RDP & RD Gateway MFA

A Remote Desktop Gateway (RD Gateway) lets remote users reach internal network resources over the internet. Securing that access means pairing it with a VPN and granular multi-factor authentication (MFA).

Published January 31, 2021
Multi-factor authentication (MFA) for Remote Desktop Gateway and RDP connections should be near the top of your security to-do list. Whether your organization is fully remote or hybrid, remote user access to the company network still needs protection. Here we look at why a second authentication factor is a best practice for protecting remote access, and how UserLock can help.

RDP connections

The Microsoft Remote Desktop Protocol (RDP) gives a user an interactive desktop session on a remote computer. It is easy to use and widely deployed, and the Remote Desktop client and server come built into most editions of Windows.

But weak or reused passwords, flawed encryption in older versions of the protocol, hosts left reachable directly from the internet, and a lack of access controls together make RDP a frequent entry point for malware and ransomware.

Enhance RDP security through RD Gateway and VPN

Remote Desktop Gateway (RDG or RD Gateway) is a Windows Server role that tunnels RDP sessions inside an encrypted HTTPS (TLS) connection to the gateway. Instead of exposing each RDP host to remote users, the gateway becomes the single externally reachable endpoint: it authenticates and authorizes the user, then brokers a point-to-point remote desktop connection to the internal host that user is permitted to reach.

Configured correctly, it lets remote users reach internal network resources from untrusted networks outside the company, in theory without needing a virtual private network (VPN).
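As an added example (not from the IS Decisions post), here is how the access model above is enforced on the Windows side with PowerShell. Part 1 runs on each internal RDP host: it requires Network Level Authentication over TLS and scopes the built-in Remote Desktop firewall rules so TCP/UDP 3389 is reachable only from the gateway. Part 2 runs on the RD Gateway server: it installs the role and defines a connection authorization policy (CAP, who may connect) and a resource authorization policy (RAP, which hosts they may reach). The gateway address 10.0.0.5 and the group names are placeholders; the numeric codes for -AuthMethod and -ComputerGroupType follow the RDS: provider documentation as I know it and should be confirmed with Get-Help on your version.

```powershell
# Added example, not from the IS Decisions post. Part 1 runs elevated on each
# internal RDP host; Part 2 runs on the RD Gateway server. The gateway address
# and group names are placeholders (assumptions, not from the original page).
#Requires -RunAsAdministrator

$GatewayAddress = '10.0.0.5'   # assumed internal IP of the RD Gateway

# --- Part 1: RDP host -------------------------------------------------------
# Require Network Level Authentication (NLA) and the TLS security layer on the
# default RDP-Tcp listener. This switches off the legacy RDP security layer
# (the weak encryption of older versions) and removes the pre-authentication
# attack surface of a bare RDP login screen.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $listener -Name UserAuthentication -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $listener -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS (0 = RDP, 1 = negotiate)
Set-ItemProperty -Path $listener -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High (128-bit)

# Restrict the built-in "Remote Desktop" firewall rule group (TCP and UDP 3389)
# to the gateway's address. Every other source, including the internet if the
# host is ever exposed by mistake, is dropped before RDP even answers.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $GatewayAddress

# Verify the listener settings and the rules' remote-address scope.
Get-ItemProperty -Path $listener | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# --- Part 2: RD Gateway server --------------------------------------------
# Install the role, then define who may connect (CAP) and which hosts they may
# reach (RAP). Codes used below: -AuthMethod 1 = password authentication,
# -ComputerGroupType 1 = Active Directory computer group (both assumed from the
# RDS: provider documentation; check Get-Help before relying on them).
Install-WindowsFeature -Name RDS-Gateway -IncludeManagementTools
Import-Module RemoteDesktopServices
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'CAP-RemoteStaff' `
    -UserGroups 'Remote-Staff@corp.example' -AuthMethod 1
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'RAP-RemoteStaff' `
    -UserGroups 'Remote-Staff@corp.example' `
    -ComputerGroupType 1 -ComputerGroup 'RDP-Hosts@corp.example'
```

The listener changes apply to new sessions once the Remote Desktop Services service is restarted (Restart-Service TermService). Scoping the firewall rules to the gateway also forces internal administrators through the gateway; if that is not wanted, add their jump host or management subnet to -RemoteAddress rather than reopening 3389 to everyone.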

Using a VPN in front of RDP still adds a layer of security. A VPN establishes an encrypted tunnel between devices that stays private even when it crosses public internet infrastructure: an attacker who has compromised an intermediate internet exchange point (IXP) and is capturing everything passing through sees only the encrypted form of the traffic.

A VPN on its own, without additional access controls, has drawbacks. If an attacker steals a user's login credentials, they can authenticate to the VPN and then reach everything the VPN exposes. VPNs also tend to grant a large group of users broad network access at once, whereas in practice IT teams need to tailor access to the individual user. A VPN is not a tool for granular access control.

UserLock MFA for RD Gateway, RDP and VPN connections

So, while RDP and VPNs are powerful and convenient tools for remote working, they need extra security.

Enabling multi-factor authentication (MFA), also referred to as two-factor authentication (2FA), on these remote connections should be very high on your security priority list. First, restrict access by keeping Remote Desktop behind a VPN or the RD Gateway rather than exposing it directly. Then add an MFA solution compatible with RDP to augment traditional password authentication.

UserLock MFA makes this easy. It integrates with your on-premises Active Directory to let you deploy MFA on Windows logons, RDP and VPN connections. Administrators define the circumstances under which MFA is requested. For example, every RDP connection that passes through a gateway can be prompted for MFA, or only RDP connections that originate from outside the network can be challenged. Frequency, circumstances and connection type can all be combined into granular MFA policies for different users, groups or OUs.
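The policy conditions above turn on where an RDP connection originates. As an added example, not part of the post and not UserLock code, this PowerShell script pulls interactive RDP logons from a host's Security log (event 4624 with logon type 10, RemoteInteractive) and labels each source address as the RD Gateway, another internal address, local, or external. That is the raw data behind a source-based MFA rule, and it also surfaces RDP sessions that bypassed the gateway. The gateway address 10.0.0.5 and the RFC 1918 ranges treated as "internal" are assumptions.

```powershell
# Added example, not from the IS Decisions post: classify RDP logons on this
# host by their source address. Assumptions (not in the original): the RD
# Gateway's internal address is 10.0.0.5 and RFC 1918 space is "internal".
$GatewayAddress  = '10.0.0.5'
$InternalSubnets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function Test-IPv4InSubnet {
    # True when $Address lies inside $Cidr. IPv4 only; IPv6 or unparsable
    # values (4624 logs '-' for some logons) return $false.
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $ipBytes  = $ip.GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)          # network -> host byte order
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Get-RdpSourceClass {
    # Map a 4624 IpAddress value to the category an MFA policy would act on.
    param([string]$Address)
    if ($Address -eq $GatewayAddress) { return 'via RD Gateway' }
    foreach ($subnet in $InternalSubnets) {
        if (Test-IPv4InSubnet -Address $Address -Cidr $subnet) { return 'internal, bypassing gateway' }
    }
    if ($Address -in @('-', '::1', '127.0.0.1')) { return 'local' }
    return 'EXTERNAL (challenge with MFA or block)'
}

function Get-RdpLogonReport {
    # Walk recent 4624 events, keep LogonType 10 (RemoteInteractive = RDP) and
    # emit one object per logon with its source classification.
    param([int]$MaxEvents = 1000)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($event in $events) {
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        if ($data['LogonType'] -ne '10') { continue }
        [pscustomobject]@{
            Time   = $event.TimeCreated
            User   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source = $data['IpAddress']
            Class  = Get-RdpSourceClass -Address $data['IpAddress']
        }
    }
}

# Usage: full listing, then a count per class so bypasses and external
# sources stand out.
$report = Get-RdpLogonReport
$report | Format-Table -AutoSize
$report | Group-Object Class | Select-Object Count, Name
```

Reading the Security log requires an elevated session. Any row in the "internal, bypassing gateway" class means an RDP host is still accepting connections from somewhere other than the gateway, which is exactly the path the firewall scoping in the previous section is meant to close.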

Once the administrator activates MFA, enrollment is simple enough for users to complete on their own. The second factor can be a mobile authenticator application or a hardware token such as YubiKey or Token2.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.
