Q: How can a Windows Remote Desktop client verify the identity of a Windows Server 2008 Remote Desktop Session Host server to ensure it doesn't set up RDP connections with a rogue server?
April 27, 2010
A: By default, RDP doesn't provide server authentication to verify the identity of a remote desktop session host server. Starting with Windows Server 2003 SP1, you can enhance the security of RDP sessions to a Windows server by using SSL/Transport Layer Security (TLS) for server authentication. To do so, your Remote Desktop Session Host server (or Terminal Services server in pre-Windows Server 2008 versions) must have an X.509 server authentication certificate and be configured correctly.
On a Remote Desktop Session Host (or Terminal Services) server, you can configure SSL/TLS from the Remote Desktop Session Host Configuration MMC snap-in. In the Connections container, right-click the RDP-Tcp connection object and click Properties. Then, on the General tab, select the SSL (TLS 1.0) Security Layer. You can then either select a server authentication certificate that's already installed on the RD Session Host server using the Select pushbutton or click the Default button to generate a self-signed certificate. If you select SSL (TLS 1.0), SSL/TLS will be used for server authentication and also for encrypting all data transferred between the RDP server and client.
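The same RDP-Tcp settings the snap-in exposes can be set from PowerShell through the Win32_TSGeneralSetting WMI class. The script below is an added example, not part of the original column; it assumes the server authentication certificate is already in the Local Computer Personal store and that the placeholder thumbprint is replaced with the real one, and it checks the certificate before binding it so the listener never ends up with an expired one or one lacking the Server Authentication usage.

```powershell
# Added example (not from the original column). Replace the placeholder
# thumbprint with the thumbprint of the certificate installed on the RD
# Session Host in Cert:\LocalMachine\My.
$Thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT'

# Check the certificate before binding it: it must exist, be unexpired and
# carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), otherwise
# clients cannot use it to verify the server's identity.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint has expired" }
$serverAuth = $cert.EnhancedKeyUsageList |
    Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU" }

# The RDP-Tcp listener configuration lives in Win32_TSGeneralSetting.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

# SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS 1.0).
# Value 2 corresponds to the "SSL (TLS 1.0)" choice on the General tab.
$listener.SetSecurityLayer(2) | Out-Null

# Bind the certificate by thumbprint (what the Select button does in the GUI).
$listener.SSLCertificateSHA1Hash = $Thumbprint
$listener.Put() | Out-Null

# Read the settings back to confirm the listener now uses TLS with this cert.
Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" |
    Select-Object TerminalName, SecurityLayer, SSLCertificateSHA1Hash
```

On the client side, `authentication level:i:2` in the .rdp file makes mstsc refuse the connection when the server certificate cannot be validated; a self-signed certificate generated with the Default button passes that check only if the client already trusts it.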