In this post, you will learn how to enable two-factor authentication (2FA) for Remote Desktop Protocol (RDP). We will use Duo 2FA, a commercial security service from Duo Security, now owned by Cisco.
By Surender Kumar

Recently, I wrote a post about changing the default RDP port, which adds a small amount of obscurity that stops dumb bots from repeatedly knocking on the default port. It doesn't protect RDP from a skilled attacker, though.

Remote Desktop Protocol (RDP) is one of the most common methods used by IT pros and the remote workforce to access Windows systems remotely. Because of its popularity, it remains a primary target of threat actors, and it has suffered various vulnerabilities in the past. Despite these risks, there are certain systems where you just can't avoid using it. Two-factor authentication for RDP is a way to mitigate some of these risks.

Prerequisites

  • Duo 2FA works with all versions of Windows 10/11 and Windows Server 2016/2019/2022 (including the GUI-less Server Core).
  • To follow this guide, make sure you have a Duo account. You can create one by visiting this link.
  • Make sure that the time is correct on your Windows system.
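The following PowerShell script is an added pre-flight check, not part of the original post, that covers the prerequisites above before you install anything: it measures the clock offset against an NTP server with w32tm, confirms the host can reach the Duo API hostname on TCP 443 (the same thing the installer's connectivity check does), and validates the Authenticode signature of the downloaded installer. The API hostname, NTP server, installer path and the 60-second skew tolerance are placeholders or assumptions you replace with your own values.

```powershell
# Added pre-flight check for the Duo-for-RDP prerequisites (example code, not from
# the original post). Replace the placeholder values below with your own.
$DuoApiHost     = 'api-XXXXXXXX.duosecurity.com'   # placeholder: API hostname from the Duo admin console
$NtpServer      = 'time.windows.com'               # placeholder: your NTP source
$InstallerPath  = "$env:USERPROFILE\Downloads\DuoWindowsLogon.msi"  # placeholder path to the downloaded installer
$MaxSkewSeconds = 60   # assumed tolerance; signed API requests fail when the clock drifts too far

$ok = $true

# 1. Clock check. With /dataonly, w32tm prints one line per sample such as
#    "12:00:01, +00.0123456s"; parse the signed offset in seconds from each line.
$samples = w32tm /stripchart "/computer:$NtpServer" /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "Could not measure clock offset against $NtpServer; check NTP reachability."
    $ok = $false
} else {
    $maxOffset = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($maxOffset -gt $MaxSkewSeconds) {
        Write-Warning ("Clock is off by {0:N1}s; run 'w32tm /resync' before installing." -f $maxOffset)
        $ok = $false
    } else {
        Write-Host ("Clock OK (max offset {0:N3}s)" -f $maxOffset)
    }
}

# 2. Connectivity check: the credential provider talks to the API hostname over HTTPS.
if (Test-NetConnection -ComputerName $DuoApiHost -Port 443 -InformationLevel Quiet) {
    Write-Host "TCP 443 to $DuoApiHost is reachable"
} else {
    Write-Warning "Cannot reach $DuoApiHost on TCP 443; with fail open disabled, logons would be blocked."
    $ok = $false
}

# 3. Installer integrity: only run an installer whose Authenticode signature validates.
if (Test-Path $InstallerPath) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    if ($sig.Status -eq 'Valid') {
        Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Warning "Installer signature status is '$($sig.Status)'; do not run it."
        $ok = $false
    }
} else {
    Write-Warning "Installer not found at $InstallerPath"
    $ok = $false
}

if ($ok) { Write-Host 'All prerequisite checks passed.' }
else     { Write-Warning 'Fix the warnings above before installing.' }
```

Run it in an elevated PowerShell session on the machine you intend to protect. The connectivity check matters more than it looks: once fail open is disabled in the next sections, a host that cannot reach the API hostname will refuse every logon, so confirm the firewall or proxy path now rather than at the logon screen.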

User enrollment

Duo 2FA doesn't support the self-service enrollment process for new users. Thus, you must first manually enroll at least one user that you want to protect using Duo 2FA. If you install the Duo application without enrolling the user first, you will see an error, as shown below, and you will no longer be able to sign in.

The username you have entered is not enrolled with Duo Security. Please contact your system administrator.

Furthermore, Duo 2FA supports username normalization, which lets the same user sign in using any of several username formats (e.g., testlab\surender, surender@testlab.local, or surender).

To manually enroll a user, follow these steps:

Sign in to the Duo admin console using a web browser.

Select Users in the left navigation pane and click the Add User button.

Duo admin console Users page

In the Username text field, type the username that you want to protect, and click the Add User button.

Duo admin console Add new user

On the next page, fill in the user's details (full name, email address, group membership, etc.) and click the Save Changes button.

Duo admin console Add user details

Once the email address and other details are updated for the user, click the Send Enrollment Email link at the top right to send an enrollment email. The user will now receive an email message containing an enrollment link.

The user then has to install the Duo Mobile app on their smartphone or tablet. The app is available on both Google Play and the App Store.

A sample enrollment email from Duo Security

Now, the user must open the email message on the smartphone or tablet and click the enrollment link. When prompted to select an option, the user must tap on Duo Mobile, as shown in the screenshot below.

Duo Mobile Select an option

The user is asked to enter their phone number to create an account. If they don't want to specify a number, they can simply click the I have a tablet link.

Duo Mobile setup I have a tablet

If they skip adding a phone number, they will not be able to use the Call Me option during 2FA.

The account is now enrolled and appears in the Duo Mobile app.

Duo Mobile Viewing the newly enrolled account

The user can now use the passcode shown in the Duo Mobile app for two-factor authentication when logging in with RDP. We will leave the Duo admin console open for the next section.

Configure two-factor authentication for RDP

After successful user enrollment, you need to configure 2FA for the RDP application in the Duo admin console:

In the Duo admin console, click the Applications link in the navigation menu.

Click the Protect an Application button.

Duo admin console Protect an application

Now, type RDP in the search box, and Microsoft RDP will appear in the search results. Click the Protect button on the right. This displays the integration key, the secret key, and the API hostname for Microsoft RDP.

Duo admin console Protect Microsoft RDP

Copy this information to a safe temporary location, as you will need it later to finish your 2FA setup. The secret key is like a password, so keep it highly confidential.

Duo admin console Viewing integration key secret key and API hostname

Scroll down on the same page to view and customize more settings related to RDP protection, such as group policy, application policy, user normalization, administrative unit, permitted groups, and offline access.

Install the Duo Security application

It is now time to install the Duo authentication for Windows logon application on the Windows system that you want to protect using Duo 2FA:

Download the installer package, Duo authentication for Windows logon.

Make sure your user account has administrator privileges to install the application.

Now, run the installer file, and click the Next button.

On the Duo Connectivity Check page, paste the API hostname that you copied from the Duo admin console.

Duo authentication for Windows logon Enter API hostname

Optionally, you can specify a custom proxy by enabling the checkbox Configure manual proxy for Duo traffic. I will skip it and click Next.

On the Duo Security Account Details page, paste your integration key and secret key, and click Next.

Duo authentication for Windows logon Enter integration key and secret key

The next page shows the Duo integration options, which are very important. Make sure you uncheck the FailOpen option. With fail open enabled, a logon is allowed to complete with only the first factor whenever the computer cannot reach the Duo service, which makes this whole 2FA setup useless as soon as the computer is not connected to the internet.

Duo authentication for Windows logon Duo integration options

I also enabled the Use auto push to authenticate if available option since it makes two-factor authentication more convenient. By default, Duo 2FA will work for all local and remote desktop logons. To enable Duo 2FA for RDP connections only, enable the last option, Only prompt for Duo authentication when logging in via RDP.

Duo 2FA also supports the use of smartcards. If you want, you can enable it on the next screen.

Duo authentication for Windows logon Enable smartcard support

I will keep this disabled for this demo and click Next.

Duo also supports user elevation protection, which hooks into User Account Control (UAC). If you enable it, Duo 2FA will be required for any operation requiring administrator privileges.

Duo authentication for Windows logon Enable UAC elevation protection

I'll skip this option since we are only protecting RDP connections here.

Finally, click the Install button and wait for the installation to finish.

Installing Duo authentication for Windows logon
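Once the installer finishes, it is worth confirming from the host itself that the options you chose on the integration options page actually landed, in particular that fail open is off and that the RDP-only prompt is on. The PowerShell script below is an added example, not code from the original post or from Duo. It looks the product up in the installed-programs registry and then reads the configuration values the Windows Logon client stores under HKLM:\SOFTWARE\Duo Security\DuoCredProv; that key path and the value names (FailOpen, RdpOnly, AutoPush, Host, IKEY) are assumptions taken from Duo's published documentation, and the script reports a value as not found rather than guessing when it is absent.

```powershell
# Added post-install verification (example code, not from the original post).
# The registry key and value names below are assumed from Duo's documentation
# for the Windows Logon client; adjust them if your installed version differs.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

# 1. Is the product installed? Check the Uninstall registry rather than a file path.
$product = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Duo Authentication for Windows Logon*' } |
    Select-Object -First 1 DisplayName, DisplayVersion
if ($product) {
    Write-Host "Installed: $($product.DisplayName) $($product.DisplayVersion)"
} else {
    Write-Warning 'Duo Authentication for Windows Logon was not found among installed products.'
}

# 2. Compare the stored settings against what was chosen during installation.
#    These expected values match the choices made in the walkthrough above.
$expected = [ordered]@{
    FailOpen = 0   # fail closed: if Duo is unreachable, the logon does not proceed
    RdpOnly  = 1   # prompt for Duo on RDP logons only
    AutoPush = 1   # send a push automatically when available
}

$props = Get-ItemProperty -Path $DuoKey -ErrorAction SilentlyContinue
if (-not $props) {
    Write-Warning "Registry key $DuoKey not found; cannot verify the Duo configuration."
} else {
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            Write-Warning "$name not found under $DuoKey"
        } elseif ([int]$actual -ne $expected[$name]) {
            Write-Warning ("{0} = {1}, expected {2}" -f $name, $actual, $expected[$name])
        } else {
            Write-Host ("{0} = {1} (OK)" -f $name, $actual)
        }
    }
    # The hostname and integration key confirm you pasted the right application's
    # values; the secret key is deliberately not displayed.
    Write-Host "API hostname:    $($props.Host)"
    Write-Host "Integration key: $($props.IKEY)"
}
```

Anyone who can write to that registry key can switch FailOpen back on, so it belongs in whatever configuration-monitoring or integrity-checking you already run for the host; a scheduled run of this script that alerts on a warning is a cheap way to catch drift.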

Test your 2FA setup

Duo 2FA for RDP is now all set. You can now try to connect to your Windows system using a remote desktop connection. After successful authentication with the first factor (username/password), the Duo Security screen appears. Here you can click the Send Push button to receive a push notification. Alternatively, click Enter a Passcode to manually type the passcode generated in the Duo Mobile app on the mobile device.

Testing Duo 2FA protection for RDP

The Call Me option isn't available because I didn't provide a phone number during enrollment. Since I enabled auto push during installation, a push notification is received on my phone at every logon by default, as shown in the screenshot:

Duo Mobile Automatic push notification

I can now tap Approve or Deny for the RDP login request. Tapping Approve passes the second-factor authentication, and the remote desktop connection is established. The authentication logs and other detailed analytics are available in the Duo admin console under the Reports menu.

Duo admin console Viewing Duo 2FA logs

Enable offline access [optional]

You might wonder what happens if the computer is not connected to the internet. Duo 2FA can also work without an internet connection, but because the system cannot reach the Duo cloud service in that state, you must first enable offline access by following these additional steps:

In the Duo admin console, click Applications, and click the Microsoft RDP link.

Duo admin console Modify the Microsoft RDP app

Scroll down to the bottom and enable the checkbox that says Offline login and enrollment is enabled, and configure the remaining settings, as shown in the screenshot.

Duo admin console - Enable offline access

Notice that you must choose an option for the Prevent offline login after setting, which ensures that offline access expires after either a certain number of offline logins or a certain number of days offline. When this limit is reached, you must connect your Duo-protected system to the internet to reset the offline limit. Also, note that Duo push notifications won't work in offline access mode. You need to type a passcode or use a security key (such as a YubiKey) for offline two-factor authentication.

Once you enable the offline access settings, the user will see an option to set up offline access at the next login.

The user needs to select the offline authentication method and click Activate Now, as shown in the screenshot:

Duo authentication for Windows logon Log on to Windows even when you're offline

I will select Duo Mobile Passcode for this demo and click Activate Now. A QR code will now be displayed.

The user can now open the Duo Mobile app on their smartphone, tap Add, scan the QR code, and then tap Enter Offline Code.

Duo authentication for Windows logon Scan QR code with Duo mobile to begin activation

The account will now be added to the Duo Mobile app.

Duo Mobile - Add offline account

Finally, the user enters the passcode generated in offline mode and clicks Activate Offline Login.

Duo authentication for Windows logon Activate offline login

Offline login is now enabled for your user account.

To test the offline access, you can disable your internet connection on your Windows computer and try to log in using Remote Desktop again. The following screenshot shows that you can still sign in by typing a six-digit passcode generated using the Duo Mobile app.

Duo Security Your computer is not connected to the internet. Enter your six digit offline passcode.

You can also see a message showing how many days of offline access remain.

Conclusion

I want to stress that exposing RDP to the internet is a really bad idea. If you have to keep it enabled, I highly recommend using a VPN and allowing the RDP service for private network connections only. Two-factor authentication, as discussed in this post, adds an additional layer of security if you really do need to connect via RDP across the public internet.
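As an added example of the "private network connections only" recommendation (this is not code from the original post), the PowerShell below scopes the built-in Remote Desktop firewall rules to the Domain and Private profiles and to a single management or VPN subnet, then prints the resulting scope so you can verify it. The subnet is a placeholder; the display group name 'Remote Desktop' is the English one and differs on localized Windows installations.

```powershell
# Added example (not from the original post): restrict inbound RDP to a VPN or
# management subnet on the Domain and Private firewall profiles only.
$ManagementSubnet = '10.8.0.0/24'   # placeholder: your VPN client pool or admin network

# The built-in 'Remote Desktop' display group holds the inbound TCP/UDP rules for RDP.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rdpRules) {
    throw "No inbound rules found in display group 'Remote Desktop' (localized name?)"
}

# Enable the rules, drop the Public profile, and limit the remote address scope.
$rdpRules | Set-NetFirewallRule -Enabled True -Profile 'Domain,Private' -RemoteAddress $ManagementSubnet

# Verify: every rule should now be enabled, list only Domain/Private, and carry the subnet.
foreach ($rule in Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        RemoteAddress = ($addr -join ',')
    }
}
```

If you changed the RDP listening port as described in the earlier post, note that the built-in rules still reference port 3389; the custom rule you created for the new port needs the same profile and remote-address scoping.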

© 4sysops 2006 - 2022