Remote desktop servers that are sitting out in DMZ’s or just forward facing RDP enabled servers are security risks at best since they are configured to answer to remote desktop sessions by design or purpose. No matter how strong your passwords are that are being used or other security mechanisms in place, in reality the only protection you have against someone logging into a terminal/RDP server is your username and password.
Duo Security is one of the few companies in my opinion that has actually made two factor authentication a viable means to secure some of the core network resources that are in place in most enterprises. Such services as we have mentioned like Remote Desktop Protocol as well as Outlook Web Access can be secured using the Duo service software integration into your Windows server.
The reason this is a game changer, is that you no longer have to fumble and pull out your phone and launch your preferred two factor authentication app such as Google Authenticator. The login requests are pushed to your phone and via the Duo App, these login attempts are displayed in your phones notifications so you can quickly and easily accept or deny a login request. The login request displays who is trying to login as well as which IP they are logging in from. This helps to verify the authenticity of any login attempt being made on your RPD server or OWA client again without a lot of painful fumbling through apps and getting OTP codes and plugging them in. The design is really ingenious in the solution and simplicity of its implementation.
I am not going to reinvent or rewrite the wheel here, as Duo has a really great step by step online document on how to implement the RDP app found here: https://www.duosecurity.com/docs/rdp
Just a quick run through however of the process is the following:
- Create a Duo account which is free
- After creating your free Duo account, you can spin up “integrations” which includes the RDP integration. Once you get the integration provisioned, you get an integration key, secret key, and API hostname. These pieces of information come into play when you actually run the setup on your RDP server.
- The last phase is simply running the Duo RDP installer on your server
Duo touts the steps as taking no longer than 3 minutes from start to finish if done correctly.
I have been using the Duo Security App and the RDP integration now for several months and I can say that it has been rock solid the entire time. I am using the free flavor of the service for home currently, however, I am sure to leverage the corporate service at some point in the future for clients or others interested in a great way to integrate two factor authentication into their security model.
There are limitations to the free version of course that limit some of the customizations you can do with the paid versions. One of these is that you can setup bypass network blocks that can bypass the two factor requirement on RDP or other integration by looking at the network you are coming from. This is a nice feature that might be utilized such as when a user logs into the RDP session from the LAN and not the WAN. You can bypass the need for the Duo two factor authentication if they login from the local LAN. However, the core functionality and security of what you get with the free version is the same as the paid versions. If you want a viable two factor authentication mechanism for your remote desktop enabled forward facing servers, Duo Security has done this right. Take a look at the pricing structure below.