What is remote desktop protocol and why should you secure it?
RDP (Remote Desktop Protocol) is one of the most widely used technologies for giving users remote access to server-based applications and desktops. It is a proprietary Microsoft protocol. In a Remote Desktop Services deployment, Remote Desktop Web Access is the web portal that publishes applications (RemoteApp) and desktops running on a session host (the former Terminal Server), so that users can reach them without a VPN connection.
Unfortunately, using RDP in its simplest form is a huge security risk. The UK NCSC (National Cyber Security Centre) has identified unprotected RDP as the #1 cause of ransomware attacks, and these attacks can unfold very fast when access is protected by nothing more than a password.
A honeypot experiment run by Unit 42 in the summer of 2021 found that 80% (!) of its unprotected remote desktop setups were compromised within 24 hours. Ouch. And these attacks are not isolated events: on average, the honeypot RDP environments were attacked every 11 hours.
It is clear that stronger security measures are needed, without complicating the configuration for admins or the login experience for end users.
What is Multi-factor authentication and how does it work?
One of the recommendations for protecting a Remote Desktop environment from compromise is to add multi-factor authentication (MFA). Note that this is one of several recommendations, far from the only one, but it is one that belongs in every company's security policy.
Multi-factor authentication is an authentication method that, instead of asking only for a username and a password, requires the user to present one or more additional verification factors, such as a one-time code or a security key. Only then can the user log in and access the requested resources.
An example is combining something you know (a password) with something you have (a one-time passcode generated by an authenticator app on your mobile phone, or a hardware security key). A third kind of factor is something you are, such as a fingerprint or a face scan.
Multi-factor authentication means the user must present credentials from at least two of these three categories; two-factor authentication (2FA) is the special case where exactly two factors are required. Two credentials of the same kind (two passwords, for instance) do not count as two factors.
We cannot emphasize enough that at least two-factor authentication should be configured: relying on passwords alone leaves your company network vulnerable.
How to enable MFA for RDP?
You would think that the reason many businesses still do not use multi-factor authentication as an extra layer on top of RDP is a lack of solutions. The opposite is true: there are as many MFA options for securing access as there are fish in the ocean. At Awingu, we have provided built-in two-factor authentication as part of the product since day one.
The purpose of this post is to bring some structure into your MFA solution options. We will mention some specific vendor solutions, but keep in mind that there are many players in this domain. Rather than comparing vendors, we look at the architecture, the complexity of setup and the cost elements in play.
We are not analysing (or judging) which MFA token type is better than another in this post, e.g. whether an SMS code is as secure as a time-based token generated on a phone.
What are the options for MFA?
On the highest level, multi factor authentication can be added on top of RDP by using:
A multi-factor authentication vendor/product such as Duo Security, Okta MFA, ... and many more;
Using an external Identity Provider (IdP) and the MFA services linked to this IdP. Specifically we look at Microsoft's Azure Active Directory (now Microsoft Entra ID) and the linked Azure MFA service;
Using a VPN (let's assume with MFA-based authentication) in front of the RDP service. Even then, it remains best practice to add at least two-factor authentication on the remote desktop connection itself;
Certificate-based authentication, where a client certificate (for instance on a smart card) takes the role of the second factor;
Awingu, a browser-based remote access solution that makes RDP-based apps/desktops available in HTML5 (in any browser). Awingu comes with built-in MFA options and can be combined with (1) third-party multi-factor authentication products and (2) Identity Providers (IdP).
In this comparison, we distinguish between (a) remote desktop deployments in which the RDP client connects straight to the RDP service and (b) deployments that sit behind a Remote Desktop Gateway. RD Gateway tunnels the RDP session inside HTTPS, so the only port that needs to be reachable from the outside is 443. It is typically combined with Remote Desktop Web Access, a web application from which users launch published apps and desktops by opening a .rdp configuration file that starts the locally installed RDP client. Option (a) requires exposing port 3389 to the internet, which is a no-go from a security point of view.
For completeness' sake: Awingu does not require Remote Desktop Gateway. It connects over RDP to the RD Session Hosts (server or desktop) on the internal network and acts as an HTML5 gateway, making all sessions available over HTTPS in the browser (using only port 443). RDP itself is never exposed externally. Awingu replaces the need for RD Gateway, and offers a lot more on top.
How to compare multi factor authentication solutions?
Dare to compare, even if it feels a bit like comparing apples with oranges. We have tried to offer a perspective on:
Complexity: the more complex the setup, the more room for failure and the more time it consumes;
Cost: which elements need to be purchased or installed (e.g. infrastructure consumed)?;
Any-device access: this is relevant when you, for example, allow BYOD for your users, or when you have external users (such as contractors) who need to connect to your company network to access your Remote Desktop services;
Relative risk assessment: the trickiest of them all. First, because the (correctness of the) deployment itself plays a big role. Second, because there are differences within each category, from which we abstract entirely.
How to enable MFA with RDP using Awingu?
What is Awingu?
Awingu is not a two-factor authentication product. If you ask Gartner, Awingu is a Unified Workspace that gives users secure remote access. It aggregates applications, desktops and file servers and makes them available (with optional single sign-on) to users in the browser via its 'RDP-to-HTML5' gateway.
These can be Remote Desktop services, but also web applications (through the Awingu Reverse Proxy). Having all applications available in a browser is convenient: no data is stored on the local device, and users can work from any device, whatever the form factor.
This means you can easily set up Awingu to provide secure access for employees and external contractors, so that they can reach all business resources from anywhere. Where needed, extra security capabilities can be enabled to restrict that access in certain contexts; these are configured in the settings.
Can I add multi factor authentication to RDP with Awingu?
Yes. Next to offering a secure gateway, Awingu adds a range of 'Zero Trust' security capabilities that the admin can enable in the advanced settings.
These are especially interesting on top of typically vulnerable Remote Desktop environments, because all security features are part of the same product. They can be activated and managed by the IT team from the same Awingu management console (the Awingu System Settings).
One of the built-in features is multi-factor authentication. Awingu supports time-based (TOTP, RFC 6238) as well as counter-based (HOTP, RFC 4226) one-time passwords, which means you do not have to buy a separate MFA solution to secure user authentication.
Do you want end users to use two-factor authentication before they enter the workspace? This is easily configured by the admin in the settings. For users, security and simplicity go together, so there are no difficult steps: they install an authenticator app on their phone, such as Microsoft Authenticator or Google Authenticator, and enrol it once by entering the verification code it shows. From then on the enrolled phone is treated as a remembered device, and when users log in to the workspace again they simply read the one-time password from the app.
If you want more token options, Awingu can also use other systems for authentication, such as RADIUS-based services, Duo Security, or IdP-based services such as Azure Multi-Factor Authentication or IdenProtect.
Other security capabilities an admin can enable to secure access include session recording, granular usage control, and context awareness (based on geolocation or IP address).
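To make concrete what the TOTP and HOTP tokens mentioned above involve on the server side, here is an added Python example. It is an illustration written for this post, not Awingu's code: it implements the RFC 4226 HOTP and RFC 6238 TOTP algorithms that Google Authenticator and Microsoft Authenticator use, builds the otpauth:// provisioning URI that an enrolment QR code encodes, and verifies submitted codes with a small clock-drift window while rejecting replay of a code that was already accepted. The issuer and account names are placeholders, and the shared secret is the RFC test-vector key, so the printed values can be checked against the RFC tables.

```python
"""
Added example: HOTP (RFC 4226) and TOTP (RFC 6238) as generated by Google/Microsoft
Authenticator, plus server-side verification that tolerates clock drift and blocks
replay. Illustration only; not Awingu's implementation. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32; restore the padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(issuer: str, account: str, secret: bytes, digits: int = 6, step: int = 30) -> str:
    """otpauth:// key URI (the format authenticator apps read from an enrolment QR code)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def verify_totp(secret, code, unix_time, last_counter=None, step=30, window=1, digits=6):
    """
    Server-side TOTP check. Accepts the current time step plus `window` steps on either
    side (phone clock drift), but never a step at or below the last accepted one, so a
    code that was already used cannot be replayed inside the window.
    Returns the matched counter (persist it as last_counter) or None.
    """
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def verify_hotp(secret, code, next_counter, look_ahead=10, digits=6):
    """
    Server-side HOTP check. Tries counters next_counter .. next_counter + look_ahead
    (the token may have been pressed without completing a login). Never looks backwards,
    which blocks replay. Returns the new next_counter to persist, or None.
    """
    for candidate in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate + 1
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret "12345678901234567890" (ASCII), base32-encoded
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(provisioning_uri("Example Workspace", "alice@example.com", secret))  # placeholder names
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at t=59, 8 digits:", totp(secret, 59, digits=8))
    now = 59
    first = verify_totp(secret, totp(secret, now), now)
    again = verify_totp(secret, totp(secret, now), now, last_counter=first)
    print("first use -> counter", first, "| replay of same code ->", again)
```

Two design points matter in practice: comparisons use hmac.compare_digest so the check does not leak timing, and the server must persist the last accepted counter per user, otherwise a code captured by a phishing proxy remains valid for the rest of its 30-second window.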
Is Awingu a simple solution?
Curious what the one thing is that all Awingu customers and partners like? It is how simple Awingu is to set up and manage for remote access. That simplicity comes from the architecture: a single virtual appliance installed in the cloud (or infrastructure) of your choice.
The Awingu virtual appliance acts as a gateway and connects to your back end using standard protocols: Remote Desktop Protocol (RDP), WebDAV, CIFS, ... Awingu has no built-in user database; it relies on Active Directory or an external IdP for this.
This means you do not need to install (or manage) anything extra in the back end, and nothing needs to be installed on the end-user device either (*). The only thing users need is a browser, be it on a Chromebook, iPad, Windows computer, ..., to access everything they need for their work. There is no direct connection or tunnel from the device into the corporate network.
(*) Smart cards can be used with Awingu, but in that case the user has to install the Awingu Remote Application Helper; this is the only exception.
Once authenticated into the workspace, users no longer need to enter login and password credentials for the connected applications, desktops or file servers, because Awingu handles single sign-on securely.
Want to learn more about how Awingu adds security layers on top of your RDP?
Download our whitepaper: “Above and beyond RDP”