Implementing Microsoft RDP Two-Factor
If you’re like me, chances are you have a server environment at home for testing and for learning. I have a physical dedicated server at my house running Server 2012 and hosting a Hyper-V environment. The server is, for the most part, headless: no keyboard, mouse or monitor is normally hooked up to it. Remote Desktop is essential to being able to manage the server. Since much of my testing and tinkering is done from outside of my home network, I reluctantly have the RDP service open to the outside world. Granted, I have changed the default port and I use a Yubikey to input my super-long password to access the server, but there was still something about having it accessible from online that left me uneasy.
Last year at the GrrCON InfoSec conference, I spoke with a couple of people at the Duo Security booth about their two-factor authentication system, as two-factor was something that was piquing my interest at the time. They seemed to have a solid system, but unfortunately it wasn’t until just last week that the company popped back up on my radar, after seeing them as a sponsor for GrrCON again this year.
I signed up for an account at their website, duosecurity.com, which was quick, easy, and free. After signing up, I looked through their list of services, and two of them caught my eye: Microsoft RDP and WordPress.
A little information about the Duo Security service, at least my understanding of it. Much like most other two-factor authentication systems today, Duo relies on the use of a cell phone for authentication, via an installed app, a call or a text. Use of the app is free; calling and texting require “credits” which can be purchased. You get 100 credits with your account. I decided to install the Duo Security Android app, which also allows the user to add Microsoft, Dropbox, Facebook, Google and other services that use two-factor into it. It basically replaced the Google Authenticator on my phone. When you log into the services configured with Duo, you input the code from the app along with your normal credentials and you’re in! There is also a Duo Push feature for some services, such as WordPress, that I might do a separate blog post about.
Setting up Duo Security for Microsoft RDP took a total of about 5 minutes, including the required reboot. To create a new Integration, log into your Duo Security administrative panel and under the Integration menu item, click New Integration. This will allow you to select the Microsoft RDP service, note the numerous other possibilities available as well! Give the integration a name and click the Create button. Keep the next window open, as you will use this information while installing the RDP Integration software on the server. The software download as well as detailed information on installing the service can be found HERE.
After installing the software and rebooting, you will notice a new field at login for the Duo Passcode. This is the code generated by the app (or delivered by phone). Entering your username, password and the correct code from Duo will let you log in to the server.
I have been using the service for about a week now and I have yet to have any issues logging into my server via RDP. The Duo Administration page gives me additional logging and alerts, which is nice in case anyone tries to access my server. The fact that I no longer need to rely on a single password gives me a sense of security and peace of mind, knowing that my system is that much more secure.
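As an added example (not from the original post, and not Duo’s own software or documentation), here is a read-only PowerShell audit of the RDP exposure described above: it reports the listening port, whether Remote Desktop and Network Level Authentication are on, and summarizes recent RDP logon successes and failures from the Security log so you can see who is knocking on the exposed port. It assumes Windows Server 2012 or later and an elevated PowerShell session; the registry paths and event IDs are standard Windows values, not Duo-specific.

```powershell
# Added example (not from the original post): read-only audit of the RDP surface.
# Assumes Server 2012+ and an elevated session. Nothing here changes settings.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Which port RDP listens on (3389 is the default the post moved away from).
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
Write-Output "RDP listening port: $port"

# 2. Is Remote Desktop enabled, and is Network Level Authentication required?
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
Write-Output ("Remote Desktop enabled: {0}" -f ($deny -eq 0))
Write-Output ("NLA required:           {0}" -f ($nla -eq 1))

# 3. Recent RDP logon activity from the Security log (last 7 days).
#    4624 = successful logon, 4625 = failed logon.
#    LogonType 10 = RemoteInteractive (RDP). With NLA enabled, failed attempts
#    are commonly recorded as LogonType 3 (network) instead, so failures accept
#    both; note that type 3 also covers SMB and other network logons.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rdp = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $isSuccess = ($e.Id -eq 4624)
    $keep = if ($isSuccess) { $d['LogonType'] -eq '10' } else { $d['LogonType'] -in @('10', '3') }
    if ($keep) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = if ($isSuccess) { 'Success' } else { 'Failure' }
            User   = $d['TargetUserName']
            Source = $d['IpAddress']
        }
    }
}

# Failures grouped by source address: a long tail of guesses against one
# account is what a second factor is there to absorb.
Write-Output "Failed logons by source address:"
$rdp | Where-Object Result -eq 'Failure' |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Write-Output "Most recent RDP logon events:"
$rdp | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it before and after enabling the integration: the port and NLA lines confirm the existing hardening is still in place after the reboot, and the failure summary is a quick way to check whether the alerts in the Duo admin page line up with what the server itself recorded.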
If you’re looking at a two-factor system for your environment, give Duo Security serious consideration. If you’re going to be at GrrCON this year, stop by their booth and chat a bit; they are a wealth of knowledge and willing to share (and thank them for the beer!).