Remote Desktop Services Mfa

The ability to secure your Windows Remote Desktop Server (RDS) with Multi-Factor Authentication (MFA), also sometimes referred to as Two Factor Authentication (2FA), should be very high on your security checklist.


An RDS deployment secured with nothing other than a username and password is open to attack. Sure, you can use third-party products such as RDPGuard to protect your server, or even use a port other than 3389, but that is only a reactive approach.


On the Remote Desktop Gateway I am removing the ADC Server as central policy server and adding the MFA server (proxy RADIUS). After changing the setting, open the NPS Console on the RDG server. We need to change the timeout settings for the request to the RADIUS server, as we need time to authenticate to Azure MFA, answer the call or click the.

Duo Authentication for Microsoft Remote Desktop Services (last updated January 14th, 2020): Duo integrates with Remote Desktop Web Access (formerly Terminal Services Web Access or TS Web Access) or Remote Desktop Gateway (formerly Terminal Services Gateway or TS Gateway) to add two-factor authentication to RD Web and RD Gateway logons.


To secure your RDS using MFA, all you need is:

  • An existing Office365/Microsoft365 tenant (i.e. account)
  • A Remote Desktop (RD) Gateway role configured on your RDS
  • An Active Directory Server synced with Azure Active Directory (AAD)

Configuring MFA

  1. Install the Network Policy Server (NPS) role on your AD server
  2. Download and install the NPS Extension for Azure MFA on your AD server:
    https://aka.ms/npsmfa
  3. Open PowerShell as Administrator on the AD server
  4. Go to C:\Program Files\Microsoft\AzureMfa\Config
  5. Execute .\AzureMfaNpsExtnConfigSetup.ps1
  6. When prompted to sign in, use your tenant account
  7. You will be asked to provide a Directory ID; to get this, sign in to https://portal.azure.com and go to Azure Active Directory > Properties
  8. Paste the Directory ID into PowerShell, and then let the script continue to run
  9. On your RDS server open up Remote Desktop Gateway Manager
  10. Right-click the Server name > Properties > RD CAP Store
  11. Choose ‘Central server running NPS’
  12. Type in your AD server name or IP address > Add
  13. Enter in a Shared Secret, note this as it will be used later
  14. On your RDS server open up Network Policy Server
  15. Expand RADIUS Clients and Servers > Remote RADIUS Server > TS GATEWAY SERVER GROUP
  16. Select the RADIUS Server > Edit > Load Balancing
  17. Change the Seconds to 60 for both
  18. Reboot your RDS
  19. Head over to your AD Server > Network Policy Server
  20. Right-Click NPS (local) > Register server in Active Directory
  21. Expand RADIUS Clients and Servers > Right-Click RADIUS Clients > New
  22. Give it a name such as RDS and then enter the secret you created in step 13
  23. Expand Policies > Network Policies
  24. Right-Click Connections to other access servers > Duplicate
  25. Give it a name such as RDG_CAP
  26. Double click RDG_CAP > Overview > Grant access
  27. Conditions > Add > User Groups > Add an AD group that you want to allow
  28. Constraints > Authentication Methods > Tick Allow clients to connect without negotiating.
  29. Move the Policy RDG_CAP to the top position 1

All done. If you need a hand feel free to reach out.
