How to enable multi-factor authentication for RDP

Generally, remote employees use Microsoft Remote Desktop Protocol (RDP) to connect to their work devices from an external network, using only a password to authenticate their devices. This makes RDP-based access highly vulnerable to password-based attacks like brute-force attacks.

Implementing multi-factor authentication (MFA) helps thwart unauthorized remote access attempts to employee devices. ADSelfService Plus' MFA feature can secure local and remote access to Windows, macOS, and Linux machines and help secure logins via RDP.

How to enable MFA for RDP using ADSelfService Plus

Prerequisites:

1. Your ADSelfService Plus license must include the Endpoint MFA add-on. Visit the store to purchase the add-on.
2. SSL must be enabled in ADSelfService Plus.
3. The Windows logon agent that comes bundled with ADSelfService Plus must be installed on the machines that are going to be secured via RDP MFA.
4. Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.

Steps involved:

1. Log in to the ADSelfService Plus admin portal.
2. Navigate to Configuration > Multi-factor Authentication > Authenticators Setup.
3. Click the Choose the Policy drop-down, and select the policy for which you wish to enable MFA. This policy will determine which users will have MFA for RDP logins enabled.
   Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
4. Configure any of the authenticators present according to organizational preference. ADSelfService Plus supports 19 authentication methods.

   

5. Navigate to Configuration > Multi-factor Authentication > MFA for Endpoints.
6. In the MFA for Machine Login section, check the box next to Enable _ factor authentication for machine login, and choose the number of authentication factors you'd like to implement.
7. Choose the authentication methods you would like to implement.
8. Click Save Settings.

   

Benefits of using MFA for RDP logins using ADSelfService Plus

• Customized configuration: Enforce MFA for RDP and use different sets of authentication techniques for different users based on domain, OU, and group memberships.
• Ensure user adoption: Automate user enrollment for MFA for RDP by importing domain information of users through CSV files or force enrollment using login scripts.
• Get detailed reports: Gain comprehensive insights on user activities such as identity verification failures and login attempts, and find users with weak passwords.
• Simplify authentication: Use authentication techniques like fingerprint authentication, push notification authentication, YubiKey, and QR-code-based authentication to help users complete the RDP MFA process with minimal effort.