods actually that I found to get this working. Of course the better answer came from StackOverflow and not Microsoft.

You can use winhttpcertcfg.exe which must be downloaded separately as it doesn't come with Windows. Another issue was it granted Full Control permissions when only Read was needed. I found no way to rectify this, but in my search I found a better way.

This command will grant NETWORK SERVICE READ Permissions to all files in the SSL Cert directory:

icacls.exe "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*" /grant "NETWORK SERVICE":R

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server

https://docs.microsoft.com/en-us/windows/win32/winhttp/winhttpcertcfg-exe--a-certificate-configuration-tool

https://blogs.technet.microsoft.com/operationsguy/2010/11/29/provide-access-to-private-keys-commandline-vs-powershell/

https://stackoverflow.com/questions/1678584/winhttpcertcfg-giving-access-to-iis-user-in-windows-7

FreeSoftwareServers
  • 515
  • 1
  • 8
  • 26
  • 1
    I spent a whole day trying to track down a problem where I could read from the Certificate Store when using a console app but not a web app, this finally did the trick! – Wildcat Matt Jun 02 '23 at 19:44