This blog post is intended for Remote Desktop Gateway (RD Gateway) users who want to turn on certificate revocation checking on the RD Gateway client as a security best practice.
An RD Gateway server is configured with a server authentication certificate that is used for authenticating and securing the communication between the RD Gateway client and the RD Gateway server. To learn more about certificates on RD Gateway, see the blog Introduction to TS Gateway certificates.
To help maintain the integrity of an organization's public key infrastructure (PKI), the administrator of a certification authority (CA) must revoke a certificate if the subject of the certificate leaves the organization, if the certificate subject's private key has been compromised, or if some other security-related event dictates that it is no longer desirable to have a certificate considered valid. When a certificate is revoked by a CA, it is added to that CA's certificate revocation list (CRL). To learn more, see the TechNet article Revoking certificates and publishing CRLs.
By default, the RD Gateway client is not configured to check whether the certificate installed on the RD Gateway server has been revoked. If you want your RD Gateway clients to check for certificate revocation and proceed with the connection only if the server certificate is not revoked, run the following command at a command prompt on the RD Gateway client computer:
reg add "HKCU\Software\Microsoft\Terminal Server Gateway\Transports\Rpc" /v CheckForRevocation /t REG_DWORD /d 1
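The same setting applied from PowerShell, as an added example that is not part of the original post: it creates the key if it is missing, writes the value, and reads it back to confirm the change took effect. It assumes only the registry path and value name shown in the reg add command above.

```powershell
# Added example (not from the original post): enable RD Gateway client
# certificate revocation checking idempotently and verify the result.
# Assumes the registry path and value name from the reg add command above.

$KeyPath   = 'HKCU:\Software\Microsoft\Terminal Server Gateway\Transports\Rpc'
$ValueName = 'CheckForRevocation'

function Get-RdGatewayRevocationCheck {
    # Returns $true only when CheckForRevocation exists and is set to 1;
    # a missing key, missing value, or any other value means checking is off.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Enable-RdGatewayRevocationCheck {
    # reg add creates missing parent keys implicitly; New-Item needs -Force for that.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # REG_DWORD 1 = check the server certificate against the issuing CA's CRL.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    # Read the value back rather than trusting that the write succeeded.
    if (-not (Get-RdGatewayRevocationCheck)) {
        throw "Failed to enable $ValueName under $KeyPath"
    }
}

if (Get-RdGatewayRevocationCheck) {
    Write-Host "Revocation checking is already enabled for the current user."
} else {
    Enable-RdGatewayRevocationCheck
    Write-Host "Revocation checking enabled under $KeyPath."
}
```

Because the value lives under HKCU, it applies only to the user who runs the script; to cover every user of a client computer, deliver it through a logon script or Group Policy Preferences instead.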