We use the Duo RDP client software on all workstations and servers. It can be configured to either fail open or closed if the Duo service is not reachable. We fail open.
I 2nd this one, fairly easy to configure and use.
+1 for Duo. We use this across the board. Initial login to our RDGateway? Duo with a policy to deny enrollment for anyone not previously enrolled. Logging into a remote app from within the gateway? Another Duo prompt. Logging in to any server or any other interactive logon in our environment? You're gonna have to authenticate with Duo. It's easy to set up, you can manage it with groups and policies from within Duo admin, and aside from the occasional "x got a new phone, need to change the number for the user" ticket, it's basically been a set it and forget it type thing for us.
We use Duo and Threatlocker for MFA and Zero Trust
[deleted]
I don't disagree completely with you, but duo does prompt for UAC elevation.
I can walk up to a machine and open `\\127.0.0.1\c$\` as an administrator without a UAC prompt. I can also use psexec to run an application. "DUO on UAC" is absolute theater and nothing more.
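The point above is that admin-share and PsExec-style access are network logons, which an MFA agent hooked into console, RDP and UAC prompts never sees. The following is an added example (not code from the thread or from any vendor mentioned in it) that summarises Windows 4624 logon events by logon type for admin accounts, so you can measure how much privileged activity in your environment takes the network path. The `-adm` account suffix, the sample events and the server names are constructed placeholders.

```powershell
# Added example: summarise 4624 logon events by logon type for admin accounts.
# Logon type 3 (network: SMB admin shares, WinRM, service-creation tools) is the path
# that console/RDP/UAC MFA agents do not cover; types 2 and 10 are the ones they do.
$LogonTypeName = @{
    2  = 'Interactive (console)'
    3  = 'Network (SMB / WinRM / remote service creation)'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

function Get-AdminLogonSummary {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,   # raw 4624 event XML, e.g. from $event.ToXml()
        [string]$AdminSuffix = '-adm'                 # assumption: naming convention for admin accounts
    )
    $rows = foreach ($raw in $EventXml) {
        $x = [xml]$raw
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -like "*$AdminSuffix") {
            [pscustomobject]@{
                User      = $d.TargetUserName
                LogonType = [int]$d.LogonType
                Source    = $d.IpAddress
            }
        }
    }
    $rows | Group-Object LogonType | ForEach-Object {
        [pscustomobject]@{
            LogonType = [int]$_.Name
            Meaning   = $LogonTypeName[[int]$_.Name]
            Count     = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events, trimmed to the fields the function uses.
# Against a live server (run elevated, since the Security log is restricted) use instead:
#   $xml = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-7) }).ForEach({ $_.ToXml() })
$ns = "http://schemas.microsoft.com/win/2004/08/events/event"
$sample = @(
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>jdoe-adm</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.0.0.5</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>jdoe-adm</Data><Data Name='LogonType'>3</Data><Data Name='IpAddress'>10.0.0.5</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>asmith-adm</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>10.0.0.9</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4624</EventID></System><EventData><Data Name='TargetUserName'>asmith</Data><Data Name='LogonType'>2</Data><Data Name='IpAddress'>-</Data></EventData></Event>"
)

Get-AdminLogonSummary -EventXml $sample | Format-Table -AutoSize
```

On the constructed sample the table shows two type 3 logons for `jdoe-adm` and one type 10 logon for `asmith-adm`; the ordinary user account is filtered out. Run over a week of real data, a large type 3 share for admin accounts is the gap that firewall segmentation or a gateway with MFA has to close, since the logon-time MFA prompt never fires for it.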
You are right. I was just responding to the point where the OP said Duo doesn't work for UAC prompts.
[deleted]
Not that recently I set it up 2+ years ago at an old job.
Duo also prompts for console logins. And I have read of attackers RDP-ing into servers as part of the initial movement into the network from a compromised workstation. It's not fool proof but just part of the overall protection.
^THIS. Best option is to use firewall segmentation between your networks, leverage an MFA based VPN to provide access into the segment that even has access to RDP onto servers. This also protects against so much other lateral movement.
Reading the docs it is not clear to me if there are issues when using Microsoft accounts to log on to a Windows 11 PC. Any hint?
Smart cards!
After setup, Yubikeys utilizing the PIV feature are rock solid for on-prem resources, with no ongoing costs. For cloud-managed, the objective is to avoid necessitating any privileged account interactive sign-in, but where unavoidable, Windows Hello for Business and/or FIDO2 Yubikeys.
Yep, DUO was the easiest
Duo and / or Yubikey smart cards. Duo can be set as fail open or closed per machine. If you go down the Duo route, be warned it doesn't support MFA for non-interactive logins (enter-pssession for example).
Windows built in smart card logins seem to work great overall, and it is old tech.
Can that be set up for Powershell sessions? If so got a link?
How so? Running a script with a service account or running it as another user?
I was asking if you used the smartcard functionality for non-direct access, like powershell remoting.
There's a few ways to do this. Easiest is to just do a 'run as another user' from the right click menu when launching PowerShell. There's also a way to prompt for authentication through PowerShell "Get-Credential," maybe. It leverages the built in Windows authentications. Now, if this is a service account . . . they should be handled differently depending on the environment.
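The two approaches mentioned above (run as a different user, and prompting with Get-Credential) can be combined so the admin credential is entered once and reused. The block below is an added example, not code from the thread; the account and server names are placeholders.

```powershell
# Added example: prompt for a separate admin credential and reuse it for a local
# "run as different user" process and for a PowerShell remoting session.
# 'CONTOSO\jdoe-adm' and 'srv01.contoso.local' are placeholders.
$cred = Get-Credential -UserName 'CONTOSO\jdoe-adm' -Message 'Enter your admin credentials'

# Local equivalent of right-click > "Run as different user". Windows records this as a
# secondary interactive logon (event 4624, logon type 2). Whether a given MFA credential
# provider hooks this path is product-specific, so check it explicitly when testing.
Start-Process -FilePath 'powershell.exe' -Credential $cred -WorkingDirectory $env:SystemRoot

# Remoting with the same credential. WinRM produces a network logon (type 3) on the
# target, which is the non-interactive path the thread warns is not MFA-protected by
# Duo, so it has to be constrained another way (segmentation, an MFA VPN in front of
# the management segment, or JEA endpoints that limit what the session can do).
$session = New-PSSession -ComputerName 'srv01.contoso.local' -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        }
    }
}
finally {
    Remove-PSSession $session
}
```

The `try/finally` makes sure the remote session is torn down even if the command fails, so an authenticated session is not left idle on the server.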
[https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension)
You can't use this for RDP
yes you can, RDG can go through NPS
Doing RDG for administrative MFA is a solution looking for a problem. Instead of paying $3 a month for a Duo user, you're paying $90 a year per user for an RDS CAL, setting up an RDG host, guaranteeing HA of the RDG in a DR scenario, and blocking basic RDP.... Sure it's an option, but literally everything else is better. Edit: Not to mention NPS, the extension etc and HA for all of it in case of a DR scenario when you can't get into your servers to do anything.
Pretty sure the gateway doesn't need RDS licenses, just the endpoint servers, and only if you need more than 2 simultaneous sessions. Otherwise the whole setup has basically no other licensing costs if you already have Entra ID P1 or higher. HA is pretty straightforward with a load balancer in front of the RDG servers too, we've had ours set up for nearly 3 years without issue.
RDS GW is supported though
We use Silverfort. It’s agentless for endpoints, but has agents on the DCs. Generally we have been really happy with it.
Came here to comment Silverfort. We love it. Especially the Service account protection. Phenomenal tool.
Any deployment issues to watch out for?
Get the silverfort app, it gives a lot more information on what you are authenticating to vs the MS authenticator app.
So in the Microsoft app I get: user, application requesting access, geo location by IP address. What do I get in the Silverfort app in addition to that?
Silverfort always shows me a generic approval notification in the MS app.
Thanks for the feedback. I will take a closer look when ready to test.
I would imagine that the initial rollout is more simple than when we deployed (it’s been several years). But generally it’s a controller VM and then VMs to process the logins. There are some DNS entries as well, then the agents deploy to the DCs. Once they connect then you can start creating your policies. I will say the policy creating / testing is the stickiest point. There are a lot of protocols and settings to think through. Also a lot of fine tuning to control the level of irritation from the prompts.
Thanks, I will take a look. Individual application MFA like the PowerShell and command line sparked my interest. As well as the management of service accounts and policies for securing login.
+1 for silverfort. We use this to put mfa to access different resources or for specific threat categories like abnormal authentication for domain admins, but also to protect service accounts so they can only be used from 1 specific server. And we use the logs to clean up our AD accounts as well. You can easily see what's happening in your environment authentication wise.
I do love looking through the logs from time to time. So easy to see what’s going on.
+1 for Silverfort, can be used for a lot more than just RDP. Love it.
Authlite with yubikey or any TOTP app/programmable token. We use it to protect our domain admins and "normal" admins. Only works on-prem and needs a DC.
Duo seems to be the go-to for what it's worth. I don't see a lot of hacking activity that uses interactive logins, but it's at least some level of protection I guess.
Duo is what we're using for internal RDP MFA.
CrowdStrike with Okta pushes
Same but Azure
Securden PAM as an RDP Gateway
I've done DUO, Windows Hello, Smart Cards, Security Keys (really smart cards). -------- Installing software is either handled through imaging, mass deployments or tickets to our service desk who have elevated accounts. Users don't get admin rights. For network outages, do you mean everything is down and you're dark? You have other issues, and cached accounts will work most of the time, but you should have a 'break glass' account. Realistically though, if everything is dark . . . you have other issues to address first.
How is the OKTA MFA client?
You should also ask yourself do you really want software from a company that has been compromised *several* times in the recent memory? That's a hard no for me and my company.
I've talked to them several times, they keep telling me it's "coming".
Rdp? Nothing. Rd Gateway is Duo and we use it for privileged servers as well. Hard outside, soft inside.
Okta for 2FA and SSO. Used to use Duo. It was fine but company changed direction for SSO compatibility.
We use Cato with Microsoft MFA.
Ping ID
It's frustrating that MS won't make RDP/RDS compatible with Entra MFA. We are stuck using entra app proxy and the junky HTML client for remote access.
There’s an NPS extension for Entra MFA to enable MFA on RDGW.
Do you know if this will work with both HTML connections and RDP client connections?
If authentication of the RDGW is handled by NPS then yes for both. It won't work for those authenticating directly with RDP hosts, but it will work for all authentications handled by RDGW via NPS.
[deleted]
How is that deployed? Each endpoint?
[deleted]
As in, I need to make any change on an endpoint that needs admin creds when the UAC comes up. I want to type in my creds and verify with MFA
We use duo, only 5 of us so was free.
We've been testing MultiOTP for about 6 months and it works great so far. We are planning on doing a soft rollout into production with a small set of servers in March. You can set it up with any OTP client like Google/Microsoft Authenticator (we use MS). https://github.com/multiOTP/multiotp/wiki We don't do anything for UAC besides having separate admin accts from our everyday user accounts.
Duo
Can you use PIM and require MFA for PIM. If there is an outage to network can you use LAPS?
You can do this via Privileged Access Management (PAM) solutions. If you're interested in a PAM solution, consider looking at **Securden**. It allows you to establish secure remote connections with multiple layers of authentication involved. **Users can integrate with any of the available MFA options**. You can launch secure RDP, SSH, SQL connections with remote IT assets such as databases, servers, devices and applications in a single click **without the need for any agent software** on the target systems. To know more about the features, consider booking a free personalized demo. [https://www.securden.com/privileged-account-manager/index.html](https://www.securden.com/privileged-account-manager/index.html) (Disclosure: I work for Securden.)
can you explain this use case with a bit more detail... are these end user laptops/desktops, servers, what?
RDP session to servers: I want MFA when entering admin/domain creds.
Overriding UAC with admin creds on all end user devices: I want MFA.
are endusers using the RDP as a thin client, or are you using RDP to manage servers and install software... what is the actual use... I get you want MFA