How to make the RDP PCI DSS Compliant with TLS 1.2 - Windows Server 2012, R2 and 2016

PCI DSS is must require for companies that accept card payments. It recommends the best practices for server security for almost every service which can be accessed remotely from the server. RDP Encryption is not good enough alone, we will have to change the server defaults and remove any backward compatibility which is not recommended by the PCI compliance.

On this page I'm going to start from basics but will cover almost every point. First of all, its recommend to change Server defaults including the default Administrator username (as a safety from brute force attack), strict password policy, disable backward compatibility using Security Policy and enforce NTLM authentication with Encryption certificate template for TLS 1.2

PCI compliance require a verified TLS 1.2 certificate from an authority which we will setup using MMC and PowerShell and In the end we will verify TLS 1.2 certificate implementation using Microsoft Message analyzer

Steps to Change default Administrator username:

  • Right click on Windows icon on bottom left and select "Computer Management".
  • On the left pane select "Local Users and Group"
  • Select "Users" folder
  • Right click on the "Administrator" account and rename it to something uncommon, do not use any guessable name for any of the Windows account.
Strict Password Policy:
  • Right click on Windows icon on bottom left and select Run
  • Enter "SecPol.msc" & hit Enter or click OK
  • On left pane select "Account Policies", here you will see two more folders i.e. "Password Policy" and "Account Lockout Policy", you can setup values as per your discretion
Disable any backward compatibility:
  • Enter "SecPol.msc" & hit Enter or click OK, on left pane select "Local Policies"
  • Under "Security Options", change the following options to the give values:
    1. Network Security: LAN Manager authentication leve: change it to Send NTLMv2 response only. Refuse LM & NTLM
    2. Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients: Select both the options here
    3. Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers: Select both the options here
    4. Network Security: Restrict NTLM: Auditing for Incoming NTLM traffic: change it to Enable auditing for all accounts
NTLM authentication & TLS 1.2 certificate template Setup using Group Policy:
  • Right click on Windows icon on bottom left and select Run
  • Enter "gpedit.msc" & hit Enter or click OK
  • You will see the Group Policy Editor window, on left pane select:
    Computer Configuration ->
    Administrative Template ->
    Windows Components ->
    Remote Desktop Services ->
    Remote Desktop Session Host ->
    Security
  • Under Security we will change the following settings:
    1. Server authentication certificate template: Select Enabled
      inside the input box, enter TLS 1.2 click Apply and OK to close the window
    2. Set client connection encryption level: Select Enabled and on Encryption level dropdown select High Level
    3. Require use of specific security layer for remote (RDP) connections: Select Enabled and on Security layer dropdown select SSL
    4. Require user authentication for remote connections by using Network Level Authentication: Select Enabled
Install the verified TLS 1.2 certificate you bought from a certificate authority:
  • Right click on Windows icon on bottom left and select Run
  • Enter MMC & hit Enter or Click OK, a Console1 window will appear
  • On File menu select Add/Remove snap-in...
  • Select Certificates on left pane & click the Add button at the center
  • Select Computer Account & click Next
  • Select Local Computer & click finish
  • On left pane select Certificates (Local Computer) -> Personal
  • Inside Personal folder, you may or may not find a Certificates subfolder, but its ok in either case
  • If not already, we will import the TLS 1.2 certificate here inside Personal folder Right click -> All Tasks -> Import
  • By default, Local Machine is selected, click Next
  • Browse the file path and select the file here, click Next
  • Enter Password for the certificate & click Next
  • Select Place All certificates in the following Store, Click Browse to Select Personal folder, we can also select Remote Desktop folder here but only one is required...
  • Click Next and Click Finish
  • You should see your certificate inside Personal -> Certificates or Remote Desktop -> Certificate folder (whichever you selected)
  • Double click the certificate you want Remote Desktop to use and Click the Details tab
  • Select All under Show: and scroll down to the Thumbprint field and select the Thumbprint field.
  • Copy the text of the hash, paste it in a notepad and remove all spaces from your copied hash
  • Open PowerShell as an Administrator
  • Run these commands in power-shell (replace #YourHash# with your Thumbprint from the notepad). run these commands in each line one after the other. PowerShell should show a message that all went successful
    $TSGeneralSetting = Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
    $Hash = "#YourHash#"
    $TSGeneralSetting.SSLCertificateSHA1Hash = $Hash
    $TSGeneralSetting.put()

  • If PowerShell gave you any issue than ignore the above command and try these one below in Command Prompt (Admin):
  • wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="#YourHash#"

  • You can also try these below commands in PowerShell if you only have one certificate in personal folder in computer store, this will pick up the 1st certificate hash value and use it for RDP
  • $tsgs = gwmi -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
  • $thumb = (gci -path cert:/LocalMachine/My | select -first 1).Thumbprint
  • swmi -path $tsgs.__path -argument @{SSLCertificateSHA1Hash="$thumb"}

  • Note: Source for the above commands is serverfault
Verify the TLS 1.2 certificate implementation using Microsoft Message analyzer:
  • Run these commands in Command Prompt (Admin) on a client computer, replace #ServerIP# with server's IP address:
    C:\Windows\System32> netsh trace start capture = yes ipv4.address = #ServerIP#
    C:\Windows\System32> mstsc -v #ServerIP#
    C:\Windows\System32> netsh trace stop
    Tracing session was successfully stopped.
  • You will get the Trace File location as a filepath to \NetTrace.etl
  • Open the saved NetTrace.etl file in Microsoft Message analyzer and look for the Client Handshake inside the Module column against TLS value
  • Expand the details below and you should see Version: TLS 1.2
Furthermore, but not a requirement by PCI compliance:
  • Install an Intrusion Detection System on your server, I recommend ServerCloak
  • Set Firewall policy to allow RDP, FTP and other development team access to authorized IP address only.