MFA on RDP: what are the options?

RDP (Remote Desktop Protocol) is one of the most used technologies for access to server based applications or desktops and to enable remote user access. Unfortunately, using RDP in its simplest forms is a huge security risk. The UK NCSC (National Cyber Security Centre) has identified unprotected RDP to be the #1 reason for ransomware attacks (more on this topic). And these antics take can take place really, really fast…

A “honeypot” experiment from Unit 42 in the summer of 2021 found that 80% (!) of its unprotected RDP setups was hacked within 24 hours. Ouch. And these attacks are not isolated: on average, the honeypot RDP environments are attacked every 11 hours.

Multi-factor authentication

One of the recommendations to protect RDP environment from getting hacked is to add MFA (Multi-Factor Authentication). Note that this is one of but far from the only recommendation.

You‘d think the fact that many businesses are not using MFA on top of the RDP today is because there is a lack of solutions. However, the opposite is true: the number of options in the MFA space are as plenty as there are fish in the ocean. At Awingu, we also provided built-in MFA capabilities as part of the product since day 1.

The purpose of this post is to bring some structure into your options. We’ll add some specific vendor solutions, but keep in mind that there are many players in this domain. Rather than comparing vendors, let’s look into the architecture, the complexity of setup and the cost elements in play. We’re not making any analysis (or judgement) on which MFA token generation is better than other in this blog: e.g. is SMS as a token as secure as a time-based token generated on a phone?, etc.

The high-level options of MFA

On the highest level, MFA can be added on top of RDP by using:

• An MFA vendor/product such as Duo Security, OKTA MFA, … and many more;
• Using an external Identity Provider (IdP) and the MFA services linked to this IdP. Specifically we look at Microsofts Azure AD and the linked Azure MFA service. (more on the setup and requirements);
• Using a VPN (let’s assume with an MFA-based authentication) before enabling access to the RDP service. It would still be best practice to add MFA on top of the RDP service additionally;
• Certificate-based authentication where the certificate sort-of takes the role of the second factor;
• Awingu, a browser based remote access solution that makes RDP-based apps/desktops available in HTML5 (on any browser). Awingu comes built-in with MFA options and enables combinations with (1) third-party MFA products and (2) Identity Providers (IdP).

MFA solutions comparison chart

In this comparison, we have made a distinction between (a) Remote desktop deployments that leverage the RDP client to launch RDP services and (b) deployments with Remote Desktop Gateway. The latter is a web application that enables launching RDP services from the browser and from there opening a config file that will push the locally installed RDP client on the device to open. The benefit of using a Remote Desktop Gateway is that only port 443 (https) is open. Option (a) requires opening port 3389 for external use, which is a no-go from a security point-of-view.

For completeness sake: Awingu does not require the use of RD Gateway. It connects over RDP to RD Session hosts (server of desktop) and then acts as an HTML5 Gateway, making all sessions available in https in the browser (using just port 443). RDP as such is not made available externally. While Awingu replaces the need for RD Gateway, it actually offers tons more.

Comparing the MFA options

Dare to compare… even if it feels a bit like comparing apples with oranges. We’ve tried to come with a perspective on:

• Complexity: the more complex, the more room for failure and the more time-consuming;
• Cost: what are the different elements that need to be purchased or installed (e.g. consuming infrastructure)?;
• Any device access: this could be relevant when you, for example, allow BYOD for your employees, or when you have external users (such as contractors) that access your RDP services;
• Relative Risk Assessment: the most tricky of them all. For one, because the (correctness of the) deployment itself plays a big role. And for two, because there are differences within each category (for which we’re making full abstraction).

MFA solutions comparison chart

How does Awingu fit the MFA list?

Awingu is not an MFA product. If you ask Gartner, Awingu is a Unified Workspace. It aggregates different applications (and desktops and file servers) and makes them available in the browser via its ‘RDP-to-HTML5’ gateway. These can be RDP-based services, but could also be web applications (that leverage the Awingu Reverse Proxy). Having all applications available in a browser is really convenient: there is no local data on the device, and I can work from any device (whatever the formfactor).

Awingu workspace

Next to offering a ‘workspace’, Awingu really adds a lot of ‘Zero Trust‘ security capabilities. Especially on top of typically vulnerable RDP environments, these are very interesting because all security features are part of the same product and they can be activated and managed from the same Awingu management console (via the Awingu System Settings).

Zero Trust features of Awingu

ne of the built-in features is… MFA. Awingu will enable Time-based (TOTP) as well as Counter-Based (HOTP) token generation. And end-users can just install an authenticator App on their phones such as Microsoft Authenticator or Google Authenticator. It is all part of the package. (How to install MFA in Awingu? Easy, take a look at our MFA technical session video.)

If you desire more token options, then Awingu can enable using other systems as well (such as RADIUS based services, or DUO security, or IdP based services such as Azure MFA or IdenProtect.)

Curious to know what the one thing is that all Awingu customers and partners like? Well, it’s the fact that Awingu is so simple to set up and manage. This simplicity is driven by the architecture: a simple virtual appliance that can be installed in your cloud (infrastructure) of choice. The Awingu Virtual Appliance will then act as a gateway and connect using standard protocols to your back-end: RDP, WebDAV, CiFS, …

Architecture of Awingu

This means you don’t need to install (or manage) anything extra in the back-end. And also towards the end-user device there is nothing to install. The only thing they need is a browser (be it on a Chromebook, iPad or Windows device…).

What is the cost of Awingu?

Our recommended end-user pricing is publicly available. The smallest deployment has 20 concurrent users. Other than the user-based Awingu licensing, the only extra cost that applies is one (or more) virtual machines (and RDS CALs, but for the sake of this blog post: all solutions will require RDS CALs).