Your company has an Active Directory domain. The company runs Remote Desktop services.
Standard Users who connect to the Remote Desktop Sessions Host Server are in an organizational unit (OU) named OU1. Administrative users are in OU1. No other users connect to the Remote Desktop Session Host Server.
You need to ensure that only members of OU1 can run Remote Desktop Protocol files.
What should you do?
A. Create a Group Policy object (GPO) that configures the Allow .rdp files from valid publishers and user’s default .rdp settings policy setting in the Remote Desktop Client Connection template to Enabled. Apply the GPO to OU1.
B. Create a Group Policy object (GPO) that configures the Specify SHA1 thumbprints of certificates represting trusted .rdp publishers policy setting in the Remote Desktop Client Connection template to Enabled. apply the GPO to OU1.
C. Create a Group Policy object (GPO) that configures the Allow .rdp files from unknown publishers policy setting in the Remote Desktop Client Connection template to Disabled. Apply the GPO to OU1.
D. Create a Group Policy object (GPO) that configures the Allow .rdp files from valid publishers and user’s default .rdp settings policy setting in the Remote Desktop Client Connection template to Disabled. Apply the GPO to OU1.
Correct Answer: B
Explanation/Reference:
Version 1: DISABLE "Allow .rdp files from valid publishers and user’s default .rdp settings" for All Domain Users and ENABLE "SHA1 thumbprints" Policy with of RDS Server’s certificates for OU1. It will enable possibility of execution .rdp files only for users from OU1 which will use SHA1-thumbprints to run signed .rpd files.
Version 2: DISABLE "Allow .rdp files from valid publishers and user’s default .rdp settings" for All Domain Users and ENABLE "Allow .rdp files from valid publishers and user’s default .rdp settings" for OU1. It will enable possibility of execution .rdp files only for users from OU1.
Which is correct – I don’t know.
Allow .rdp files from valid publishers and user’s default .rdp settings
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client’s Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).
If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect.
If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.
If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.
If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. Notes:
You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.
This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user’s default .rdp settings" policy setting.
If the list contains a string that is not a certificate thumbprint, it is ignored.
