Remote Desktop Gateway: MFA and access controls for RD Gateway and RD Web

Remote Desktop Protocol (RDP) is a technology millions of organizations depend on, and criminals have come to love. For organizations, RDP is a hugely convenient way for admins and employees to connect remotely into or out of a Windows network. Unfortunately, RDP also has glaring security weaknesses criminals know they can exploit with little effort. The good news is, organizations can deploy RDP more securely thanks to multi-factor authentication (MFA) for Remote Desktop Gateway (RDG or RD Gateway).

Organizations can mitigate RDP security issues using Microsoft’s Remote Desktop Services (RDS). A suite of tools or Windows “roles,” RDS makes RDP more secure to use and easier to manage. A central part of RDS, Remote Desktop Gateway (RDG or RD Gateway), gives organizations a way to deploy RDP more securely through a gateway proxy.

The biggest RDP vulnerability is that RDP connections depend on passwords, which are easy to brute-force or phish.

Organizations also have a habit of leaving RDP’s default port 3389 exposed to the Internet, inadvertently opening a door through any firewall.

Many real-world incidents in recent years spell out the consequences, with RDP security failures now widely cited as a cause of ransomware, data breaches, and nation-state compromise.

Alongside VPNs, admins depend on RDP for long-distance technical support and to administer remote servers and would struggle without it.

More recently, RDP use has surged with the advent of remote working because it allows employees to access Windows applications and files from home.

After all, your remote employees need access to files they don't have on their laptops. So accessing these remotely via an RDP connection has become routine.

Now multiply this scenario over dozens of hundreds of employees. Despite its security shortcomings, few organizations can do without RDP.

By routing RDP through a gateway proxy (RD Gateway), organizations can deploy RDP more securely. The idea is simple: route all RDP traffic into and out of the network through a single server, where it is easier to secure and monitor.

This boosts security in important ways:

• RD Gateway encapsulates or “hides” RDP data inside an encrypted TLS connection on port 443 (also used by HTTPS web traffic) as it travels between one computer and another. This is backed by SSL certificates.

• Using a gateway removes the problem of multiple weak connections, channeling everything through a single point that acts as a shield for an organization’s RDP users and servers.

• RD Gateway supports multi-factor authentication (MFA), an essential security layer that dramatically increases the security of any service hackers might target.

• Using RD Gateway, admins can more easily monitor and audit RDP connectivity for suspicious traffic.

What software do users need to enable RDP remote access? The traditional way is to run a dedicated remote access client application, but this forces users to download additional software.

That’s why many organizations increasingly use a second optional feature of RDS, RD Web. RD Web enables RDP access via a secure RD Gateway using a web browser.

An RD Web connection is accessed through a simple URL, for example:

https://hostname.domain/rdweb

The advantage is that by using RD Web, any computer running a supported web browser can access RDP via RD Gateway securely without the need for a client specific to that operating system.

However, because users can access RD Web through a public URL, it’s important to secure this risky form of remote access using MFA and access controls for RD Web.

The point of RD Gateway is to centralize and secure RDP connections.

A big part of securing RDP is applying MFA to every RDP connection. This helps to:

• Mitigate RDP's weaknesses that trace back to how easy it is for threat actors to phish or brute force RDP (Windows) credentials.

• Meet cyber insurance MFA mandates on risky connections such as RDP.

• Support compliance-driven MFA requirements across frameworks, including CMMC, HIPAA, PCI DSS, and NIS2, that increasingly mandate MFA for remote access.

Offline MFA is important here. Most on-prem Active Directory MFA solutions are cloud-based, which means MFA can become a point of failure if the user loses internet connectivity while trying to authenticate.

You also must be comfortable using a third party as your organization's authentication provider (which expands your attack surface).

UserLock offers granular, on-prem MFA and access security for all RD Gateway connections, including RD Web, without adding cost or complexity.

UserLock is built for what your infrastructure actually looks like today, on-prem or moving towards Entra ID, and secures identity at every stage of that journey. Unlike cloud-first MFA tools, UserLock starts from your Active Directory and works outward.

Importantly, this approach gives IT full control over the authentication infrastructure and MFA security.

This stays true when you implement MFA for RD Gateway. UserLock integrates directly with your existing Active Directory. There's no new directory infrastructure, no migration, no additional identity provider. If you're running AD, you already have everything you need.

Users start an RD Gateway session either by double-clicking on an RDP file created by the admin, which contains the necessary settings, by starting the MSTSC Remote Desktop Connection program, or, in the case of RD Web, by clicking on a URL.

The user is then asked to authenticate with their username and password. Once this has been authenticated, the target RDP server inside the network running the UserLock desktop agent (i.e. not the RD Gateway) initiates the user MFA request.

This can happen via mobile authenticator applications, push authentication, or hardware 2FA tokens such as YubiKey and Token2.

Identifying the user’s IP address as an external or internal connection for MFA policies depends on RD Gateway running the Network Policy Server (NPS) agent. For more details, read How to Apply MFA for RD Gateway sessions.

This makes the implementation phase of setting up RD Gateway MFA incredibly simple. Since UserLock integrates seamlessly with AD, you can deploy MFA for RD Web and RD Gateway in a way that gives your admins granular control over how MFA is asked for according to AD user, group, or Organizational Unit (OU).

The power of UserLock is that it makes implementing MFA for RDP connections simple and user-friendly. For example, admins can specify whether every MFA connection passing through the RD Gateway should require an authentication prompt, or only those originating outside the network.

Concurrent sessions are a major security risk on any RDP service, including RD Gateway. Examples of how attackers exploit concurrent sessions include:

• Attackers attempt to brute force passwords will launch multiple sessions to attack credentials.

• Attackers directly hijack client sessions to gain unauthorized access to a server.

Using concurrent session security to minimize these attacks, alongside deploying MFA, reduces the risk of unauthorized access.

With UserLock, admins can centralize control over concurrent sessions in a way that reduces management overhead, limiting simultaneous sessions by user, user group, or organizational unit. By installing the desktop and NPS agent, you can apply more granular MFA policies based on whether the user is connecting from inside or outside the network, and also enforce geolocation restrictions.

UserLock allows admins to offer up to two of three supported MFA methods to end users: authenticator applications, push notifications, or hardware tokens such as YubiKey and Token2.

To avoid MFA fatigue, admins can set authentication to allow, deny, or limit RD Gateway connections according to AD user, user group, or operational unit (OU), as well as according to contextual factors such as location (internal or external), device, and time.

This avoids the common complaint that MFA gets in the way of work. By applying it granularly, admins can prevent MFA from becoming a barrier to productivity. And since it's easy for users, IT doesn't have to spend time on MFA help tickets or deal with frustrated users.

Importantly, UserLock integrates control of RD Gateway in the same console that admins already use to control other types of remote access, including VPNs, IIS, and RemoteApp.

RD Gateway is the best way for Windows admins to manage the remote access connectivity their users now demand. For networks using on-premise AD, UserLock is the simplest and quickest way to secure it.

To provide comprehensive, holistic security, UserLock allows admins to implement the same MFA and access controls across all connection times. So your RD Gateway MFA doesn't happen in isolation, and extends security on other connection types including RemoteApp, VPN, IIS, and SaaS.

A major advantage of UserLock is that it secures these connections from a single solution and console, centralizing control over disparate connection types.

The only prerequisite for UserLock to apply MFA to RD Gateway is that a UserLock desktop agent is installed on the target machines.