How to Secure Remote Desktop Services: Install Duo MFA on RD Web and RD Gateway

Organizations must secure remote desktop services to prevent credential theft, ransomware entry points, and unauthorized system access. Microsoft Remote Desktop Services (RDS) environments exposed to the internet are a frequent target for brute-force attacks and lateral movement.

One of the most effective ways to secure Remote Desktop Services is by implementing multi-factor authentication (MFA). In this guide, we’ll walk through how to deploy Duo Multi-Factor Authentication on RD Web Access and RD Gateway to protect RDP sessions, RemoteApps, and remote infrastructure.

This step-by-step implementation helps organizations secure remote desktop services without major infrastructure changes while significantly reducing risk.

Why Secure Remote Desktop Services with MFA?

By default, Remote Desktop Services rely on Active Directory credentials. If passwords are compromised, attackers can gain direct network access. MFA adds a second verification factor, blocking unauthorized access even when credentials are stolen.

  • Prevents unauthorized RDP access
  • Secures RD Web portal logins
  • Protects RemoteApp and full desktop sessions
  • Reduces ransomware attack surface
  • Supports compliance requirements (HIPAA, SOC2, NIST)

Security Best Practice: To fully secure remote desktop services, all remote connections should route through RD Web Access and RD Gateway. Direct RDP connections to session hosts should be forbidden.

Architecture Overview

To secure remote desktop services, Duo should protect multiple RDS entry points:

  • RD Web Access only — protects browser login
  • RD Gateway only — protects RDP connections

When both are deployed:

  1. User logs into RD Web → Duo MFA challenge
  2. User launches RemoteApp or desktop → RD Gateway triggers MFA

Security Best Practice: This layered approach provides stronger protection and prevents common MFA bypass scenarios. Note that users will receive two distinct MFA prompts; this is necessary to prevent a potential brute force of either service.

Security Best Practice: When possible, separate RD Web Access and RD Gateway. Attackers often probe the internet for RD Web Access portals. If one is found, a malicious RDP file can be used to attempt to bypass the gateway’s security config. Example proof-of-concept.

Prerequisites

Infrastructure Requirements

  • Windows Server 2016 or later
  • RD Web Access and/or RD Gateway roles installed
  • Valid HTTPS certificate
  • .NET Framework 4.7.1 or later
  • Outbound HTTPS (TCP 443) to Duo cloud services

Security Best Practice: Force IIS to use advanced cipher suites over. Otherwise, Duo MFA will prompt with IIS errors. Link to resource.

Duo Requirements

  • Duo administrator account
  • Duo applications created for Microsoft RD Web and RD Gateway
  • Integration Key
  • Secret Key
  • API Hostname

Create these in the Duo Admin Panel before installation.
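
The prerequisites above can be checked on the server before running either installer. The script below is an added example, not part of the Duo installers or the original guide; the API hostname default is a placeholder to replace with the value from your Duo Admin Panel, and the certificate check only confirms that an unexpired server certificate exists in the machine store.

```powershell
# Added example: preflight check for the infrastructure prerequisites listed above.
# Run in an elevated PowerShell session on the RD Web Access / RD Gateway server.
param(
    # Placeholder: replace with the API Hostname recorded from the Duo Admin Panel.
    [string]$DuoApiHost = 'api-XXXXXXXX.duosecurity.com'
)

$checks = [ordered]@{}

# Windows Server 2016 is build 14393; ProductType 1 means a workstation edition.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$checks['Windows Server 2016 or later'] = ($os.ProductType -ne 1) -and ([int]$os.BuildNumber -ge 14393)

# At least one of the two RDS role services must be installed on this server.
$roles = Get-WindowsFeature -Name RDS-Web-Access, RDS-Gateway | Where-Object Installed
$checks['RD Web Access and/or RD Gateway role'] = [bool]$roles

# .NET Framework 4.7.1 or later reports a Release value of 461308 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$checks['.NET Framework 4.7.1 or later'] = ($null -ne $ndp) -and ($ndp.Release -ge 461308)

# Certificate: an unexpired Server Authentication certificate with a private key in the
# machine store. This does not confirm chain trust or which certificate IIS has bound.
$now = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
}
$checks['Unexpired server certificate present'] = [bool]$certs

# Outbound HTTPS (TCP 443) from this server to the Duo API host.
$checks["Outbound TCP 443 to $DuoApiHost"] = Test-NetConnection -ComputerName $DuoApiHost -Port 443 `
    -InformationLevel Quiet -WarningAction SilentlyContinue

$report = $checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
}
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) { Write-Warning 'One or more prerequisites are not met.' }
```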

Step 1 — Configure Duo in the Duo Admin Portal

  1. Log into the Duo Admin Panel.
  2. Navigate to Applications → Protect an Application.
  3. Add:
    • Microsoft RD Web
    • Microsoft RD Gateway
  4. Record the Integration Key, Secret Key, and API Hostname.
  5. Allow access for a pilot group during testing.

After validation, enforce MFA enrollment for all users.

Step 2 — Install Duo MFA for RD Web Access

This step secures the RD Web portal login experience.

Installation Steps

  1. Download Duo Authentication for RD Web.
  2. Sign into your RD Web server.
  3. Run the installer as Administrator.
  4. Enter the Integration Key, Secret Key, and API Hostname.
  5. Complete installation.

After installation, users logging into the RD Web portal will authenticate with Active Directory credentials followed by a Duo MFA challenge.

Test RD Web MFA

  1. Browse to the RD Web portal.
  2. Enter credentials.
  3. Approve the Duo push notification.
  4. Verify access to published resources.

Step 3 — Install Duo MFA for RD Gateway

This step protects RDP and RemoteApp connections that traverse the gateway.

Installation Steps

  1. Download Duo Authentication for RD Gateway.
  2. Log into the RD Gateway server.
  3. Run the installer as Administrator.
  4. Enter the Integration Key, Secret Key, and API Hostname.
  5. Complete installation.

How RD Gateway MFA Works

  1. User initiates RDP connection.
  2. Primary authentication occurs.
  3. Duo sends MFA challenge.
  4. Connection proceeds only after approval.

Step 4 — Validate End-to-End Protection

After deployment, verify that you have successfully secured remote desktop services:

  • RD Web login triggers MFA
  • RemoteApp launch triggers MFA
  • Direct RDP to session hosts is blocked
  • All external access routes through RD Gateway
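
One way to verify the "Direct RDP to session hosts is blocked" item from the host side is to audit the Windows Firewall scope for TCP 3389 on each session host. This is an added example, not from the original guide; the gateway address is a constructed sample value, and the comparison is an exact string match, so subnet or range scopes are flagged for manual review. It covers the host firewall only, not perimeter firewall rules.

```powershell
# Added example: audit which remote addresses may reach TCP 3389 on this session host.
# Run in an elevated PowerShell session on each RD Session Host.
param(
    # Assumption: internal IP address(es) of your RD Gateway server(s); sample value is constructed.
    [string[]]$GatewayAddress = @('10.0.0.10')
)

# Returns $true when a firewall LocalPort value ('Any', '3389', '3380-3390') covers $Port.
function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -notin 'TCP', '6', 'Any') { continue }
    if (-not (Test-PortCovered -LocalPort $port.LocalPort -Port 3389)) { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    # A rule passes only if every allowed source is a known gateway address.
    $unexpected = @($remote | Where-Object { $_ -notin $GatewayAddress })
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $remote -join ', '
        GatewayOnly   = ($unexpected.Count -eq 0)
    }
}

$findings | Sort-Object GatewayOnly | Format-Table -AutoSize
if ($findings | Where-Object { -not $_.GatewayOnly }) {
    Write-Warning 'At least one inbound rule allows TCP 3389 from sources other than the RD Gateway.'
}
```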

Additional Security Hardening Recommendations

  • Block direct RDP (TCP 3389) from the internet
  • Require RD Gateway for all remote connections
  • Enforce Duo enrollment policies
  • Enable TLS 1.2 or higher
  • Monitor authentication and RDS logs
  • Restrict gateway access by IP where possible

Final Thoughts

Organizations looking to secure remote desktop services should prioritize strong authentication controls. Deploying Duo MFA on RD Web Access and RD Gateway provides layered security that significantly reduces unauthorized access risk and strengthens overall RDS posture.

With minimal configuration changes, administrators can secure remote desktop services against modern threats while maintaining a seamless user experience.
