This article will show you how to enable Multi-Factor Authentication on RDP with DUO, for free. This doesn’t apply only to RDP; in fact, you can secure many other applications with DUO.
Based on DUO’s current pricing (20190523), this is free for the first 10 users. You can have a look at the pricing section here.
- First of all, register for free on https://duo.com. The registration will also let you download and set up the DUO Mobile application on your phone, which will be used for accessing the DUO Admin panel. The same app/setup can be used to set up the first user of the application you want to protect.
- In order to protect RDP with MFA, DUO has pretty good and simple documentation, which can be found here. You can also keep reading this post, as I’ll go through the steps.
Set up a new user in DUO
The user we’re setting up is the user who will RDP to the server you want to protect.
- Log in to the Duo Admin Panel.
- Click Users on the left pane.
- Click Add User.
- This is just a sample, so I’m setting this up for Administrator; you can choose the actual user you want to allow RDP for. The cool thing is that 1 user can have up to 4 aliases. This means that with the same user setup, you can control multiple Windows users. Imagine you have a small environment with 3 different user accounts, all managed by the same person. You can set up an alias for each Windows user on the same DUO user account.
- Let’s start by typing the primary username.
- Now fill in the email address and “Require” MFA.
- Once you’ve filled in all of the fields, you can Send an Enrollment Email to the user you’re setting up.
- You can also add other aliases from the same page:
- The user will receive an email similar to the one below. Let the user follow the steps on his/her smartphone.
Generate secrets to protect a specific Application (RDP in our case)
This step will set up a unique set of secrets that are linked to your DUO account.
- Log in to the Duo Admin Panel and navigate to Applications.
- Click Protect an Application and locate Microsoft RDP in the applications list.
- Click Protect this Application to get your integration key, secret key, and API hostname.
Install DUO Authentication on the server(s) and client(s) you want to protect
In this step we’ll install an application that will be configured to use the secrets above and that will protect RDP connections with DUO’s MFA.
- Download the Duo Authentication for Windows Logon installer package. Note, the link will bring you to DUO’s latest application. It is not stored on itdroplets.com.
- Screenshots of the installation (use the secrets you gathered in the previous section):
- Now you can also set up Offline Access if you want. Refer to the official documentation.
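Once the installer has run, it is worth confirming from the server itself that the secrets landed and that the fail-open and RDP-only options match what you intended, since those two checkboxes decide whether a logon can ever skip MFA. The following PowerShell audit is an added example, not part of the original post or of DUO's own tooling; it assumes the registry location and value names (HKLM:\SOFTWARE\Duo Security\DuoCredProv with IKEY, SKEY, Host, FailOpen, RdpOnly, AutoPush) that Duo's documentation lists for the Windows Logon credential provider, so verify them against the version you installed.

```powershell
# Added example: audit the Duo Authentication for Windows Logon settings on a protected host.
# Assumption: registry path and value names as documented by Duo for the credential provider;
# check them against the installed version before relying on this script.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Test-DuoRdpConfig {
    param([string]$Path = $DuoKey)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Installed = $false; Findings = @('Duo credential provider registry key not found') }
    }

    $cfg = Get-ItemProperty -Path $Path
    $findings = @()

    # Integration key, secret key and API hostname come from the "Protect an Application" step.
    foreach ($name in 'IKEY', 'SKEY', 'Host') {
        if ([string]::IsNullOrWhiteSpace($cfg.$name)) { $findings += "$name is empty" }
    }
    # The API hostname should be the api-XXXXXXXX.duosecurity.com value shown in the Admin Panel.
    if ($cfg.Host -and $cfg.Host -notmatch '^api-[a-z0-9]+\.duo(security|federal)\.com$') {
        $findings += "Host '$($cfg.Host)' is not a Duo API hostname"
    }
    # FailOpen=1 lets logons succeed without MFA when the Duo service is unreachable.
    # For an internet-exposed RDP host this is the setting most worth reviewing.
    if ($cfg.FailOpen -ne 0) { $findings += 'FailOpen is not 0: logons bypass MFA when Duo is unreachable' }
    # RdpOnly=1 limits Duo prompts to RDP sessions; local console logons are not challenged.
    if ($cfg.RdpOnly -eq 1) { $findings += 'RdpOnly is set: local console logons are not protected' }

    [pscustomobject]@{
        Installed = $true
        Host      = $cfg.Host
        FailOpen  = [int]$cfg.FailOpen
        RdpOnly   = [int]$cfg.RdpOnly
        AutoPush  = [int]$cfg.AutoPush
        Findings  = $findings
    }
}

# Run from an elevated PowerShell prompt on the protected server.
Test-DuoRdpConfig | Format-List
```

An empty Findings list means the secrets are present and the host will fail closed and challenge every logon; anything else points at the installer option to revisit.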
Trying to RDP to a protected server/client
Now that we’re finally done with the configuration, let’s test it out. As soon as you try to RDP with the user you added in the first section (or one of its aliases), you’ll see the following, and you’ll also receive a push notification on your mobile.
This is what happens when you try to RDP with an account that is not in the list of users/aliases in DUO: