Why you should sign RDP files and how to script the signing

RDP file signing is all about security. When you sign RDP files with trusted certificates, your clients can verify that important settings, such as which server to connect to, haven't changed since the RDP file was created. This helps protect both the user and the server from potential attacks. As an added benefit, because the identity of the publisher can be determined, the client doesn't need to display warning dialogs stating that the RDP file might not be safe.

So how do you get all this goodness for your users?

You can create signed RDP files using the RemoteApp Manager tool, but if you're looking for a scripted approach this isn't practical. Luckily, there's a command-line tool, rdpsign.exe, that lets you sign RDP files from a script. Unfortunately, it shipped without the ability to write out the Unicode header, but this is easily fixed with VBScript and has been fixed in the next release of Windows.

So how do you sign using rdpsign? 

First, create or import the certificate that you are going to be using.  You can find more information on how to set up the certificates here:  http://technet.microsoft.com/en-us/library/cc754499.aspx.  

Second, get the thumbprint: open the certificate, click the Details tab, and scroll to the bottom to the Thumbprint field. Keep in mind that the command-line tool expects the thumbprint without spaces, so remove them before passing it in.

Third, sign the file with rdpsign.exe. You can find more information on the command-line use of the tool here: http://technet.microsoft.com/en-us/library/cc753982.aspx. This will sign the RDP file, but when you double-click it, the mstsc dialog box will open with incorrect settings. This is because mstsc tries to read the file as ASCII, while rdpsign.exe wrote it as Unicode without the Unicode header (byte-order mark). This bug has been fixed in the next release of Windows 7.

Finally, to fix this encoding issue, save the VBScript below and run it on the signed file (for example: "fixsignRdp.vbs mySignedFile.rdp"). The script reads the file in as Unicode and writes it back out with the Unicode byte-order mark. The RDP file is then signed and ready for anyone to use.
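The three scripted pieces of this procedure (cleaning up the thumbprint, repairing the missing Unicode header, and checking what the resulting signature actually covers) can be exercised off-box. The following Python is an added example, not code from the original post and not a Microsoft tool; it does not invoke rdpsign.exe itself. It assumes that rdpsign.exe writes UTF-16LE without a byte-order mark (as described above), that .rdp lines have the form "name:type:value", and that the names listed in the "signscope" setting match the lowercased setting names (for example "Full Address" covers "full address"). The sample file content and the signature value in it are constructed placeholders.

```python
"""Helpers for scripting RDP file signing (added example, not the post's code).

- normalize_thumbprint: prepares the certificate thumbprint for rdpsign.exe
- detect_encoding / ensure_utf16_bom: the same repair the VBScript performs
- signed_settings / unsigned_critical_settings: checks what the signature covers
"""
import codecs
import re

BOM = codecs.BOM_UTF16_LE  # b'\xff\xfe', the Unicode header mstsc expects

# Constructed sample of a signed .rdp file; the signature value is a placeholder.
SAMPLE = (
    "full address:s:rds.example.test\r\n"
    "server port:i:3389\r\n"
    "remoteapplicationmode:i:1\r\n"
    "signscope:s:Full Address,Server Port,RemoteApplicationMode\r\n"
    "signature:s:AQABAAEAAAAAAAAAAAAAAA==\r\n"
)
# What rdpsign.exe is described as producing: UTF-16LE with no byte-order mark.
RAW_NO_BOM = SAMPLE.encode("utf-16-le")


def normalize_thumbprint(raw: str) -> str:
    """rdpsign.exe wants the SHA-1 thumbprint as 40 contiguous hex digits.
    The certificate dialog copies it with spaces and often an invisible
    left-to-right mark (U+200E) at the front, so drop every non-hex character."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(cleaned) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)} from {raw!r}")
    return cleaned.lower()


def detect_encoding(data: bytes) -> str:
    """Classify raw .rdp bytes: 'utf16-bom' (what mstsc wants), 'utf16-nobom'
    (what rdpsign.exe wrote), or 'ansi' (plain single-byte text).
    Heuristic assumption: UTF-16LE without BOM shows a zero byte in every odd
    position when the content is ASCII, which .rdp settings normally are."""
    if data.startswith(BOM):
        return "utf16-bom"
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return "utf16-nobom"
    return "ansi"


def ensure_utf16_bom(data: bytes) -> bytes:
    """Return the content as BOM-prefixed UTF-16LE (mirrors the VBScript fix).
    Already-correct files are returned unchanged, so the call is idempotent."""
    kind = detect_encoding(data)
    if kind == "utf16-bom":
        return data
    if kind == "utf16-nobom":
        return BOM + data
    # Assumption: a single-byte file is Windows-1252 (the usual ANSI code page).
    return BOM + data.decode("cp1252").encode("utf-16-le")


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines into {name.lower(): (type, value)}.
    Only the first two colons split; values like 'host:3389' stay intact."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        typ, _, value = rest.partition(":")
        settings[name.lower()] = (typ, value)
    return settings


def signed_settings(text: str):
    """Set of setting names the signature covers, or None if the file is unsigned.
    Assumption: signscope entries equal the lowercased setting names."""
    settings = parse_rdp(text)
    if "signature" not in settings or "signscope" not in settings:
        return None
    return {n.strip().lower() for n in settings["signscope"][1].split(",") if n.strip()}


def unsigned_critical_settings(
    text: str,
    critical=("full address", "alternate full address", "gatewayhostname"),
):
    """Names from `critical` that are present in the file but not protected by
    the signature. An empty list means the server address cannot be swapped
    without invalidating the signature; that is the property signing is for."""
    present = parse_rdp(text)
    covered = signed_settings(text)
    if covered is None:
        return [n for n in critical if n in present]
    return [n for n in critical if n in present and n not in covered]


if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    with open(path, "rb") as fh:
        data = fh.read()
    fixed = ensure_utf16_bom(data)
    if fixed != data:
        with open(path, "wb") as fh:
            fh.write(fixed)
    text = fixed[len(BOM):].decode("utf-16-le")
    print("unprotected critical settings:", unsigned_critical_settings(text))
```

Run it as "python rdpcheck.py mySignedFile.rdp" after rdpsign.exe has produced the file; it rewrites the file with the header only when it is missing and then reports any address-related settings the signature does not cover.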

Update: The encoding issue has been fixed in Windows Server 2008.  See this hotfix.

Kevin London


' This script reads the signed RDP file in as Unicode
' and writes it back out as Unicode.
' rdpsign.exe leaves out the Unicode header (byte-order mark);
' forcing the re-write through FileSystemObject adds it to the file.

Option Explicit

Const ForReading = 1
Const ForWriting = 2
Const TristateTrue = -1   ' open the file as Unicode (UTF-16)

Dim argCount : argCount = WScript.Arguments.Count

If (argCount < 1) Then
    WScript.Echo "Usage: " & WScript.ScriptName & " <signedfile.rdp>"
    WScript.Quit 1
End If

Dim path : path = WScript.Arguments(0)

Dim fso, rdpFile, rdpContents
Set fso = CreateObject("Scripting.FileSystemObject")

If Not fso.FileExists(path) Then
    WScript.Echo "File not found: " & path
    WScript.Quit 1
End If

' Read the whole file as Unicode (reading works without the header)
Set rdpFile = fso.OpenTextFile(path, ForReading, False, TristateTrue)
rdpContents = rdpFile.ReadAll()
rdpFile.Close

' Overwrite the file; writing in Unicode mode emits the byte-order mark
Set rdpFile = fso.OpenTextFile(path, ForWriting, False, TristateTrue)
rdpFile.Write rdpContents
rdpFile.Close