MFA for RDP

moter posted this 17 June 2015

Pretty sure I know the answer to this, but is there any native way like certificates, i.e. a way that doesn’t cost money, to do MFA with Remote Desktop? Todd

bpffa posted this 17 June 2015

The absolute no money option is to use internal PKI and provision virtual smart cards to TPM enabled workstations.


Brendan

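Added example (not from any poster in this thread): the workstation-side steps Brendan describes, as a PowerShell script. It checks that a TPM is present and ready, creates a TPM-backed virtual smart card with tpmvscmgr, and enrolls a Smart Card Logon certificate from the internal enterprise CA. The card name and the certificate template name are assumptions; run it elevated on the workstation that will initiate the RDP connection.

```powershell
# Added example: provision a TPM virtual smart card on the RDP client workstation.
# Assumed values: $VscName (any name is fine) and $TemplateName (the Smart Card
# Logon template your CA publishes; it must use the Microsoft Smart Card Key
# Storage Provider so the key is generated on the virtual card).
#Requires -RunAsAdministrator

$VscName      = 'CorpVSC'          # assumed
$TemplateName = 'SmartcardLogon'   # assumed

# 1. A virtual smart card needs a TPM that is present and ready (owned/initialised).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable on this workstation (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

# 2. Create the virtual smart card. /pin prompt asks the user for the PIN
#    (the 'something you know'); /adminkey random makes the admin key
#    unrecoverable so it cannot be reused to reset the PIN from elsewhere.
& tpmvscmgr.exe create /name $VscName /pin prompt /adminkey random /generate
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr failed with exit code $LASTEXITCODE" }

# 3. Enrol a logon certificate for the current user onto the new card.
#    certreq prompts for the card PIN during key generation.
& certreq.exe -enroll -user $TemplateName
if ($LASTEXITCODE -ne 0) { throw "certificate enrollment failed with exit code $LASTEXITCODE" }

# 4. Confirm the card and its certificate are visible to the smart card subsystem.
& certutil.exe -scinfo
```

After step 4, mstsc on that workstation offers the virtual card as a logon option; because the key never leaves the TPM, the card can only be used from this machine, which is exactly the portability limitation raised later in the thread.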

moter posted this 17 June 2015

Right now this is for servers; desktops are out of scope at the moment. Servers don’t typically have TPMs and VMs definitely don’t. We have an internal PKI; I’ll research virtual smart cards some and see what they’re about. Is a TPM required? Todd

show

BrianB posted this 17 June 2015

TPM would be on the workstation accessing the RDP session on the server. That is where you would need a traditional smartcard and a virtual smartcard anyway to access the protected server.


Brian Britt.


BrianB posted this 17 June 2015

One problem with V-Smartcards is that the user is tied to the workstation, as opposed to a traditional SC which moves with you from station to station as long as the proper software is installed.


brian


moter posted this 17 June 2015

Ah. I see, so the computer becomes the “smart card”, i.e. the “something I have”, and the PIN for that virtual smartcard becomes the “something I know”? Thus satisfying multi-factor? Because this is tied to my domain account, I wouldn’t use my domain creds anymore but the VSC to log in?


BrianB posted this 17 June 2015

Your VSC is tied to your domain account. For those servers “requiring” smartcard auth you will be able to choose that logon type, and for those servers that don’t require smart card auth you can use your primary auth (username/password). You will be given a choice in the logon box that appears when you connect to the RDP, since the system will detect that you have primary auth creds and a smartcard. Choose one and proceed.


brian

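Added example (not from any poster in this thread): the server-side half of what Brian describes. Whether a server “requires” smart card auth is the “Interactive logon: Require smart card” policy (stored as the scforceoption value), and whether an account can still fall back to username/password is the SMARTCARD_REQUIRED bit on the AD account. This script audits both from a management host with the ActiveDirectory module; the server names and the admin group name are assumptions.

```powershell
# Added example: audit smart card enforcement on protected servers and their admins.
# Assumed values: $Servers (hostnames) and $AdminGroup (AD group of their admins).

$Servers    = 'SRV01', 'SRV02'              # assumed
$AdminGroup = 'Protected-Server-Admins'     # assumed

# "Interactive logon: Require smart card" => scforceoption DWORD 1 under Policies\System.
# Get-ItemProperty returns nothing when the policy has never been set.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$serverStatus = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $v = (Get-ItemProperty -Path $using:PolicyKey -Name scforceoption -ErrorAction SilentlyContinue).scforceoption
    [pscustomobject]@{ Server = $env:COMPUTERNAME; RequireSmartCard = ($v -eq 1) }
}
$serverStatus | Format-Table Server, RequireSmartCard -AutoSize

# Per-account enforcement: userAccountControl bit 0x40000 (SMARTCARD_REQUIRED),
# exposed by the AD module as SmartcardLogonRequired. Once set, the DC assigns
# the account a random password, so password logon stops working everywhere,
# not just on the protected servers. Set it only after the card is provisioned.
Get-ADGroupMember -Identity $AdminGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties SmartcardLogonRequired |
    Select-Object SamAccountName, SmartcardLogonRequired |
    Format-Table -AutoSize

# To move one admin to smart-card-only logon (uncomment once their card works):
# Set-ADUser -Identity 'jdoe' -SmartcardLogonRequired $true
```

Note that scforceoption applies to every interactive logon on that server, console included, so a server with the policy set and no enrolled card for the on-call admin is a lockout waiting to happen; the audit above is meant to catch that mismatch before it matters.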

bpffa posted this 17 June 2015

Brian is correct; you are tied to that workstation with that virtual smart card.


For relatively low cost, you can look into YubiKey NEOs in CCID mode with PIV; still use your existing internal PKI and set up an enrollment station for provisioning. You can now take your smartcard with you.


Brendan

