Remote Desktop Gateway: MFA and access controls for RD Gateway and RD Web

Remote Desktop Protocol (RDP) is a technology millions of organizations depend on, and criminals have come to love. For organizations, RDP is a hugely convenient way for admins and employees to connect remotely into or out of a Windows network. Unfortunately, RDP also has glaring security weaknesses criminals know they can exploit with little effort. The good news is, organizations can deploy RDP more securely thanks to Remote Desktop Gateway (RDG or RD Gateway).

The need for RD Gateway: Remote working and RDP vulnerabilities

The biggest RDP vulnerability is that RDP connections depend on passwords, which are easy to brute-force or phish.

Organizations also have a habit of leaving RDP’s default port 3389 exposed to the Internet, inadvertently opening a door through any firewall.

Many real-world incidents in recent years spell out the consequences, with RDP security failures now widely cited as a cause of ransomware, data breaches, and nation-state compromise.

Who uses RDP?

Alongside VPNs, admins depend on RDP for long-distance technical support and to administer remote servers and would struggle without it.

More recently, RDP use has surged with the advent of remote working because it allows employees to access Windows applications and files from home.

After all, your remote employees need access to files they don't have on their laptops. So accessing these remotely via an RDP connection has become routine.

Now multiply this scenario over dozens of hundreds of employees. Despite its security shortcomings, few organizations can do without RDP.

What is RD Gateway?

Organizations can mitigate RDP security issues using Microsoft’s Remote Desktop Services (RDS). A suite of tools or Windows “roles,” RDS makes RDP more secure to use and easier to manage. A central part of RDS, Remote Desktop Gateway (RDG or RD Gateway), gives organizations a way to deploy RDP more securely through a gateway proxy.

How to secure RDP with RD Gateway

By routing RDP through a gateway proxy (RD Gateway), organizations can deploy RDP more securely. The idea is simple: route all RDP traffic into and out of the network through a single server where it is easier to secure and monitor. This boosts security in important ways:

• RD Gateway encapsulates or “hides” RDP data inside an encrypted TLS connection on port 443 (also used by HTTPS web traffic) as it travels between one computer and another. This is backed by SSL certificates.

• Using a gateway removes the problem of multiple weak connections, channeling everything through a single point that acts as a shield for an organization’s RDP users and servers.

• RD Gateway supports multi-factor authentication (MFA), an essential security layer that dramatically increases the security of any service hackers might target.

• Using RD Gateway, admins can more easily monitor and audit RDP connectivity for suspicious traffic.

What is RD Web?

What software do users need to enable RDP remote access? The traditional method — running a dedicated remote access client application — forces users to download additional software. That’s why many organizations increasingly use a second optional feature of RDS, RD Web. RD Web enables RDP access via a secure RD Gateway using a web browser.

How to set up Remote Desktop Web access (RD Web)

An RD Web connection is accessed through a simple URL, for example:

https://hostname.domain/rdweb

The advantage is that by using RD Web, any computer running a supported web browser can access RDP via RD Gateway securely without the need for a client specific to that operating system.

However, because users can access RD Web through a public URL, it’s important to secure this risky form of remote access using MFA and access controls for RD Web.

MFA is essential for RD Gateway security

The whole point of RD Gateway is to make RDP connectivity more secure and centralized. A big part of securing RDP is applying MFA to every RDP connection to mitigate the RDP weaknesses stemming from how easy it is for threat actors to phish or brute force RDP (Windows) credentials.

At the same time, cyber insurance increasingly demands MFA protection for risky connections such as RDP.

Unfortunately, MFA implementation for RDP isn’t always easy for IT, or end users. MFA doesn’t lend itself to a one-size-fits-all approach.

For example, most Active Directory MFA solutions are based on cloud SaaS, which isn’t without drawbacks. For one, that cloud-based MFA can become a point of failure if the user loses internet connectivity while trying to authenticate. You also must be comfortable using a third party as your organization's authentication provider (and expanding your attack surface).

Securing RD Gateway access with UserLock

UserLock offers effective MFA and access security for all RD Gateway connections, including RD Web, without relying on a cloud-based SaaS provider.

Because UserLock is an on-premise MFA solution, you retain full control over your authentication infrastructure and MFA security when implementing RD Gateway. And everything you need to get started with UserLock — Microsoft Active Directory (AD) — is already in place.

Users start an RD Gateway session either by double clicking on an RDP file created by the admin which contains the necessary settings, by starting the MSTSC Remote Desktop Connection program, or in the case of RD Web by clicking on a URL.

The user is then asked to authenticate with their username and password. Once this has been authenticated, the target RDP server inside the network running the UserLock desktop agent (i.e. not the RD Gateway) initiates the user MFA request. This can happen via mobile authenticator applications, push authentication, or hardware 2fa tokens such as YubiKey and Token2.

Identifying the user’s IP address as an external or internal connection for MFA policies depends on RD Gateway running the Network Policy Server (NPS) agent. For more details, read How to Apply MFA for RD Gateway sessions.

Implement RD Gateway MFA

This makes the implementation phase of setting up RD Gateway MFA incredibly simple. Since UserLock integrates seamlessly with AD, you can deploy MFA for RD Web and RD Gateway in a way that gives your admins granular control over how MFA is asked for according to AD user, group, or Organizational Unit (OU).

The power of UserLock is that it makes implementing MFA for RDP connections simple and user-friendly. For example, admins can specify whether every MFA connection passing through the RD Gateway should require an authentication prompt, or only those originating outside the network.

Limit concurrent sessions on RD Gateway and RD Web

Concurrent sessions are a major security risk on any RDP service, including RD Gateway. Examples of how attackers exploit concurrent sessions include:

• Attackers attempt to brute force passwords will launch multiple sessions to attack credentials.

• Attackers directly hijack client sessions to gain unauthorized access to a server.

Using concurrent session security to minimize these attacks, alongside deploying MFA, reduces the risk of unauthorized access.

With UserLock, admins can centralize control over concurrent sessions in a way that reduces management overhead, limiting simultaneous sessions by user, user group, or organizational unit. By installing the desktop and NPS agent, you can apply more granular MFA policies based on whether the user is connecting from inside or outside the network, and also enforce geolocation restrictions.

Apply granular access controls for RD Gateway and RD Web

UserLock allows admins to offer up to two of three supported MFA methods to end users: authenticator applications, push notifications, or hardware tokens such as YubiKey and Token2.

To avoid MFA fatigue, admins can set authentication to allow, deny, or limit RD Gateway connections according to AD user, user group, or operational unit (OU), as well as according to contextual factors such as location (internal or external), device, and time.

This avoids the common complaint that MFA gets in the way of work. By applying it granularly, admins can prevent MFA from becoming a barrier to productivity. And since it's easy for users, IT doesn't have to spend time on MFA help tickets, or deal with frustrated users.

Importantly, UserLock integrates control of RD Gateway in the same console admins already use to control other types of remote access, including VPNs, IIS, and RemoteApp.

RD Gateway is the best way for Windows admins to manage the remote access connectivity their users now demand. For networks using on-premise AD, UserLock is the simplest and quickest way to secure it.

Secure RDP, VPN, IIS, and RemoteApp from a single console

To provide comprehensive, holistic security, UserLock allows admins to implement the same MFA and access controls across all connection times. So your RD Gateway MFA doesn't happen in isolation, and extends security on other connection types including RemoteApp, VPN, IIS, and SaaS.

A major advantage of UserLock is that it secures these connections from a single solution and console, centralizing control over disparate connection types.

The only prerequisite for UserLock to apply MFA to RD Gateway is that a UserLock desktop agent is installed on the target machines.