Forum Discussion

lfk73's avatar
lfk73
Brass Contributor
Nov 21, 2024

RDP Web Access MFA

This has got to be a stupid question but here goes. We use Remote Desktop Services to deliver remote desktops and apps to external parties.  We have MFA setup on the launching of the published a...
security
windows server
kyazaferr's avatar
kyazaferr
MCT
Nov 25, 2024

Option 2: RD Gateway with NPS Extension for Azure MFA

  1. Install Network Policy Server (NPS) Extension for Azure MFA:
    • Install the NPS extension on the RD Gateway server.
    • Configure it to work with Azure MFA.
  2. Redirect Authentication:
    • Configure RD Web Access to use RD Gateway for all authentication requests.
    • The RD Gateway will enforce MFA for every connection, including RD Web Access logins.
  3. Test and Validate:
    • Confirm that MFA challenges are enforced during RD Web Access login.

Benefits: Protects both RD Web Access and the remote desktop connections.

Option 3: Third-Party MFA Solutions

  • Use a third-party MFA provider like Duo Security:
    1. Install Duo's RD Web MFA integration on the RD Web Access server.
    2. Configure Duo policies to require MFA for all users accessing the RD Web Access portal.

Benefits: Offers flexibility if Azure AD is not part of your setup.

Additional Recommendations

  • Account Lockout Policies:
    • Configure account lockout settings to mitigate brute-force attacks.
    • Enable monitoring and alerting for failed logins.
  • Limit External Access:
    • Use VPN or IP whitelisting to restrict access to the RD Web Access portal.
    • Consider publishing RD Web Access internally and requiring VPN access for external users.
  • Secure the Login Page:
    • Implement CAPTCHA or rate-limiting features to reduce the risk of automated attacks.
    • Regularly update the RD Web Access server to patch known vulnerabilities.