I'm securing RDP by adding my SSL cert to my Windows host and of course, I'm working on scripting everything. I've got it 99% complete, the only step I can't figure out how to script is relating to permissions.
1. Start > Run > mmc
2. File > Add/Remove Snap-in > Certificates > Add > Computer Account > Local Computer > OK
3. In the left-hand window right-click on Certificates (Local Computer)\Personal, choose All Tasks / Import…
4. Locate the pfx file and import it; I suggest that for security reasons you don't make it exportable.
5. Expanding Personal/Certificates you should now see 3 certificates, one of which is your site certificate (e.g. mysite.com). Right-click on this site certificate, choose All Tasks / Manage Private Keys…
6. Add user 'NETWORK SERVICE' with Read permission only (not Full Control), then Apply
7. Close mmc
I'm trying to script step 6 in this guide. Does anybody have any ideas where to start?
There are 2 methods actually that I found to get this working. Of course the better answer came from StackOverflow and not Microsoft.

You can use winhttpcertcfg.exe, which must be downloaded separately as it doesn't come with Windows. Another issue was it granted Full Control permissions when only Read was needed. I found no way to rectify this, but in my search I found a better way. This command will grant NETWORK SERVICE Read permissions to all files in the SSL Cert directory:

https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/appv-v4/how-to-modify-private-key-permissions-to-support-management-server-or-streaming-server
https://docs.microsoft.com/en-us/windows/win32/winhttp/winhttpcertcfg-exe--a-certificate-configuration-tool
https://blogs.technet.microsoft.com/operationsguy/2010/11/29/provide-access-to-private-keys-commandline-vs-powershell/
https://stackoverflow.com/questions/1678584/winhttpcertcfg-giving-access-to-iis-user-in-windows-7
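The following is an added example, not the original poster's script nor anything from the linked pages. It scripts step 6 of the question (the "Manage Private Keys" dialog) the way the technet link above describes: find the certificate's private key file on disk and put a Read-only ACE for NETWORK SERVICE on it with Get-Acl/Set-Acl, then verify that the identity ended up with Read and nothing broader. It assumes an elevated PowerShell session, a certificate already imported into Cert:\LocalMachine\My whose thumbprint you pass in (the -Thumbprint parameter is a placeholder you fill in), and a machine key stored under %ProgramData%\Microsoft\Crypto, which is the default location for both CAPI (RSA\MachineKeys) and CNG (Keys) machine keys. The function names are my own.

```powershell
# Added example (not the original poster's code): grant NETWORK SERVICE Read, not Full Control,
# on the private key of a LocalMachine\My certificate, then verify the resulting ACL.
# Assumes: elevated session; cert already imported; key file under %ProgramData%\Microsoft\Crypto.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,          # placeholder: your cert's thumbprint
    [string] $Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

$ErrorActionPreference = 'Stop'

function Get-PrivateKeyFile {
    # Resolve the on-disk key file that the MMC "Manage Private Keys" dialog edits the ACL of.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI/CSP key: the container's unique name is the file name.
        $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key (or a CAPI key opened through NCrypt): the same name is exposed on the key handle.
        $uniqueName = $rsa.Key.UniqueName
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }

    # Search both the CAPI (RSA\MachineKeys) and CNG (Keys) directories instead of hard-coding one.
    $keyFile = Get-ChildItem -Path (Join-Path $env:ProgramData 'Microsoft\Crypto') -Recurse -File -Filter $uniqueName |
        Select-Object -First 1
    if (-not $keyFile) { throw "Key file '$uniqueName' not found under $env:ProgramData\Microsoft\Crypto" }
    return $keyFile
}

function Grant-PrivateKeyRead {
    # Add an Allow:Read ACE for $Identity. Read is what the MMC dialog sets; Full Control would also
    # let the service account delete the key or rewrite its permissions.
    param([string] $KeyPath, [string] $Identity)

    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-PrivateKeyAccess {
    # $true only if $Identity has an Allow ACE granting Read and no Allow ACE granting
    # anything beyond Read (Synchronize is implicitly added by Windows and is harmless).
    param([string] $KeyPath, [string] $Identity)

    $rights      = [System.Security.AccessControl.FileSystemRights]
    $allowedMask = [int]($rights::Read -bor $rights::Synchronize)
    $readMask    = [int]$rights::Read

    $rules = (Get-Acl -Path $KeyPath).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    }
    $hasRead  = @($rules | Where-Object { ([int]$_.FileSystemRights -band $readMask) -eq $readMask }).Count -gt 0
    $tooBroad = @($rules | Where-Object { ([int]$_.FileSystemRights -band (-bnot $allowedMask)) -ne 0 }).Count -gt 0
    return ($hasRead -and -not $tooBroad)
}

# Main flow: locate the cert, find its key file, grant Read, verify.
$cert    = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$keyFile = Get-PrivateKeyFile -Cert $cert
Grant-PrivateKeyRead -KeyPath $keyFile.FullName -Identity $Identity

if (Test-PrivateKeyAccess -KeyPath $keyFile.FullName -Identity $Identity) {
    Write-Host "$Identity now has Read (only) on $($keyFile.FullName)"
} else {
    throw "$Identity does not have exactly Read on $($keyFile.FullName); inspect the ACL with Get-Acl"
}
```

Run it as an administrator, e.g. `.\Grant-RdpKeyRead.ps1 -Thumbprint <thumbprint>`. The verification step matters because the winhttpcertcfg.exe route the answer mentions leaves Full Control on the key; rerunning Test-PrivateKeyAccess after either method tells you whether the key is readable by the service without being deletable or re-ACLable by it.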