How to enable multi-factor authentication for RDP

How to enable multi-factor authentication for RDP

Generally, remote employees use Microsoft Remote Desktop Protocol (RDP) to connect to their work devices from an external network, using only a password to authenticate their devices. This makes RDP-based access highly vulnerable to password-based attacks like brute-force attacks.

Implementing multi-factor authentication (MFA) helps thwart unauthorized remote access attempts to employee devices. ADSelfService Plus' MFA feature can secure local and remote access to Windows, macOS, and Linux machines and help secure logins via RDP.

How to enable MFA for RDP using ADSelfService Plus

Prerequisites:

  1. ADSelfService with Endpoint MFA is required to configure this feature. Visit the store to purchase Endpoint MFA.
  2. SSL must be enabled in ADSelfService Plus.
  3. The Windows logon agent that comes bundled with ADSelfService Plus must be installed on the machines that are going to be secured via RDP MFA.
  4. Access URL must be set to HTTPS: Navigate to Admin > Product Settings > Connection > Connection Settings > Configure Access URL and set the Protocol option to HTTPS.

Steps involved:

  1. Log in to the ADSelfService Plus admin portal.
  2. Navigate to Configuration > Multi-factor Authentication > Authenticators Setup.
  3. Click the Choose the Policy drop-down, and select the policy for which you wish to enable MFA. This policy will determine which users will have MFA for RDP logins enabled.
    Note: ADSelfService Plus allows you to create OU- and group-based policies. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy. Click Select OUs/Groups, and make the selection based on your requirements. You need to select at least one self-service feature. Finally, click Save Policy.
  4. Configure any of the authenticators present according to organizational preference. ADSelfService Plus supports 19 authentication methods.

    authenticators-setup

  5. Navigate to Configuration > Multi-factor Authentication > MFA for Endpoints.
  6. In the MFA for Machine Login section, check the box next to Enable _ factor authentication for machine login, and choose the number of authentication factors you'd like to implement.
  7. Choose the authentication methods you would like to implement.
  8. Click Save Settings.

    enable-mfa-for-machine-login

Benefits of using MFA for RDP logins using ADSelfService Plus

  • Customized configuration: Enforce MFA for RDP and use different sets of authentication techniques for different users based on domain, OU, and group memberships.
  • Ensure user adoption: Automate user enrollment for MFA for RDP by importing domain information of users through CSV files or force enrollment using login scripts.
  • Get detailed reports: Gain comprehensive insights on user activities such as identity verification failures and login attempts, and find users with weak passwords.
  • Simplify authentication: Use authentication techniques like fingerprint authentication, push notification authentication, YubiKey, and QR-code-based authentication to help users complete the RDP MFA process with minimal effort.



                    New to ADSelfService Plus?

                      • Related Articles

                      • How to enable offline MFA in ADSelfService Plus

                        ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is ...
                      • How to enable Zoho OneAuth TOTP for MFA?

                        In enterprise networks, user identity verification is no longer carried out simply through usernames and passwords. This is because without additional authentication layers, i.e., multi-factor authentication, enterprise networks and resources become ...
                      • How to enable Partial Enrollment for Active Directory users in ADSelfService Plus

                        Active Directory domain users need to complete enrollment with ADSelfService Plus before they can use the below listed features: Self-service password reset Self-service account unlock Endpoint multi-factor authentication ADSelfService Plus' logon ...
                      • Streamline the MFA process using backup verification codes

                        What are backup verification codes? ManageEngine ADSelfService Plus, an identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, offers MFA for logins into multiple enterprise ...
                      • How to remove CAPTCHA from the ADSelfService Plus portal?

                        ADSelfService Plus supports CAPTCHA for securing access to the product portal from automated bots. To disable CAPTCHA from the ADSelfService Plus in the login page: Login to the ADSelfService Plus portal with admin credentials. Navigate to Admin > ...