Adding MFA to RDP Access

Written by Zach DeMeyer on April 3, 2020


As organizations hurry to move their employees to a fully remote work model, many IT departments are relying on the Windows Remote Desktop Protocol (RDP) to enable access to remote and/or virtual systems and servers. Although effective for remote resource access, RDP is a prime target if left exposed to the internet: anyone who can reach the port can attempt to log in. IT admins need to place RDP behind a VPN and enforce multi-factor authentication (MFA) on both the VPN and the RDP login to prevent unauthorized RDP access.

The Problems of Exposed RDP

Unlike ports used for hosting websites or similar purposes, an RDP port gives whoever authenticates an interactive session on the entire system. But just as they make on-premises systems more accessible for end users, internet-exposed RDP ports let virtually anyone try to authenticate to them, most often bots and bad actors looking for a foothold in your network. In fact, exposed RDP with weak, reused, or previously leaked credentials has been the initial entry point in many recent breaches, ransomware incidents among them.

In a recent study, Shodan found that, since the beginning of 2020, the number of RDP endpoints exposed to the internet has increased significantly, going up nearly 30% in February alone. The uptick both makes a lot of sense and no sense at all. Current events have made a fully remote workforce a necessity, so it tracks that overall RDP usage has increased in response. What doesn’t make sense, however, is that organizations are still exposing their RDP ports directly to the internet, despite the obvious risks.
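Before deciding whether your own RDP hosts are being hammered, it helps to measure it. The following script is an added example, not part of the original article or JumpCloud's tooling. It summarizes failed RDP logons (Security event 4625 with LogonType 10, RemoteInteractive) on the local host, grouped by source address. The 24-hour window and the 20-attempt threshold are assumptions; run it in an elevated session on the RDP host.

```powershell
# Added example (not from the original article): summarize failed logon attempts
# against this host's RDP listener, grouped by source IP.
# Event ID 4625 = "An account failed to log on"; LogonType 10 = RemoteInteractive (RDP).
# Assumes logon-failure auditing is enabled (the default on most server roles).
function Get-RdpLogonFailures {
    param(
        [int]$Hours = 24,        # look-back window (assumption)
        [int]$Threshold = 20,    # flag sources at or above this count (assumption)
        [string[]]$LogonTypes = @('10')
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Get-WinEvent reports "no events found" as an error; suppress it so an idle host returns nothing.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The useful fields live in EventData/Data[@Name=...]; parse the XML rather than the message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($LogonTypes -contains $d['LogonType']) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Source = $d['IpAddress']
                User   = $d['TargetUserName']
            }
        }
    }

    $rows | Group-Object Source | ForEach-Object {
        [pscustomobject]@{
            Source      = $_.Name
            Attempts    = $_.Count
            UniqueUsers = ($_.Group.User | Sort-Object -Unique).Count   # many users from one IP = spraying
            Suspicious  = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Attempts -Descending
}

Get-RdpLogonFailures | Format-Table -AutoSize
```

Caveat: once Network Level Authentication is enabled, attempts rejected at the CredSSP stage are often logged with LogonType 3 and an IpAddress of "-", so if the counts look suspiciously low on an NLA-enabled host, rerun with `-LogonTypes @('10','3')` and expect less precise source attribution.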

It’s a widely known best practice among IT professionals that all RDP ports should be protected by a VPN (virtual private network), so that only users already authenticated to the private network can reach an RDP endpoint. Organizations can also implement MFA to bolster their security even further.

Why VPN and MFA?

A VPN is an encrypted tunnel between a remote system and the network it needs to reach, carrying private traffic over a public network. When used for remote resource access, the VPN’s encryption and authentication protect traffic in transit from eavesdropping and tampering, and, more importantly for RDP, resources behind the VPN are reachable only by clients that have already authenticated to it.

By placing RDP hosts behind a VPN, so that the RDP port accepts connections only from VPN addresses, IT admins ensure that access to the resources behind each port is not freely given: anyone who wishes to reach an RDP-gated resource must first authenticate to the VPN with the right set of credentials, and then authenticate again to the host itself.
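On the host side, "behind the VPN" has to be enforced, not just assumed. The script below is an added example, not code from the original article or from JumpCloud: it restricts a Windows host's RDP listener to the VPN client pool and turns on Network Level Authentication so a client must authenticate before a full session is allocated. The VPN subnet 10.8.0.0/24 is an assumption; replace it with your own pool. Run it elevated.

```powershell
# Added example (not from the original article): make a Windows host's RDP listener
# reachable only from the VPN's address pool, and require Network Level Authentication.
$VpnSubnet = '10.8.0.0/24'   # assumption: your VPN client pool

# 1. Disable the built-in "Remote Desktop" allow rules, which permit 3389 from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -Enabled False

# 2. Allow TCP and UDP 3389 only from the VPN pool. Windows evaluates block rules before
#    allow rules, so do NOT add a "block from Any" rule: it would block the VPN too.
#    Anything not matched by an allow rule is dropped by the profile's default inbound action.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "RDP from VPN only ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -RemoteAddress $VpnSubnet -Action Allow -Profile Any
}

# 3. Confirm the default inbound action is Block on every profile; otherwise step 2 is moot.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Require NLA (UserAuthentication = 1) on the RDP-Tcp listener.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 5. Verify: the only enabled rules touching 3389 should be the VPN-scoped ones.
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 3389 |
    Get-NetFirewallRule | Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Action,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

The scoping only narrows who can knock on the door; every VPN user can still reach the listener, which is why the VPN login and the host login each still need MFA. Linux hosts serving RDP through xrdp need the equivalent restriction in their own firewall.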

This moves the target rather than removing it: the VPN login can itself be attacked through brute-force or credential-stuffing attempts, usually carried out by bots. Additionally, if a VPN uses a single shared credential, such as a pre-shared key, then one end user exposing it through phishing or other means compromises the VPN for everyone.

IT organizations can implement RADIUS authentication on their VPN endpoints to require unique, per-user credentials for access. RADIUS is significantly more secure than a shared credential, because a compromised account can be disabled or reset without re-keying every user, but if a user’s credentials are compromised, IT organizations still need an additional safeguard to protect their VPNs.

That’s where MFA comes in. Requiring an additional authentication factor at both VPN and RDP system login means a stolen or guessed password alone is not enough to get in. MFA has been shown to be virtually 100% effective at blocking automated brute-force attempts and nearly as effective against targeted attacks, depending on the type of MFA used; phishing-resistant factors such as hardware security keys hold up better than SMS or one-time codes that can be relayed.

By pairing both a VPN and MFA, IT admins ensure that their end users have access to the resources they need from wherever they find themselves while maintaining the utmost possible security as well. The challenge for IT admins then becomes how to implement VPNs and MFA across their user base.

Securing RDP Access with a Cloud Directory Service

With a cloud directory service like JumpCloud Open Directory, IT organizations can integrate their VPNs with a core directory, meaning end users leverage a single unique identity for all of their VPN connections. That identity also propagates to their devices and other IT resources, which JumpCloud calls True Single Sign-On™. Because it’s cloud based, admins can use JumpCloud to manage access to endpoints and other resources from wherever they find themselves, with all updates pushing to end users remotely as well.

Admins can then lock down access to Windows, Mac, and Linux virtual machines reached over RDP, as well as the VPNs used to access them, through JumpCloud’s MFA offering. JumpCloud MFA applies to devices, applications, and infrastructure as well.

Learn More

If you need to enable secure remote access for your end users as they work from home, learn more by checking out our Remote Work Solutions page for guides and other resources on how to shift your organization to a fully remote work model. You can also learn more about using MFA with RADIUS in How to Maintain Network Security For Remote Workers with RADIUS MFA.

Zach DeMeyer

Zach is a Product Marketing Specialist at JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, music, and soccer.
