RDP Gateway MFA

rdp gateway mfa

Multi-factor authentication (MFA) for Remote Desktop Gateway and RDP connections should be very high on your security to-do list. Some or even your entire workforce might now be dispersed but their access to company networks still needs to be protected. Here we look at why a second factor of authentication is recommended to protect remote access and how UserLock is best positioned to help.

RDP Connections

The Microsoft Remote Desktop Protocol (also known as RDP) is used to allow remote desktop to a computer. Very easy to use and widely implemented, remote desktop even comes built-in to most versions of Microsoft Windows.

However, weak passwords, flawed encryption mechanisms in older versions, and a lack of access controls are cited as vulnerabilities that make RDP such a frequent entry point of malware and ransomware.

Enhance RDP Security through RD Gateway and VPN

Remote Desktop Gateway (RDG or RD Gateway) is a Windows Server role that provides a secure encrypted connection to the server via RDP. It enhances control by removing all remote user access to your system and replaces it with a point-to-point remote desktop connection.

Once configured correctly it allows remote users to connect to internal network resources from more ‘untrusted networks’ outside of your company, and ‘in theory’ without the need for a virtual private network (VPN).

However, when you use a VPN connection, you are adding another extra layer of security to your RDP connections.A VPN works by establishing encrypted connections between devices that remain private even if they stretch across public internet infrastructure. If a criminal has infiltrated an intermediate internet exchange point (IXP) and is monitoring all data passing through, all the criminals can now see is the encrypted version of the data.

Whilst enhancing security, there are drawbacks of using VPN without any additional access controls. If an attacker steals a user’s login credentials, then they are able to breach the VPN — they can then gain access to all connected data. Also, VPNs open up access to a large group of users all at once. However, in practice, IT teams often need to tailor permissions to an individual user. VPNs are not a way of offering granular access control.

UserLock MFA for RD Gateway, RDP and VPN Connections

So while RPD and VPN offer powerful and convenient business tools to facilitate remote working – they do need further securing.

Enabling multi-factor authentication (MFA), also referred to as two-factor authentication (2FA) on these remote connections should be very high on your security priority list. First, access should be restricted by ensuring Remote Desktop is used behind a secure VPN. Then MFA that is compatible with RDP should be implemented to augment traditional password authentication.

UserLock MFA makes this easy. It teams up seamlessly with your on-premises Active Directory, to allow you to deploy MFA on Windows logins, RDP and VPN connections. Administrators can define under what circumstances MFA is asked for. For example, all RDP connections that pass through a gateway can be prompted for MFA. Alternatively, you can consider only RDP connections that originate from outside the network are to be challenged with MFA. Frequency, circumstances and different connection types can all be considered to set granular MFA policies for different users, user groups or OU.

Once the administrator activates MFA, enrollment is simple and intuitive for users to do on their own. A second factor can be supported by either mobile authenticator applications or hardware tokens such as YubiKey and Token2.


If your business relies on remote access, make sure the proper cybersecurity controls are in place to protect remote working. Download a 30-day fully functional free trial of UserLock now.

Share this post :


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.