How to Set Up MFA for Remote Desktop

Protecting access to your systems is more important than ever now that remote work is the norm and more of the business runs on connected technology. One powerful way to enhance your business security is by implementing Multi-Factor Authentication (MFA) for Remote Desktop connections.

This guide will walk you through the process of setting up MFA for Remote Desktop, explaining key concepts and providing detailed, step-by-step instructions. We'll explore various methods for implementing MFA RDP (Remote Desktop Protocol) and discuss best practices to ensure your remote access remains secure.

What is RDP?

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to connect to another computer over a network connection. It provides a graphical interface for interacting with the remote computer as if you were sitting directly in front of it. RDP is widely used for remote work, IT support and accessing resources on distant servers.

Key features of RDP include:

  • Graphical user interface access
  • File transfer capabilities
  • Printer redirection
  • Audio redirection
  • Multi-monitor support
  • Clipboard sharing

RDS vs RDP: Key Differences

While discussing remote desktop technologies, it's important to differentiate between RDP and RDS:

  • RDP (Remote Desktop Protocol): This is the protocol used for remote connections to individual Windows computers. It's typically used for one-to-one connections and is built into Windows operating systems. RDP is often used by individuals or small teams for remote access to specific machines.
  • RDS (Remote Desktop Services): This is a more comprehensive platform that allows multiple users to connect to a server simultaneously. RDS is often used in enterprise environments to provide centralised application and desktop access to many users. It includes several components:
      • Remote Desktop Session Host (RDSH): Hosts Windows applications or desktops
      • Remote Desktop Web Access (RDWA): Provides a web interface for accessing remote resources
      • Remote Desktop Gateway (RDG): Enables secure internet access to internal network resources
      • Remote Desktop Connection Broker (RDCB): Manages connections to RDSH servers

RDS can be seen as a more scalable and manageable solution for providing remote access to multiple users, while RDP is more suited for individual remote connections.

For the purposes of this guide, we'll focus primarily on securing RDP connections, but many of the principles apply to RDS as well. Understanding the distinction between RDP and RDS is crucial when planning your MFA implementation strategy.

The Importance of MFA for Remote Desktop

MFA for Remote Desktop, also known as Remote Desktop two-factor authentication or MFA RDP, adds an extra layer of security to your remote connections. When you use MFA for RDP, these are the main benefits:

  1. Enhanced Security: MFA requires users to provide two or more verification factors, making it significantly harder for unauthorised users to gain access. This multi-layered approach to security is especially crucial for RDP, which can be a target for cybercriminals.
  2. Compliance: Many industry regulations and standards, such as HIPAA, PCI DSS and GDPR, require or strongly recommend MFA for remote access to sensitive systems. Implementing MFA for RDP can help your organisation meet these compliance requirements. For example:
      • HIPAA requires covered entities to verify that anyone seeking access to electronic protected health information is authorised to do so.
      • PCI DSS requirement 8.3 mandates the use of MFA for all remote network access originating from outside the entity's network.
      • Even though GDPR does not explicitly require MFA, it is generally regarded as one of the most effective measures for keeping personal data safe.
  3. Protection Against Password Attacks: Even if a password is compromised through phishing, keylogging, or other means, MFA provides an additional barrier to entry. This is particularly important for RDP, as compromised RDP credentials are often sold on the dark web. Common password-based attacks that MFA helps mitigate include:
      • Brute force attacks
      • Credential stuffing
      • Password spraying
  4. User-Friendly: Modern MFA solutions offer convenient options like push notifications or biometric verification, making the additional security step relatively painless for end-users. Many users are already familiar with MFA from consumer applications, which can help with adoption.
  5. Flexibility: There are different ways to set up MFA, so companies can pick the one that works best for their systems and security needs. Options include:
      • SMS codes
      • Mobile apps (like Microsoft Authenticator or Google Authenticator)
      • Hardware tokens
      • Biometric factors
      • Smart cards
  6. Audit Trail: Many MFA solutions provide detailed logs of authentication attempts, enhancing your ability to monitor and investigate potential security incidents related to RDP access. This is very helpful for incident response and compliance reporting.
  7. Reduced Risk of Insider Threats: By requiring a second factor, MFA can help mitigate the risk of insider threats. Even if an internal user's credentials are compromised or misused, the additional factor provides an extra layer of protection.
  8. Scalability: MFA solutions can often be easily scaled as your organisation grows, allowing you to maintain security as you add more users or systems.
  9. Cost-Effective Security: Compared to many other security measures, MFA often provides a high return on investment, significantly improving security without requiring extensive infrastructure changes.

Methods for Implementing MFA RDP

There are several approaches to implementing MFA for Remote Desktop. Each method has its own advantages and considerations:

  1. Azure AD and Network Policy Server (NPS) Extension: This method leverages Microsoft's cloud-based Azure Active Directory for MFA in conjunction with an on-premises Network Policy Server. It's a popular choice for organisations already using Azure AD.
  2. Third-party MFA solutions: Many vendors offer MFA solutions that can integrate with RDP. These often provide additional features and flexibility.
  3. Remote Desktop Gateway with MFA: Some RD Gateway solutions come with built-in MFA capabilities, simplifying the setup process.
  4. VPN with MFA + Remote Desktop: This approach requires users to connect to a VPN with MFA before accessing Remote Desktop, adding an extra layer of security.

In this guide, we'll focus primarily on the first method using Azure AD and NPS Extension, as it's a common and relatively straightforward approach for organisations already invested in the Microsoft ecosystem.

Setting Up MFA for Remote Desktop Using Azure AD (Microsoft Entra ID) and NPS Extension

This method involves using Azure Active Directory (Azure AD) for MFA in conjunction with the Network Policy Server (NPS) extension. Here's a detailed, step-by-step guide:

Step 1: Prerequisites

Before you begin setting up MFA for RDP, ensure you have the following:

  • An Azure AD Premium licence (P1 or P2)
  • Azure AD Connect set up to sync your on-premises directory with Azure AD
  • Windows Server 2008 R2 SP1 or later with the NPS role installed
  • Remote Desktop Services (RDS) infrastructure
  • Your Azure AD tenant ID (a GUID)
  • Proper network connectivity between your on-premises servers and Azure AD

Step 2: Configure Azure AD MFA

  1. Sign in to the Azure portal (portal.azure.com) with global administrator permissions.
  2. Navigate to Azure Active Directory > Security > MFA.
  3. Choose your preferred MFA methods. Options typically include:
      • Microsoft Authenticator app
      • SMS text message
      • Phone call
      • OATH hardware token
  4. Configure Conditional Access policies to require MFA for RDP access:
      • Go to Azure Active Directory > Security > Conditional Access
      • Create a new policy
      • Set the appropriate conditions (e.g., all users, specific groups)
      • Under Access controls, select "Grant" and check "Require multi-factor authentication"
      • Enable the policy

Step 3: Install and Configure the NPS Extension

  1. Download the NPS extension from the Microsoft website.
  2. Install the extension on your NPS server (note: this should not be the RD Gateway server).
  3. During installation, you'll need to provide:
  • Your Azure AD global administrator credentials
  • Your Azure AD tenant ID (can be found in the Azure portal under Azure Active Directory > Properties)

Step 4: Configure Certificates for the NPS Extension

  1. Open PowerShell as an administrator on the NPS server.
  2. Navigate to the NPS extension configuration folder:

      cd 'c:\Program Files\Microsoft\AzureMfa\Config'

  3. Run the following script:

      .\AzureMfaNpsExtnConfigSetup.ps1

  4. Follow the prompts to sign in with your Azure AD admin credentials and provide the tenant ID.

The script will create a self-signed certificate for secure communication between the NPS server and Azure AD.

Step 5: Configure the Remote Desktop Gateway

  1. On the RD Gateway server, open the Remote Desktop Gateway Manager.
  2. Go to the RD CAP Store tab.
  3. Select "Central server running NPS" and enter the IP address or name of your NPS server.

Click Add and provide a shared secret for RADIUS communication. Make sure to remember this secret, as you'll need it when configuring the NPS server.

Step 6: Adjust RADIUS Timeout Settings

  1. On the RD Gateway server, open the Network Policy Server console.
  2. Expand RADIUS Clients and Servers > Remote RADIUS Server Groups.
  3. Select the TS GATEWAY SERVER GROUP.
  4. Edit the properties of your NPS server.

On the Load Balancing tab, increase the "Number of seconds without response before request is considered dropped" to 60 seconds. This extended timeout is necessary to accommodate the additional time required for MFA.

Step 7: Configure NPS Policies

On the NPS server:

  1. Open the NPS console.
  2. Register the server in Active Directory if not already done:
      • Right-click on NPS (Local) and select "Register server in Active Directory."
  3. Create a new RADIUS client for the RD Gateway:
      • Right-click on RADIUS Clients and select "New."
      • Enter a name and the IP address of your RD Gateway
      • Enter the shared secret you created in Step 5
  4. Configure a Network Policy to authorise valid connection requests:
      • Expand Policies and right-click on "Network Policies."
      • Select "New" to create a new policy
      • Name the policy (e.g., "RDP MFA Policy")
      • Add a condition for "Windows Groups" and select the appropriate user groups
      • Under "Settings," ensure "Access granted" is selected
      • Configure authentication methods as needed (typically, you'll want to allow MS-CHAPv2)
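The RADIUS client registration in step 3 can also be done from PowerShell, which makes it repeatable and lets you generate the shared secret instead of typing one. The script below is an added example, not part of the original guide or of Microsoft's tooling; it uses the NPS module's New-NpsRadiusClient, Get-NpsRadiusClient and Export-NpsConfiguration cmdlets, and the gateway name and address are placeholders to replace with your own.

```powershell
# Added example (not from the original guide): register the RD Gateway as a RADIUS
# client on the NPS server and verify the result. Run in an elevated PowerShell
# session on the NPS server. The gateway name and address are placeholders.
#Requires -RunAsAdministrator
Import-Module NPS   # ships with the Network Policy Server role

$GatewayName    = 'RDGW01'       # placeholder: friendly name for the RD Gateway
$GatewayAddress = '10.0.0.25'    # placeholder: IP address of the RD Gateway

# Generate a random shared secret instead of inventing one by hand. The shared secret
# is what authenticates RADIUS traffic between the gateway and NPS, so it should be
# long and unpredictable (32 random bytes, Base64-encoded, gives 44 characters).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)

# Create the RADIUS client entry (the equivalent of "RADIUS Clients > New" in the console).
New-NpsRadiusClient -Name $GatewayName -Address $GatewayAddress -SharedSecret $SharedSecret | Out-Null

# Verify that the client was registered and is enabled before relying on it.
$client = Get-NpsRadiusClient -Name $GatewayName
if (-not $client -or -not $client.Enabled) {
    throw "RADIUS client '$GatewayName' was not created or is disabled."
}
Write-Host "Registered RADIUS client $($client.Name) at $($client.Address)"

# The same secret must be entered on the RD Gateway (Step 5). Show it once so it can be
# copied into the RD CAP Store dialog, then drop it from the session.
Write-Host "Shared secret (enter this on the RD Gateway, then close this window): $SharedSecret"
Remove-Variable SharedSecret, bytes

# Keep a backup of the NPS configuration before making further policy changes.
Export-NpsConfiguration -Path "$env:ProgramData\nps-backup-$(Get-Date -Format yyyyMMdd-HHmm).xml"
```

The exported XML contains the RADIUS shared secrets in clear text, so store the backup somewhere only administrators can read, or delete it once the configuration is known to work.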

Step 8: Test the Configuration

  1. Attempt to connect to your Remote Desktop server using an RDP client.
  2. Enter your username and password as usual.
  3. You should now be prompted for the second factor of authentication (e.g., approve a push notification or enter a code).
  4. Upon successful MFA, you should be granted access to the remote desktop.

Troubleshooting MFA for Remote Desktop

If you encounter problems while setting up or using MFA for Remote Desktop, consider these common troubleshooting steps:

  1. Check Azure AD Sync: Ensure that user accounts are properly synced between your on-premises Active Directory and Azure AD. Use the Azure AD Connect Health tool to diagnose synchronisation issues.
  2. Verify NPS Extension Installation: Make sure the NPS extension is correctly installed and configured on your NPS server. Check Windows Event Viewer for errors.
  3. Review RADIUS Settings: Double-check the RADIUS client and server configurations, including shared secrets and IP addresses. Ensure that the RD Gateway and NPS server can communicate over the necessary ports (typically UDP 1812 and 1813).
  4. Check Network Connectivity: Ensure that all relevant servers can communicate with each other and with Azure AD. Use tools like telnet or Test-NetConnection to verify connectivity.
  5. Examine Logs: Review event logs on the NPS server and RD Gateway for any error messages. The NPS extension logs can be found in the Windows Event Viewer under Applications and Services Logs > Microsoft > AzureMFA.
  6. Test MFA Separately: Verify that MFA is working correctly for the user in other contexts (e.g., Office 365 login). This can help isolate whether the issue is with the RDP configuration or the MFA setup itself.
  7. Increase Timeout Values: If authentication is failing due to timeouts, consider further increasing the RADIUS timeout settings. Be cautious not to set them too high, as this could impact the user experience.
  8. Check User Accounts: Ensure that the users attempting to connect have the necessary permissions and are properly configured for MFA in Azure AD.
  9. Verify Certificate Settings: Check that the self-signed certificate created by the NPS extension script is valid and properly trusted.
  10. Monitor Azure AD Connect: Ensure that Azure AD Connect is running and synchronising correctly. Check the synchronisation logs for any errors.
  11. Test with Different Clients: If issues persist, try connecting from different RDP clients or devices to isolate any client-specific problems.
  12. Review Firewall Settings: Ensure that necessary ports are open between your on-premises servers and Azure AD.

Remember, troubleshooting MFA for RDP often requires a systematic approach. Start with the basics (network connectivity, user permissions) and work your way up to more complex issues. Don't hesitate to engage Microsoft support if you encounter persistent issues.
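Several of the checks above (NPS service and RADIUS ports, the RADIUS client entry, connectivity to Azure AD, the extension certificate, and the NPS and AzureMFA event logs) can be collected in one read-only script. The script below is an added example rather than part of the original guide; it runs on the NPS server and changes nothing. The gateway address is a placeholder, and the assumption that the extension's certificate subject contains "Microsoft NPS Extension" is marked in the code.

```powershell
# Added example (not from the original guide): a read-only health check covering the
# common troubleshooting steps on the NPS server. Run in an elevated PowerShell session
# on the NPS server. The gateway address is a placeholder.
#Requires -RunAsAdministrator

$GatewayAddress = '10.0.0.25'   # placeholder: IP address of the RD Gateway
$Since = (Get-Date).AddHours(-24)

# 1. The NPS service (internal service name "IAS") must be running.
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
"NPS service: $(if ($svc) { $svc.Status } else { 'NOT INSTALLED' })"

# 2. NPS should be listening on the RADIUS ports (UDP 1812 authentication, 1813 accounting).
foreach ($port in 1812, 1813) {
    $ep = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    "UDP $port listener: $(if ($ep) { 'present' } else { 'MISSING' })"
}

# 3. The RD Gateway must be registered as a RADIUS client under the address it sends from.
$match = Get-NpsRadiusClient | Where-Object { $_.Address -eq $GatewayAddress }
"RADIUS client for ${GatewayAddress}: $(if ($match) { $match.Name } else { 'NOT FOUND' })"

# 4. The extension needs outbound HTTPS to Azure AD to complete the second factor.
$net = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
"HTTPS to login.microsoftonline.com: $(if ($net.TcpTestSucceeded) { 'ok' } else { 'FAILED' })"

# 5. The certificate created by AzureMfaNpsExtnConfigSetup.ps1 lives in the machine store.
#    Assumption: its subject contains 'Microsoft NPS Extension'; adjust the filter if yours differs.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*Microsoft NPS Extension*' }
foreach ($c in $certs) {
    "Extension certificate $($c.Thumbprint) expires $($c.NotAfter) $(if ($c.NotAfter -lt (Get-Date)) { '(EXPIRED)' })"
}
if (-not $certs) { 'Extension certificate: NOT FOUND (re-run the configuration script)' }

# 6. Recent errors from the extension's own channels (Applications and Services Logs > Microsoft > AzureMfa).
$mfaLogs = Get-WinEvent -ListLog 'Microsoft-AzureMfa*' -ErrorAction SilentlyContinue
foreach ($log in $mfaLogs) {
    $errs = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Level = 2; StartTime = $Since } -ErrorAction SilentlyContinue
    "$($log.LogName): $(@($errs).Count) error(s) in the last 24h"
}

# 7. NPS audit events in the Security log: 6272 = access granted, 6273 = access denied.
#    A denial's "Reason" line usually points straight at the misconfiguration.
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $Since } -ErrorAction SilentlyContinue
"Access denied (6273) events in the last 24h: $(@($denied).Count)"
$denied | Select-Object -First 5 | ForEach-Object {
    $reason = ($_.Message -split "`n" | Where-Object { $_ -match '^\s*Reason:' }) -join ''
    "  $($_.TimeCreated)  $($reason.Trim())"
}
```

Test-NetConnection only exercises TCP, so the port checks in step 2 confirm that NPS is listening locally but not that UDP 1812/1813 are reachable from the RD Gateway; for that, watch for 6272/6273 events appearing on the NPS server while a test connection is made from the gateway.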

Alternative Methods for MFA RDP

While the Azure AD and NPS Extension method is popular, there are other approaches to implementing MFA for Remote Desktop. Let's explore these alternatives in more detail:

Third-Party MFA Solutions

Many third-party MFA providers offer solutions specifically designed to secure remote desktop connections. These often integrate with various identity providers and offer additional features like adaptive authentication or passwordless options.

When choosing a third-party solution for MFA RDP, consider factors like:

  • Ease of integration with your existing infrastructure
  • Supported authentication methods (e.g., push notifications, biometrics, hardware tokens)
  • Cost and licensing model
  • User experience and mobile app quality
  • Additional features like risk-based authentication or single sign-on capabilities

Remote Desktop Gateway with Built-in MFA

Some Remote Desktop Gateway solutions come with built-in MFA capabilities. These can be easier to set up than the Azure AD method but may offer less flexibility or integration with other systems. Examples include:

  • Apache Guacamole: An open-source clientless remote desktop gateway that supports various MFA methods.
  • Devolutions Server: Offers a comprehensive remote connection management solution with built-in MFA options.
  • Parallels Remote Application Server (RAS): Provides a complete virtual desktop and application delivery solution with integrated MFA.

VPN with MFA + Remote Desktop

Another approach is to require users to connect to a VPN with MFA before accessing Remote Desktop. This increases security but may affect performance and user experience. Steps typically involve:

  1. Setting up a VPN server with MFA capabilities
  2. Configuring the VPN to only allow access to specific RDP resources
  3. Requiring VPN connections before RDP sessions

This can be useful for organisations that already have a robust VPN infrastructure in place.

Windows Hello for Business

For organisations fully invested in the Microsoft ecosystem, Windows Hello for Business offers a way to implement strong authentication for RDP without traditional MFA. It uses biometric factors or PINs tied to specific devices, providing a seamless user experience while maintaining high security.

Best Practices for MFA RDP Implementation

To ensure the most secure and efficient use of MFA for Remote Desktop, consider these best practices:

  1. Use Strong Base Passwords: Even with MFA, it's important to maintain strong password policies. Encourage the use of long, complex passwords or passphrases.
  2. Implement Least Privilege Access: Only grant remote access to users who truly need it, and limit their permissions to what's necessary for their roles.
  3. Keep Systems Updated: Regularly update your Remote Desktop servers, gateways, and related components to patch security vulnerabilities. This includes keeping the NPS extension and Azure AD Connect up to date.
  4. Monitor and Audit: Implement logging and monitoring solutions to track Remote Desktop access attempts and spot unusual activity. Consider using Azure AD's reporting features or third-party SIEM solutions.
  5. Educate Users: Provide comprehensive training on the importance of MFA and how to use it correctly. Ensure users understand the risks of sharing authentication factors or bypassing security measures.
  6. Consider Adaptive MFA: If available, use adaptive or risk-based MFA that adjusts authentication requirements based on factors like location, device, or user behaviour patterns.
  7. Backup Authentication Methods: Ensure users have multiple MFA options (e.g., both app and SMS) in case their primary method is unavailable. This prevents lockouts and reduces support calls.
  8. Regular Testing: Periodically test your MFA setup to ensure it's working correctly and providing the expected level of security. This includes testing failover scenarios and recovery procedures.
  9. Use Secure Protocols: Ensure that you're using the latest version of RDP and that it's properly configured to use encryption and network-level authentication (NLA).
  10. Implement Network Segmentation: Use network segmentation to isolate systems accessible via RDP, reducing the potential impact of a breach.
  11. Consider Just-In-Time Access: Implement solutions that provide just-in-time privileged access to RDP sessions, reducing the window of opportunity for attackers.
  12. Utilise IP Restrictions: Where possible, limit RDP access to known IP ranges or require connection through a VPN.
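Practices 9 and 12 (Network Level Authentication, encryption, and restricting RDP to known addresses) are settings on the RDP host itself and can be audited, and optionally enforced, with a short script. The script below is an added example, not part of the original guide; it reads the RDP-Tcp listener settings in the registry and the "Remote Desktop" firewall rule group, and the allowed source range is a placeholder for your own gateway or VPN subnet.

```powershell
# Added example (not from the original guide): audit an RDP host for the hardening items
# above (NLA required, TLS security layer, high encryption, inbound firewall rules limited
# to known sources) and optionally enforce them. Run elevated on the host that accepts RDP.
#Requires -RunAsAdministrator

$AllowedSources = @('10.0.0.0/24')   # placeholder: ranges allowed to reach RDP (e.g. the RD Gateway or VPN subnet)
$Enforce = $false                     # set to $true to apply the fixes instead of only reporting them

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$settings = @{
    UserAuthentication = 1   # 1 = Network Level Authentication required
    SecurityLayer      = 2   # 2 = TLS (0 = legacy RDP security layer, 1 = negotiate)
    MinEncryptionLevel = 3   # 3 = High (128-bit)
}

$findings = @()
foreach ($name in $settings.Keys) {
    $current = (Get-ItemProperty -Path $rdpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $settings[$name]) {
        $findings += "$name is '$current', expected $($settings[$name])"
        if ($Enforce) { Set-ItemProperty -Path $rdpKey -Name $name -Value $settings[$name] -Type DWord }
    }
}

# Enabled inbound RDP rules should be scoped to known source addresses, not "Any".
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    if ($filter.RemoteAddress -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' accepts RDP from any address"
        if ($Enforce) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedSources }
    }
}

if ($findings.Count -eq 0) {
    'RDP hardening audit: no findings'
} else {
    "RDP hardening audit: $($findings.Count) finding(s)" + $(if ($Enforce) { ' (remediated)' })
    $findings | ForEach-Object { "  - $_" }
}
```

Run it in audit mode first: if you are connected over RDP from an address outside $AllowedSources, enforcing the firewall scope will drop your own session. Where these settings are managed by Group Policy, the policy values take precedence over the registry values the script sets, so make the change in the GPO instead.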

Future of MFA for Remote Desktop

As technology evolves, MFA for Remote Desktop will continue to improve. Here are some trends and potential changes to watch:

  1. Passwordless Authentication: More solutions may move towards eliminating passwords entirely, relying on strong MFA methods instead. This could involve technologies like FIDO2 security keys or biometric factors.
  2. Biometric Integration: Increased use of biometric factors like fingerprints, facial recognition, or even behavioural biometrics for remote authentication. This could provide a more seamless user experience while maintaining high security.
  3. AI and Machine Learning: Advanced systems may use AI to detect anomalies and adjust authentication requirements in real time. This could involve analysing patterns in user behaviour, device characteristics, and network conditions to make dynamic access decisions.
  4. Unified Identity Management: Greater integration between on-premises and cloud-based identity systems for seamless MFA across all services. This could simplify management and provide a more consistent user experience.
  5. Enhanced Mobile Integration: As mobile devices become more central to our work lives, we may see tighter integration between mobile devices and RDP authentication, possibly leveraging device health and integrity checks as part of the authentication process.
  6. Continuous Authentication: Rather than just authenticating at the beginning of a session, future systems might continuously verify the user's identity throughout the RDP session, using factors like keystroke dynamics or mouse movement patterns.
  7. IoT (Internet of Things) Expansion: As IoT grows, we may see new authentication mechanisms based on smart devices or environmental factors.

Conclusion

Implementing MFA for Remote Desktop is a crucial step in securing your organisation's remote access infrastructure. While it may seem complex at first, the security benefits far outweigh the initial setup effort. By following the steps outlined in this guide and following best practices, you can significantly enhance your remote access security posture.

At InstaSafe, our secure remote access solution empowers your team to work from anywhere without compromising security. With one-click application access and Zero Trust protection, we make remote work both seamless and safe for your organisation.