Microsoft Remote Desktop and Terminal Services (RDP) provide an easy way for users to connect enterprise systems and use shared applications from remote locations. 

“Yet username/and password-based authentication is not enough now to be security compliant in some companies and in general.”

This article shows what RDP is, how to protect it, and what are the main features to look at before opting for any service.

Where can I deploy? 

• On-premises 
• Microsoft Azure
• Amazon AWS
• Google Cloud

What is RDP?

The Microsoft Windows Remote Desktop Protocol, or RDP, is widely and securely used on private networks to enable users to log into remote computers. Once logged in through RDP, the screen of the remote system is displayed on the local system giving the local user control. RDP is commonly used in enterprise environments to empower system administrators to manage servers and workstations in remote locations, or by the employees, while away from their offices and desks. Increasingly, RDP is used to access virtual desktops. Users can log in using single sign-on, for example, Windows Kerberos within a domain, or with user credentials, usually, a domain username and password, to access an account on the remote system.

A Microsoft Study Warns of Dangers

Hackers begin using brute-force attacks once an open RDP port is identified on the Internet. They use automated tools that do permutation and combination of username and password to crack the target computer’s login credential. Attacks are metered, often lasting for days to prevent firewall/IDS (Intrusion detection systems) detection that might result in source IP address blockage. 

After a months-long study into the impact of RDP brute-force attacks on the enterprise, Microsoft reported that attacks last two to three days on average, with about 90% of cases lasting for one week or less, and less than 5% lasting for two weeks or more. 

According to Microsoft’s research, the one simple action you can take to prevent 99.9% of the attacks on your accounts is to use multi-factor authentication (MFA).

Before going for any solution, always check if it provides Two-Factor with all OpenOTP One-Time Password methods and FIDO like:

• Software Tokens (OpenOTP Token which support Push logins, Google Authenticator)
• Hardware Tokens (all OATH compliant tokens are supported)
• Mobile-based SMS OTP (became deprecated in some scenario like for banks)
• Voice Biometrics (New authentication method) 
• Mailbox
• Yubikey Token 

Also, some of the major features to look at is:

1. Supports NT Domain-style login names like ‘Domain\Username’
2. Supports User Principal Names (UPN), implicit and explicit.
3. Supports LDAP and LDAP+OTP login modes.
4. Support of Users, groups, clients policies that allow you to design your authentication workflow based on many inputs. 
5. Enterprise deployment with AD automated software deployment tools.
6. Supports Normal (3 fields presented to the user on the login screen) and Simple login (2 fields presented on the login screen and if an OTP is required, then the third field is displayed on another page)

Simple Login : 

Normal Login : 

RCDevs

RCDevs provides a Windows Credential Provider (CP) for Windows integrations. There are 2 scenarios to secure your RDP.

1)RCDevs’ OpenOTP CP is your additional layer of protection for Windows login and remote access with Remote Desktop (RDP) and Terminal Services.This is one of the supported scenarios for RDP logins. It is the most common one and it involves protecting and installing the OpenOTP CP for each session host (windows machines).

2)Protecting a central point (named RDGateway) where every connection to any session hosts will pass through the RDGateway servers. Then you don’t need to protect each host because the MFA login is played on the RDGateway. In that scenario, only push login is supported.    

Understand how to configure MS Remote Desktop Services and RDWeb portal with OpenOTP.