How to Configure Multi-Factor Authentication (MFA) for Remote Desktop Server


The ability to secure your Windows Remote Desktop Server (RDS) with Multi-Factor Authentication (MFA), also sometimes referred to as Two Factor Authentication (2FA), should be very high on your security checklist.

An RDS secured with nothing other than a username and password is left open to attack. Sure, you can use third-party products such as RDPGuard to protect your server, or even use a port other than 3389, but this is just a reactive approach.

To secure your RDS using MFA, all you need is:

  • An existing Office365/Microsoft365 tenant (i.e. account)
  • A Remote Desktop (RD) Gateway role configured on your RDS
  • An Active Directory Server synced with Azure Active Directory (AAD)

Configuring MFA

  1. Install the Network Policy Service (NPS) on your AD server
  2. Download and install the NPS Extension on your AD server
    https://aka.ms/npsmfa
  3. Open PowerShell as Administrator on the AD server
  4. Go to c:\Program Files\Microsoft\AzureMfa\Config
  5. Execute .\AzureMfaNpsExtnConfigSetup.ps1
  6. When prompted for Sign-In, use your tenant account
  7. You will be asked to provide a Directory ID. To get this, sign in to https://portal.azure.com and go to Azure Active Directory > Properties
  8. Paste the Directory ID into PowerShell, and then let the script continue to run
  9. On your RDS server open up Remote Desktop Gateway Manager
  10. Right-click the Server name > Properties > RD CAP Store
  11. Choose ‘Central server running NPS’
  12. Type in your AD server name or IP address > Add
  13. Enter a Shared Secret and note it down, as it will be used later
  14. On your RDS server open up Network Policy Server
  15. Expand RADIUS Clients and Servers > Remote RADIUS Server > TS GATEWAY SERVER GROUP
  16. Select the RADIUS Server > Edit > Load Balancing
  17. Change the Seconds to 60 for both
  18. Reboot your RDS
  19. Head over to your AD Server > Network Policy Server
  20. Right-Click NPS (local) > Register server in Active Directory
  21. Expand RADIUS Clients and Servers > Right-Click RADIUS Clients > New
  22. Give it a name such as RDS and then enter the secret you created in step 13
  23. Expand Policies > Network Policies
  24. Right-Click Connections to other access servers > Duplicate Policy
  25. Give it a name such as RDG_CAP
  26. Double click RDG_CAP > Overview > Grant access
  27. Conditions > Add > User Groups > Add the AD group you want to allow
  28. Constraints > Authentication Methods > Tick Allow clients to connect without negotiating.
  29. Move the Policy RDG_CAP to the top (position 1)
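
To confirm the AD/NPS side of the steps above took effect, the following read-only check can be run in an elevated PowerShell session on the AD server. It is an added example, not part of the original guide or of Microsoft's NPS Extension; the names 'RDS' and 'RDG_CAP' are the example names from steps 22 and 25, and the last command assumes NPS audit events are being written to the Security log.

```powershell
# Added example: read-only checks for the AD/NPS server. Run elevated.
# 'RDS' and 'RDG_CAP' are the example names from steps 22 and 25; change them if you used others.
$clientName = 'RDS'
$policyName = 'RDG_CAP'
$extScript  = 'C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1'

$results = [ordered]@{}

# Step 1: the NPS role (Windows feature name NPAS) is installed.
$results['NPS role installed'] = (Get-WindowsFeature -Name NPAS).Installed

# Step 2: the NPS Extension files are present in the path from step 4.
$results['NPS Extension present'] = Test-Path -LiteralPath $extScript

# Steps 21-22: the RD Gateway is registered as an enabled RADIUS client.
$client = Get-NpsRadiusClient | Where-Object Name -eq $clientName
$results['RADIUS client enabled'] = [bool]($client -and $client.Enabled)

# Steps 23-29: the duplicated policy exists. 'netsh nps show np' lists every
# network policy with its processing order, so review the full output to
# confirm RDG_CAP is first.
$npDump = (netsh nps show np) -join "`n"
$results['Network policy exists'] = $npDump -match [regex]::Escape($policyName)

$results.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f $_.Key, $_.Value }
if ($client) { "RADIUS client address: $($client.Address)" }

# After a test sign-in through the RD Gateway: recent NPS decisions.
# Event 6272 = access granted, 6273 = access denied.
$filter = @{ LogName = 'Security'; Id = 6272, 6273; StartTime = (Get-Date).AddMinutes(-15) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'MentionsPolicy'; Expression = { $_.Message -match [regex]::Escape($policyName) } }
```

A 6273 event, or a 6272 event that does not mention RDG_CAP, means the request was handled by a different policy than the one created in steps 24 to 29.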

All done. If you need a hand feel free to reach out.
