Deploying Multi-factor Authentication for Microsoft RDP
Note: this page is concerned with configuring multi-factor authentication to protect a server and is targeted towards IT staff. Multi-factor authentication is also available to all campus users to protect email and access.caltech accounts. For more information about multi-factor authentication for all campus users, see Multi-factor Authentication.
This page contains instructions for configuring a system to require Multi-factor Authentication using Duo in order to connect via RDP.
- If you don't need to access a system remotely, remote access should be disabled
- If you need to allow remote access to a system, you should place network level restrictions on remote access, regardless of whether or not you require multi-factor
- Do not allow more than one method of remote access. This page concerns Microsoft RDP, following these instructions will result in multi-factor being required for RDP, not other methods of remote access
- RDP users need to be added as users in Duo, if they haven't been already. Contact the Help Desk for Duo user management requests.
- The system on which Duo will be added must allow network traffic to Duo's servers
Email email@example.com with the following information:
- Server name
- Integration type (the service to be protected, e.g. SSH, Microsoft RDP, etc.)
We will respond with a GPG encrypted file (or password protected zip file) containing a set of Duo API keys. The secret key must remain confidential. If you ever have any doubts about the confidentiality of your Duo secret key, tell us immediately and we can easily generate a new key for you. Use the Duo keys when following the service specific instructions to configure your system to require multi-factor authentication.
At this point, you should have already received a set of Duo API keys from Information Security including: API Hostname, Integration Key, and Secret Key
- Download the Duo for RDP installer here. Run the installer with administrative privileges.
- When prompted, enter your API Hostname as provided by Information Security, and click Next. The installer will check for connectivity at this point. If the check fails, ensure that the Windows firewall and any applicable hardware firewall is allowing traffic to Duo.
- Enter your integration key and secret key as provided by Information Security, and click Next again.
- Consider the integration options on this page.
- Bypass Duo authentication when offline: FailClosed (unchecked) is more secure, but could potentially result in loss of RDP access in the event of a connectivity issue. However, in the unlikely event of an extended outage, an admin with console access could reconfigure Duo.
- Use auto push to authenticate if available: if the majority of the users will be using the smartphone app push authentication method, this option is adds convenience. If more users will be using a hardware token, you should disable auto push.
- Only prompt for Duo authentication when logging in via RDP: will allow local users to continue logging in using username and password only, without requiring Duo. Depending on your preference and the workstation's physical location, this may be an appropriate choice.
- Click next through the remaining screens to complete the process. If you selected "Only prompt for Duo authentication when logging in via RDP", you should be prompted for Duo next time you log in via RDP. Otherwise, you should be prompted for Duo for any log in to the system.