代码之家  ›  专栏  ›  技术社区  ›  Prescott Chartier

RDP无法通过PCI-DSS扫描

  •  1
  • Prescott Chartier  · 技术社区  · 6 年前

    由于设置RDP时Microsoft Server(2012 R2)生成的默认自签名证书,RDP未能通过PCI-DSS扫描(端口3389),我遇到了一个问题。我需要将RDP配置为使用受信任的证书。我该怎么做?我找不到任何东西可以解释这是怎么做的。

    右/

    1 回复  |  直到 6 年前
        1
  •  0
  •   Prescott Chartier    6 年前

    非常感谢Ait.Com的支持人员帮我解决了这个问题。以下步骤是针对Windows Server 2012 r2的,不能说它适用于任何其他版本。

    Right click on Windows icon on bottom left and select Run
    Enter "gpedit.msc" & hit Enter or click OK
    You will see the Group Policy Editor window, on left pane select:
    Computer Configuration ->
    Administrative Template ->
    Windows Components ->
    Remote Desktop Services ->
    Remote Desktop Session Host ->
    Security
    Under Security we will change the following settings:
    Server authentication certificate template: Select Enabled
    inside the input box, enter TLS 1.2 click Apply and OK to close the window
    Set client connection encryption level: Select Enabled and on Encryption level dropdown select High Level
    Require use of specific security layer for remote (RDP) connections: Select Enabled and on Security layer dropdown select SSL
    Require user authentication for remote connections by using Network Level Authentication: Select Enabled
    Install the verified TLS 1.2 certificate you bought from a certificate authority:
    Right click on Windows icon on bottom left and select Run
    Enter MMC & hit Enter or Click OK, a Console1 window will appear
    On File menu select Add/Remove snap-in...
    Select Certificates on left pane & click the Add button at the center
    Select Computer Account & click Next
    Select Local Computer & click finish
    On left pane select Certificates (Local Computer) -> Personal
    Inside Personal folder, you may or may not find a Certificates subfolder, but its ok in either case
    If not already, we will import the TLS 1.2 certificate here inside Personal folder Right click -> All Tasks -> Import
    By default, Local Machine is selected, click Next
    Browse the file path and select the file here, click Next
    Enter Password for the certificate & click Next
    Select Place All certificates in the following Store, Click Browse to Select Personal folder, we can also select Remote Desktop folder here but only one is required...
    Click Next and Click Finish
    You should see your certificate inside Personal -> Certificates or Remote Desktop -> Certificate folder (whichever you selected)
    Run these commands in power-shell (replace #YourHash# with your Thumbprint from the notepad). run these commands in each line one after the other. PowerShell should show a message that all went successful
    $TSGeneralSetting = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'" 
    $Hash = "#YourHash#"
    $TSGeneralSetting.SSLCertificateSHA1Hash = $Hash
    $TSGeneralSetting.put() 
    
    推荐文章