Forum Discussion
RDP Web Access MFA
This has got to be a stupid question but here goes.
We use Remote Desktop Services to deliver remote desktops and apps to external parties. We have MFA setup on the launching of the published app or desktop. However, the initial login to the RD Web Access portal (remote.whitehavencoal.com.au) is not MFA enabled and vulnerable to password guessing. I was able to successfully exploit this.
The MSP who set this up claims it’s not possible to put MFA on the initial RDP Web Access portal. I find that very hard to believe given MFA is so prevalent and recommended by everyone including Microsoft on everything.
Could you help me either confirm this weakness or point me to a solution.
3 Replies
Option 2: RD Gateway with NPS Extension for Azure MFA
- Install Network Policy Server (NPS) Extension for Azure MFA:
- Install the NPS extension on the RD Gateway server.
- Configure it to work with Azure MFA.
- Redirect Authentication:
- Configure RD Web Access to use RD Gateway for all authentication requests.
- The RD Gateway will enforce MFA for every connection, including RD Web Access logins.
- Test and Validate:
- Confirm that MFA challenges are enforced during RD Web Access login.
Benefits: Protects both RD Web Access and the remote desktop connections.
Option 3: Third-Party MFA Solutions
- Use a third-party MFA provider like Duo Security:
- Install Duo's RD Web MFA integration on the RD Web Access server.
- Configure Duo policies to require MFA for all users accessing the RD Web Access portal.
Benefits: Offers flexibility if Azure AD is not part of your setup.
Additional Recommendations
- Account Lockout Policies:
- Configure account lockout settings to mitigate brute-force attacks.
- Enable monitoring and alerting for failed logins.
- Limit External Access:
- Use VPN or IP whitelisting to restrict access to the RD Web Access portal.
- Consider publishing RD Web Access internally and requiring VPN access for external users.
- Secure the Login Page:
- Implement CAPTCHA or rate-limiting features to reduce the risk of automated attacks.
- Regularly update the RD Web Access server to patch known vulnerabilities.
- Install Network Policy Server (NPS) Extension for Azure MFA:
Azure AD Application Proxy with Azure MFA
- Deploy Azure AD Application Proxy:
- Install the Azure AD Application Proxy Connector on a Windows Server within your network.
- Configure it to publish the RD Web Access URL through Azure AD.
- Configure Azure AD Authentication:
- Add the RD Web Access URL as an enterprise application in Azure AD.
- Require MFA using Conditional Access policies (e.g., enforce MFA for users accessing the RD Web Access app).
- Users will access the RD Web Access portal through the Azure Application Proxy endpoint, secured with Azure MFA.
Benefits: Seamless integration with Azure AD, no on-premises changes to RD Web Access needed.
- Deploy Azure AD Application Proxy:
You're correct to question the claim that Multi-Factor Authentication (MFA) cannot be applied to the Remote Desktop Web Access (RD Web Access) portal. It is possible to enable MFA on RD Web Access to mitigate the risk of password-guessing attacks. Here’s an explanation and solution
The RD Web Access portal is an external-facing endpoint, making it a prime target for brute-force or credential-stuffing attacks. Without MFA, it relies solely on passwords, which can be compromised.
Solution Overview
To protect the RD Web Access portal with MFA, you can integrate it with:
- Azure AD MFA
- Third-party MFA solutions (e.g., Duo, Okta)
- Conditional Access policies via Azure AD (if you use Hybrid Azure AD or Azure AD authentication).
