Summary

Remote Desktop Services with Multi-Factor Authentication (MFA) is the recommended prevention against ransomware. The exposed port changes from 3389 (RDP) to 443 (HTTPS), and MFA defeats brute-force password attacks.

Simply changing the communication port to a custom port number is not an effective defense against a port scan. A Virtual Private Network (VPN) is also susceptible to port scans and brute-force password attacks and should likewise be secured with MFA.

Requirements

  • Internet connectivity and perimeter firewall address and administrator credentials
  • Domain administrator and Azure portal global administrator credentials
  • Windows Server 2019 and Remote Desktop User CAL licenses
  • Enterprise Mobility Suite subscription providing Azure AD Premium for MFA must be assigned to each remote user and MFA enabled for a phone call
  • Public SSL certificate purchased separately with FQDN like remote.domain.com
  • FQDN for the remote desktop gateway must resolve via NSLOOKUP in DNS on the Internet and inside the network
  • Install Remote Desktop Licensing Manager on a domain controller prior to setting up the Remote Desktop Gateway on the remote desktop server
  • The Network Policy Server role and the NPS extension must be installed on a domain controller, and a restart will be required
  • Windows Server 2019 on a Domain Controller has a known flaw where a custom RADIUS firewall rule must be added inbound for UDP ports 1812, 1813, 1645, 1646
  • All networking with firewall enabled and storage must be configured before installing the Remote Desktop Server role
  • For Installation Type of Remote Desktop Services, DO NOT select Role-based or feature-based installation
  • Installing Remote Desktop Services on the remote desktop gateway server will require a restart
  • Server name for remote desktop gateway CANNOT be changed after installation without uninstalling and reinstalling remote desktop services and related components
  • For troubleshooting, enable logging on the Advanced Settings of the Windows Defender Firewall on both the domain controller and remote desktop server
  • The following should be recorded in the System Plan: Windows Server and Remote Desktop User CALs keys, SSL and NPS shared secret passwords, remote desktop deployment options, Azure GUID, and NPS settings
  • Setup and testing of Remote Desktop Services with MFA will require a minimum of 2-4 hours

1) Activate Remote Desktop Licensing on a Domain Controller

  • Open Server Manager, click Manage, and select Add Roles and Features
  • Select Role-based or Feature-based installation
  • Select the domain controller computer as the destination server
  • On the Select Server Roles page, select Remote Desktop Services and Remote Desktop Licensing
  • Continue the installation selecting default values for the remaining settings
  • Open Server Manager > Tools > Remote Desktop Services > Remote Desktop Licensing Manager
  • Right-click the license server, then click Activate Server and then Next
  • For the Connection Method, select Automatic Connection (recommended), and then click Next
  • Enter your company information (contact name, company name, geographic region), and then click Next
  • Start the Install Wizard now, select Open License as the license program, then enter the Authorization Number, License Number, and quantity
  • Click Finish to complete the process

2) Configure Network Policy Server on a Domain Controller

  • Log into the domain controller and select Server Manager > Manage > Add Roles and Features. (Click Next on each selection to move to the next screen)
  • Choose Role-based or Feature-Based Installation for Installation Type
  • Select the domain controller from the server pool
  • Select Network Policy and Access Services
  • Confirm the installation options and choose the Restart the destination server automatically if required option
  • After restart and login, select Server Manager > Tools > Network Policy Server and configure the settings below
RADIUS Client
  • Friendly Name: Gateway
  • Address: Remote Desktop Gateway IP address
  • Shared Secret: Password1
Remote RADIUS Server Group
  • Group Name: N/A
  • Server: N/A
  • Shared Secret: N/A
  • Load Balancing / Advanced: N/A
Connection Request Policy
  • Policy Name: Use Windows authentication for all users
  • Type of network access: Remote Desktop Gateway
  • Conditions: Day and time restrictions
  • Settings / Authentication: Authenticate requests on this server
Network Policies
  • Policy Name: RDG_CAP
  • Ignore user account dial-in properties: Check
  • Type of network access: Remote Desktop Gateway
  • Conditions: Day and time restrictions
  • Constraints / Authentication: Allow clients to connect without negotiating an authentication method
  • Settings / IP Settings: Server settings determine IP address assignment

3) Create the RADIUS Firewall Rule on the Domain Controller

  • Open Control Panel and Windows Defender Firewall
  • Select Advanced Settings, right-click Inbound Rules, and select New Rule
  • Create a rule named Radius Inbound with rule type Port, protocol UDP, and specific local ports 1812, 1813, 1645, 1646
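The RADIUS client registration from step 2 and the inbound rule from step 3 can be applied together from an elevated PowerShell prompt on the domain controller. This is an added example and not code from the original article: it uses Microsoft's NPS and NetSecurity modules, generates a random shared secret instead of the table's sample value Password1, and assumes the gateway address 192.0.2.10, which is a constructed placeholder. The same secret must be entered in the remote RADIUS server group on the RD Gateway in step 6 and recorded in the System Plan.

```powershell
#Requires -RunAsAdministrator
# Added example: register the RD Gateway as a RADIUS client on the domain controller's NPS
# and open the RADIUS ports only to that gateway. Run on the domain controller.
Import-Module NPS
Import-Module NetSecurity

$GatewayIp   = '192.0.2.10'      # placeholder (constructed): the RD Gateway's internal IP address
$ClientName  = 'Gateway'         # Friendly Name from the step 2 table
$RuleName    = 'Radius Inbound'  # rule name from step 3
$RadiusPorts = @(1812, 1813, 1645, 1646)

# 32 random bytes -> 44-character Base64 shared secret; works on Windows PowerShell 5.1 and later
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$SharedSecret = [Convert]::ToBase64String($bytes)

# RADIUS client: replace an existing entry of the same name so the script can be re-run
if (Get-NpsRadiusClient -Name $ClientName -ErrorAction SilentlyContinue) {
    Remove-NpsRadiusClient -Name $ClientName
}
New-NpsRadiusClient -Name $ClientName -Address $GatewayIp -SharedSecret $SharedSecret | Out-Null

# Firewall: the article adds an inbound UDP rule for the four RADIUS ports. Scoping it with
# -RemoteAddress keeps any host other than the gateway from reaching NPS on these ports.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort $RadiusPorts -RemoteAddress $GatewayIp -Profile Domain | Out-Null

# Show what was configured and hand the secret to the operator once, for the System Plan and step 6
Get-NpsRadiusClient -Name $ClientName | Format-List Name, Address, Enabled
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter | Format-List Protocol, LocalPort
Write-Host "Shared secret (record it now, it is not shown again): $SharedSecret"
```

The rule is limited to the Domain profile and to the gateway's address; if the gateway changes IP address, both the RADIUS client entry and the rule must be updated.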

4) Install the NPS Extension for MFA on the Domain Controller

  • Sign into the Azure Portal as a global admin
  • Select Azure Active Directory and select Properties
  • In the Properties blade, beside the Directory ID, click on the Copy icon to get the Azure GUID for the tenant to be used later
  • Download the NPS Extension for MFA from https://www.microsoft.com/en-us/download/details.aspx?id=54688
  • Copy this file to the domain controller where NPS has been installed. Double-click the file to run it. Agree to the license terms and click Install
  • After the NPS Extension has been installed, configure by opening Windows PowerShell as an admin
  • Enter cd "c:\Program Files\Microsoft\AzureMfa\Config"
  • Enter .\AzureMfaNpsExtnConfigSetup.ps1
  • Enter your Azure AD admin credentials and click Sign In
  • When prompted, paste the Directory ID you copied to the clipboard earlier from Azure AD, and press ENTER
  • The script creates a self-signed certificate and performs other configuration changes. You will know it has completed when the script presents the message “Successfully Granted to Network Service”, then stops and restarts NPS, ending with a message to Press Any Key to Close

5) Set Up the Remote Desktop Server

  • Log on to the RD server, select Server Manager > Manage > Add Servers to add the domain controller running RD Licensing and NPS
  • Click Manage, then Add Roles & Features and then Next
  • Select Remote Desktop Services installation for Install Type
  • For Deployment Type, select Standard Deployment
  • For Deployment Scenario, select Session-Based Desktop Deployment
  • Review and deploy the Remote Desktop Connection Broker, Remote Desktop Web Access, and Remote Desktop Session Host roles, then add Remote Desktop Gateway from Remote Desktop Services in Server Manager
  • Reboot the RD server even if it does not reboot automatically
  • Once logged back into the server, return to Server Manager, click Remote Desktop Services and Edit Deployment Properties under Tasks.
RD Gateway
  • Logon method: Password Authentication
  • Use RD Gateway credentials for remote computers: Check
  • Bypass RD Gateway server for local addresses: Check
RD Licensing
  • Licensing Mode: Per User
  • Licensing Server: Domain controller name
RD Web Access: https://remote.company.net/rdweb
Certificates: remote.example.net
Collection: "Company Name"
  • General: Show session collection in RD Web Access
  • User Groups: Domain Users
  • Session
      • End a disconnected session: Never
      • Active session limit: Never
      • Idle session limit: Never
      • When a session limit is reached or connection broken: Disconnect session / Enable auto-reconnect
  • Security
      • Security Layer: Negotiate
      • Encryption Level: Client Compatible
      • Allow only RD connections with Network Level Authentication: Enabled
  • Load Balancing: Weight 100 / Session Limit 999999
  • Client Settings: Redirect all devices / printers / 16 monitors
  • User Profile Disks: None / Disable
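The deployment and the deployment properties above can also be applied with Microsoft's RemoteDesktop PowerShell module. This is an added example and not code from the original article: the server names rds01.corp.example.net and dc01.corp.example.net, the domain CORP, and the PFX path are constructed placeholders, and it assumes the broker, web access, session host, and gateway roles are all on the single RD server the article describes.

```powershell
#Requires -RunAsAdministrator
# Added example: step 5 (deployment and deployment properties) with the RemoteDesktop module.
# Run on the RD server after the domain controller from step 1 has been added in Server Manager.
# New-RDSessionDeployment may restart the server; if it does, log back in and continue from Add-RDServer.
Import-Module RemoteDesktop

$Rds         = 'rds01.corp.example.net'          # placeholder: the single RD server (broker, web, host, gateway)
$Dc          = 'dc01.corp.example.net'           # placeholder: domain controller running RD Licensing and NPS
$PublicFqdn  = 'remote.example.net'              # the FQDN on the purchased public certificate
$Collection  = 'Company Name'
$PfxPath     = 'C:\certs\remote.example.net.pfx' # placeholder: the public certificate exported with its private key
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Broker, Web Access and Session Host, then the Gateway role with its public name
New-RDSessionDeployment -ConnectionBroker $Rds -WebAccessServer $Rds -SessionHost $Rds
Add-RDServer -Server $Rds -Role RDS-GATEWAY -ConnectionBroker $Rds -GatewayExternalFqdn $PublicFqdn

# RD Gateway: Password Authentication, gateway credentials for remote computers, bypass for local addresses
Set-RDDeploymentGatewayConfiguration -GatewayMode Custom -GatewayExternalFqdn $PublicFqdn `
    -LogonMethod Password -UseCachedCredentials $true -BypassLocal $true -ConnectionBroker $Rds -Force

# RD Licensing: Per User, with the license server on the domain controller
Set-RDLicenseConfiguration -Mode PerUser -LicenseServer $Dc -ConnectionBroker $Rds -Force

# Certificates: the same public certificate on every role
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword -ConnectionBroker $Rds -Force
}

# Collection: Domain Users, shown in RD Web Access. Set-RDSessionCollectionConfiguration uses
# separate parameter sets, so each group of the table is a separate call.
New-RDSessionCollection -CollectionName $Collection -SessionHost $Rds -ConnectionBroker $Rds
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Rds -UserGroup 'CORP\Domain Users'
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Rds -ShowInWebAccess $true
# Session: a limit of 0 minutes means Never
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Rds `
    -DisconnectedSessionLimitMin 0 -ActiveSessionLimitMin 0 -IdleSessionLimitMin 0 `
    -BrokenConnectionAction Disconnect -AutomaticReconnectionEnabled $true
# Security: Negotiate / Client Compatible / Network Level Authentication required
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Rds `
    -SecurityLayer Negotiate -EncryptionLevel ClientCompatible -AuthenticateUsingNLA $true
# Client settings: all device redirection, printers, up to 16 monitors
Set-RDSessionCollectionConfiguration -CollectionName $Collection -ConnectionBroker $Rds `
    -ClientDeviceRedirectionOptions AudioVideoPlayBack,AudioRecording,COMPort,PlugAndPlayDevice,SmartCard,Clipboard,LPTPort,Drive,TimeZone `
    -ClientPrinterRedirected $true -MaxRedirectedMonitors 16
# User Profile Disks: a new collection has them disabled, so nothing further is needed for None / Disable

# Workspace name users see in RD Web Access, then a read-back of the gateway settings
Set-RDWorkspace -Name $Collection -ConnectionBroker $Rds
Get-RDDeploymentGatewayConfiguration -ConnectionBroker $Rds
```

The load-balancing weight and session limit from the table are left at the collection defaults here; they matter only once a second session host is added.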

6) Configure Network Policy Server on Remote Desktop Server

Select Server Manager > Manage > Add Roles and Features > Network Policy and Access Services.

RADIUS Client
  • Friendly Name: N/A
  • Address: N/A
  • Shared Secret: N/A
Remote RADIUS Server Group
  • Group Name: TS GATEWAY SERVER GROUP
  • Server: Domain Controller IP address
  • Shared Secret: Password1
  • Load Balancing / Advanced: 60, 5, 60
Connection Request Policy
  • Policy Name: TS GATEWAY AUTHORIZATION / Use Windows Authentication
  • Type of network access: Remote Desktop Gateway
  • Conditions: Day and time restrictions
  • Settings / Authentication: Forward requests to TS GATEWAY SERVER GROUP
Network Policies
  • Policy Name: RDG_CAP_AllUsers
  • Ignore user account dial-in properties: Check
  • Type of network access: Remote Desktop Gateway
  • Conditions: User Groups \ Domain Users
  • Constraints / Authentication: Allow clients to connect without negotiating an authentication method
  • Settings / IP Settings: Server settings determine IP address assignment

7) Change Perimeter Firewall Remote Desktop Inbound Rule

  • Open a browser and enter the IP Address of your default gateway
  • Change the port from RDP (3389) to HTTPS (443) on the inbound Remote Desktop rule or create a new inbound rule from the WAN to the IP address of the Remote Desktop Server using HTTPS
  • A restart of the firewall appliance is generally recommended

Follow-up and Testing

  1. Verify that MFA is configured for a regular user and an administrator account at https://aka.ms/mfasetup, that the EMS subscription is assigned, and test an MFA login at https://portal.office.com
  2. Verify that the FQDN server name (for example remote.company.net) resolves using NSLOOKUP in both internal and external DNS and matches the purchased certificate
  3. Open a browser, go to grc.com and run the Shields Up scan to verify that port 443 is open
  4. Use Remote Desktop Connection and verify that you can log on to the RD Server from inside the network using the FQDN as the computer name
  5. Use Remote Desktop Connection and verify that you can log on to the RD Server from outside the network, adding the FQDN under Advanced / Settings / Server Name
  6. Using a browser, log on inside the network and then outside with MFA, for example at https://remote.company.net/rdweb
  7. Review the Windows Defender Firewall logs or enter NETSTAT -AN at a Command Prompt to verify open ports
  8. For multi-homed servers, it may be necessary to bind specific IP addresses to the RDP, NPS, and IIS ports
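Items 2, 4, 5 and 7 above can be turned into a repeatable check run on the RD server. This is an added example and not code from the original article: remote.company.net is the article's sample FQDN, and every other value is read from the host it runs on. The DNS and port checks it performs from inside the network must still be repeated from an external host, as items 3 and 5 require.

```powershell
#Requires -RunAsAdministrator
# Added example: automate follow-up items 2, 4, 5 and 7 on the RD Gateway server.
function Test-RdGatewayDeployment {
    param(
        [string]$Fqdn = 'remote.company.net',   # article's sample FQDN; replace with yours
        [int[]]$ExpectedListening = @(443)       # HTTPS is the only port the perimeter should forward
    )
    $checks = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Pass, $Detail)
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }) }

    # Item 2: the FQDN resolves from this host (run the same from outside for external DNS)
    try {
        $ips = @(Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction Stop |
                 Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        & $add 'DNS resolves' ($ips.Count -gt 0) ($ips -join ', ')
    } catch { & $add 'DNS resolves' $false $_.Exception.Message }

    # Item 2: a certificate with a private key covers the FQDN and has not expired
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        (@($_.DnsNameList | ForEach-Object Unicode) -contains $Fqdn) } | Select-Object -First 1
    $certDetail = if ($cert) { "$($cert.Thumbprint) expires $($cert.NotAfter.ToShortDateString())" }
                  else { 'no matching certificate in LocalMachine\My' }
    & $add 'Certificate matches FQDN' ($null -ne $cert) $certDetail

    # Item 7: the NETSTAT -AN check, filtered to the ports that matter
    $listening = @((Get-NetTCPConnection -State Listen).LocalPort | Sort-Object -Unique)
    foreach ($port in $ExpectedListening) {
        & $add "TCP $port listening" ($listening -contains $port) ('listening: ' + ($listening -join ' '))
    }
    # 3389 normally still listens for internal RDP; it must simply not be in the perimeter rule
    & $add 'TCP 3389 listening (internal only)' ($listening -contains 3389) 'confirm the perimeter forwards 443, not 3389'

    # Items 4 and 5: the gateway answers on 443 via the FQDN (internal path; repeat from an external host)
    $tnc = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
    & $add 'TCP 443 reachable via FQDN' $tnc.TcpTestSucceeded "remote address $($tnc.RemoteAddress)"

    return $checks
}

Test-RdGatewayDeployment | Format-Table -AutoSize
```

A failed certificate check usually means the purchased certificate was imported without its private key or under a name that does not match the FQDN users type, which is the mismatch item 2 is meant to catch.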

Azure MFA NPS extension health check script

Script to run against Azure MFA NPS Extension servers to perform some basic checks to detect any issues. The output will be in HTML format.

Script requirements

The script needs to be run as a user with local admin privilege on the server, and will ask for global admin on the tenant to be run against.

How to run the script

Download mfa nps health check script and run the MFA_NPS_Troubleshooter.ps1 script from this GitHub repo.

What tests the script performs

The script performs the following tests against the MFA Extension server:

  1. Check accessibility to https://login.microsoftonline.com
  2. Check accessibility to https://adnotifications.windowsazure.com
  3. Check accessibility to https://strongauthenticationservice.auth.microsoft.com
  4. Check the MFA extension version
  5. Check that the NPS service is running
  6. Check that the SPN for Azure MFA exists and is enabled
  7. Check that the Authorization and Extension registry keys have the right values
  8. Check that the other Azure MFA related registry keys have the right values
  9. Check that there is a valid certificate matching the certificates stored in Azure AD
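A reduced version of checks 1 to 3, 5 and 7 to 9 can be written in a few dozen lines, which shows what each test actually inspects on the server. This is an added example and not the MFA_NPS_Troubleshooter.ps1 script from the GitHub repo: the registry paths and the certificate subject pattern are assumptions to verify against your own installation, and the file version of the registered DLL is used as a stand-in for check 4. It runs on the NPS server (the domain controller) and writes its report to the same C:\AzureMFAReport.html location the article's script uses.

```powershell
#Requires -RunAsAdministrator
# Added example: a reduced health check for the Azure MFA NPS extension. Run on the NPS server.
function Test-MfaNpsExtension {
    param(
        # Assumed registry locations: the tenant value written by AzureMfaNpsExtnConfigSetup.ps1,
        # and the NPS key that lists authorization/extension DLLs. Verify both on your install.
        [string]$MfaKey     = 'HKLM:\SOFTWARE\Microsoft\AzureMfa',
        [string]$AuthSrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters',
        [string]$ReportPath = 'C:\AzureMFAReport.html'   # same location the article's script uses
    )
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Test, $Pass, $Detail)
        $status = if ($Pass) { 'PASS' } else { 'FAIL' }
        $results.Add([pscustomobject]@{ Test = $Test; Status = $status; Detail = "$Detail" }) }

    # Checks 1-3: any HTTP response, even 4xx, shows the outbound TLS path to the service is open
    foreach ($url in 'https://login.microsoftonline.com',
                     'https://adnotifications.windowsazure.com',
                     'https://strongauthenticationservice.auth.microsoft.com') {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            & $add "Reach $url" $true "HTTP $($r.StatusCode)"
        } catch {
            $resp = $_.Exception.Response
            if ($resp) { & $add "Reach $url" $true "HTTP $([int]$resp.StatusCode)" }
            else       { & $add "Reach $url" $false $_.Exception.Message }
        }
    }

    # Check 5: NPS runs as the Windows service named IAS
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    & $add 'NPS service running' ($svc -and $svc.Status -eq 'Running') "status: $($svc.Status)"

    # Check 7: the extension is registered with NPS; the registered DLL's file version stands in for check 4
    $params = Get-ItemProperty -Path $AuthSrvKey -ErrorAction SilentlyContinue
    foreach ($name in 'AuthorizationDLLs', 'ExtensionDLLs') {
        $dll = @($params.$name) | Where-Object { $_ -like '*AzureMfa*' } | Select-Object -First 1
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $ver = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
            & $add "$name registered" $true "$dll (file version $ver)"
        } else {
            & $add "$name registered" $false "values: $(@($params.$name) -join '; ')"
        }
    }

    # Check 8: the tenant recorded by the configuration script (the Directory ID pasted in step 4)
    $tenant = (Get-ItemProperty -Path $MfaKey -ErrorAction SilentlyContinue).TENANT_ID
    & $add 'TENANT_ID recorded' ([bool]$tenant) "$tenant"

    # Check 9: the self-signed certificate the configuration script created. Assumed subject form
    # CN=<tenant id>; adjust the filter if your certificate is issued differently.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $tenant -and $_.Subject -like "CN=$tenant*" -and $_.NotAfter -gt (Get-Date) } | Select-Object -First 1
    $certDetail = if ($cert) { "$($cert.Thumbprint) expires $($cert.NotAfter)" } else { 'none found' }
    & $add 'MFA extension certificate valid' ($null -ne $cert) $certDetail

    # HTML report at the same path as the article's script, then the results for the console
    $results | ConvertTo-Html -Title 'Azure MFA NPS extension health check' |
        Out-File -FilePath $ReportPath -Encoding UTF8
    return $results
}

Test-MfaNpsExtension | Format-Table -AutoSize
```

Check 6 (the Azure AD service principal) and the comparison of the local certificate with the ones stored in Azure AD need a tenant sign-in and are left to the full script.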

How the results will be displayed

In the PowerShell console it only displays the test names; it then converts the results to an HTML file located at C:\AzureMFAReport.html.

Example console output: (screenshot of the PowerShell console, not reproduced here)

Example HTML output: (screenshot of the HTML report, not reproduced here)
