Should Remote Desktop use a dedicated certificate template?

Solution 1:

Automatic Certificate Request Settings (ACRS) only enrolls V1 certificate templates (Windows 2000 only supported this method). These are inflexible.

In general, any certificate including an EKU of Server Authentication (and containing a subject and/or SAN containing the DNS name the RDP client is validating against) should be usable for Remote Desktop-class certificates.

Should you use a separate certificate? It depends on the security profile of the certificates you're deploying to the machine.

  • If the key isn't useful for other things, then it doesn't really matter.
  • If you were going to give every client 2 certificates anyway, it might not matter.
  • If your RDP auth profile is significantly different from every other certificate provided to the device, it's worth keeping it as a different certificate type.
  • If you're providing certificates for another purpose as well - like SCCM authentication and management, or VPN, or both - could those other Client Authentication certificates be combined with Server Authentication to produce an all-in-one device certificate?
    • Again, key trade-offs: more certificates may mean more management; fewer may be easier to manage, but evaluate security capabilities and trade-offs carefully.
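As an added example, not code from the original answer: a PowerShell check of the certificate the RDP-Tcp listener is actually bound to, against the two properties the answer names (a Server Authentication EKU and a Subject/SAN carrying the DNS name the client validates), plus which template, if any, issued it. It assumes it runs elevated on the RDP host and that the client validates the host's FQDN; the function name is my own.

```powershell
# Added example: report whether the RDP-Tcp listener certificate is usable for RDP
# per the criteria above. Assumption: run elevated on the RDP host itself.
function Test-RdpListenerCertificate {
    param(
        # Assumed default: clients connect using the host's FQDN.
        [string]$ExpectedDnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'                    # id-kp-serverAuth
    $templateOids  = '1.3.6.1.4.1.311.20.2',                 # V1 template name
                     '1.3.6.1.4.1.311.21.7'                  # V2+ template information

    # The listener records the SHA1 thumbprint of its certificate in WMI.
    $listener = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $listener.SSLCertificateSHA1Hash

    # The default self-signed cert lives in "Remote Desktop"; CA-issued ones in My.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $thumb; Found = $false }
    }

    # EKU check: Server Authentication must be asserted. A certificate with no EKU
    # extension at all is treated by Windows as valid for any purpose; flag it.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasServerAuth = $ekus -contains $serverAuthOid

    # Name check: SAN dNSName entries first, Subject CN as fallback.
    # Exact match only; wildcard SANs are not expanded here.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $cn = ($cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1)
    if ($cn) { $names += ($cn.Trim() -replace '^CN=', '') }
    $nameMatches = $names -contains $ExpectedDnsName

    # Template extension tells you whether it came from a template, and which one.
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1

    [pscustomobject]@{
        Thumbprint       = $thumb
        Found            = $true
        Subject          = $cert.Subject
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        Template         = if ($tmplExt) { $tmplExt.Format($false) } else { '(none: not template-issued)' }
        HasServerAuthEku = $hasServerAuth
        NoEkuExtension   = ($ekus.Count -eq 0)
        NamesPresented   = $names
        NameMatches      = $nameMatches
        UsableForRdp     = ($hasServerAuth -or $ekus.Count -eq 0) -and $nameMatches
    }
}

Test-RdpListenerCertificate
```

A `NoEkuExtension` of `$true` or a `Template` of `(none: not template-issued)` usually means the listener is still on the auto-generated self-signed certificate rather than one from your CA.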