Summary
Remote Desktop Services with Multi-Factor Authentication (MFA) is the recommended prevention against ransomware. The attack port changes to 443 HTTPS from 3389 RDP and the MFA prevents brute force password attacks.
Simply changing the communication port to a custom port number is not an effective defense against a port scan. A Virtual Private Network (VPN) is also susceptible to port scan and brute force password attacks and should also be secured with MFA.
Requirements
- Internet connectivity and perimeter firewall address and administrator credentials
- Domain administrator and Azure portal global administrator credentials
- Windows Server 2019 and Remote Desktop User CAL licenses
- Enterprise Mobility Suite subscription providing Azure AD Premium for MFA must be assigned to each remote user and MFA enabled for a phone call
- Public SSL certificate purchased separately with FQDN like remote.domain.com
- FQDN for the remote desktop gateway must resolve via NSLOOKUP in DNS on the Internet and inside the network
- Install Remote Desktop Licensing Manger on a domain controller prior to setup of the Remote Desktop Gateway on the remote desktop server
- Network Policy Server role and NPS extension must be installed on a domain controller and a restart will be required
- Windows Server 2019 on a Domain Controller has a known flaw where a custom Radius firewall rule must be added inbound with UDP for ports 1812, 1813, 1645, 1646
- All networking with firewall enabled and storage must be configured before installing the Remote Desktop Server role
- For Installation Type of Remote Desktop Services, DO NOT select Role-based or feature-based installation
- Installing Remote Desktop Services on the remote desktop gateway server will require a restart
- Server name for remote desktop gateway CANNOT be changed after installation without uninstalling and reinstalling remote desktop services and related components
- For troubleshooting, enable logging on the Advanced Settings of the Windows Defender Firewall on both the domain controller and remote desktop server
- The following should be recorded in the System Plan: Windows Server and Remote Desktop User CALs keys, SSL and NPS shared secret passwords, remote desktop deployment options, Azure GUID, and NPS settings
- Setup and testing of Remote Desktop Services with MFA will require a minimum of 2-4 hours
1) Activate Remote Desktop Licensing on a Domain Controller
- Open Server Manage, click Manage, and select Add Roles and Features
- Select Role-based or Feature-based installation
- Select the domain controller computer as the destination server
- On the Select Server Roles page, select Remote Desktop Services and Remote Desktop Licensing
- Continue the installation selecting default values for the remaining settings
- Open Server Manager > Tools > Remote Desktop Services > Remote Desktop Licensing Manager
- Right-click the license server, then click Activate Server and then Next
- For the Connection Method, select Automatic Connection (recommended), and then click Next
- Enter your company information (contact name, company name, geographic region), and then click Next
- Start Install Wizard now and select Open License, then Authorization Number and License Number, and quantity
- Click Finish to complete the process
2) Configure Network Policy Server on a Domain Controller
- Log into the domain controller and select Server Manager > Manage > Add Roles and Features. (Click Next on each selection to move to the next screen)
- Choose Role-based or Feature-Based Installation for Installation Type
- Select the domain controller from the server pool
- Select Network Policy and Access Services
- Confirm installation options and choose Restart the Destination Server Automatically if Required option
- After restart and login, select Server Manager > Tools > Network Policy Server and configure the settings below
| Setting | Value |
|---|---|
| Radius Client | |
| Friendly Name | Gateway |
| Address | Remote Desktop Gateway IP Address |
| Shared Secret | Password1 |
| Remote RADIUS Server Group | |
| Group Name | N/A |
| Server | N/A |
| Shared Secret | N/A |
| Load Balancing / Advanced | N/A |
| Connection Request Policy | |
| Policy Name | Use Windows authentication all users |
| Type of network access | Remote Desktop Gateway |
| Conditions | Day and time restrictions |
| Settings / Authentication | Authenticate requests on this server |
| Network Policies | |
| Policy Name | RDG_CAP |
| Ignore user account dial-in | Check |
| Type of network access | Remote Desktop Gateway |
| Conditions | Day and time restrictions |
| Constraints / Authentication | Allow Clients to connect without negotiating an authentication method |
| Settings / IP Settings | Server settings determine IP address assignment |
3) Create Radius Firewall Rule on Domain Controller
- Open Control Panel and Windows Defender Firewall
- Select Advanced Settings, right-click Inbound Rules, and New
- Create a rule called Radius Inbound by port, UDP, and 1812, 1813, 1645, 1646
4) Installing NPS Extension for MFA on Domain Controller
- Sign into the Azure Portal as a global admin
- Select Azure Active Directory and select Properties
- In the Properties blade, beside the Directory ID, click on the Copy icon to get the Azure GUID for the tenant to be used later
- You will need to download the NPS Extension for MFA file from this location: https://www.microsoft.com/en-us/download/details.aspx?id=54688
- Copy this file to the domain controller where NPS has been installed. Double-click the file to run it. Agree to the license terms and click Install
- After the NPS Extension has been installed, configure by opening Windows PowerShell as an admin
- Enter cd “c:\Program Files\Microsoft\AzureMfa\Config”
- Enter .\AzureMfaNpsExtnConfigSetup.ps1
- Enter your Azure AD admin credentials and click Sign In
- When prompted, paste the Directory ID you copied to the clipboard earlier from Azure AD, and press ENTER.
- The script creates a self-signed certificate and performs other configuration changes. You will know it has completed when the script presents the message “Successfully Granted to Network Service”, then stops and restarts NPS, ending with a message to Press Any Key to Close
5) Setup Remote Desktop Server
- Log on to the RD server, select Server Manager > Manage > Add Servers to add the domain controller running RD Licensing and NPS
- Click Manage, then Add Roles & Features and then Next
- Select Remote Desktop Services installation for Install Type
- Select Standard Deployment and then Session-Based Desktop Deployment
- For Deployment Scenario, select Session-Based Desktop Deployment
- Review and deploy Remote Desktop Connection Broker, Remote Desktop Web Access, Remote Desktop Session Host, and add Remote Desktop Gateway from Remote Desktop Services in Server Manager
- Reboot the RD server even if it does not reboot automatically
- Once logged back into the server, return to Server Manager, click Remote Desktop Services and Edit Deployment Properties under Tasks.
| Setting | Value |
|---|---|
| RD Gateway | |
| Logon method | Password Authentication |
| Use RD Gateway credentials for remote computers | Check |
| Bypass RD Gateway server for local addresses | Check |
| RD Licensing | |
| Licensing Mode | Per User |
| Licensing Server | Domain controller name |
| RD Web Access | https://remote.company.net/rdweb |
| Certificates | remote.example.net |
| Collection | “Company Name” |
| General | Show session collection in RD Web Access |
| User Groups | Domain Users |
| Session | |
| End a disconnected session | Never |
| Active session limit | Never |
| Idle session limit | Never |
| When a session limit is reached or broken | Disconnect session / Enable auto-reconnect |
| Security | |
| Security Layer | Negotiate |
| Encryption Level | Client Compatible |
| Allow only RD connection with Network Auth | Enabled |
| Load Balancing | Weight 100 / Session Limit 999999 |
| Client Settings | Redirect all devices / printers / 16 monitors |
| User Profile Disks | None / Disable |
6) Configure Network Policy Server on Remote Desktop Server
Select Server Manager > Manage > Add Roles and Features > Network Policy and Access Services.
| Setting | Value |
|---|---|
| Radius Client | |
| Friendly Name | N/A |
| Address | N/A |
| Shared Secret | N/A |
| Remote RADIUS Server Group | |
| Group Name | TS GATEWAY SERVER GROUP |
| Server | Domain Controller IP Address |
| Shared Secret | Password1 |
| Load Balancing / Advanced | 60, 5, 60 |
| Connection Request Policy | |
| Policy Name | TS GATEWAY AUTHORIZATION / Use Windows Authentication |
| Type of network access | Remote Desktop Gateway |
| Conditions | Day and time restrictions |
| Settings / Authentication | Forward requests to TSGATEWAY SERVER GROUP |
| Network Policies | |
| Policy Name | RDG_CAP_AllUsers |
| Ignore user account dial-in | Check |
| Type of network access | Remote Desktop Gateway |
| Conditions | User Groups \ Domain Users |
| Constraints / Authentication | Allow Clients to connect without negotiating an authentication method |
| Settings / IP Settings | Server settings determine IP address assignment |
7) Change Perimeter Firewall Remote Desktop Inbound Rule
- Open a browser and enter the IP Address of your default gateway
- Change the port from RDP (3389) to HTTPS (443) on the inbound Remote Desktop rule or create a new inbound rule from the WAN to the IP address of the Remote Desktop Server using HTTPS
- Restart of the firewall appliance is generally recommended
Follow-up and Testing
- Verify that MFA is configured with a regular user and an administrator account https://aka.ms/mfasetup, EMS subscription is assigned, and test MFA login at https://portal.office.com
- Verify FQDN server name like remote.company.net resolves using NSLOOKUP for both internal and external DNS as well as matching the purchased certificate
- Open a browser, go to grc.com and run Shields Up scan to verify port 443 in open
- Use the Remote Desktop Connection and verify you can logon to the RD Server inside the network using the FQDN for the computer name
- Use the Remote Desktop Connection and verify you can logon to the RD Server outside the network adding the FQDN to Advanced / Settings / Server Name
- Using a browser, logon inside the network and then outside with MFA at example https:// remote.company.net/rdweb
- Review the Windows Defender Firewall logs or enter NETSTAT -AN at a Command Prompt to verify open ports
- For mufti-homed servers, it may be necessary to bind specific IP addresses to RDP, NPS, and IIS ports
Azure MFA NPS extension health check script
Script to run against Azure MFA NPS Extension servers to perform some basic checks to detect any issues. The output will be in HTML format.
Script requirements
The script needs to be run as a user with local admin privilege on the server, and will ask for global admin on the tenant to be run against.
How to run the script
Download mfa nps health check script and run the MFA_NPS_Troubleshooter.ps1 script from this GitHub repo.
What tests the script performs
The script performs the following test against MFA Extension Server:
- Check accessibility to https://login.microsoftonline.com
- Check accessibility to https://adnotifications.windowsazure.com
- Check accessibility to https://strongauthenticationservice.auth.microsoft.com
- Check MFA version.
- Check if the NPS Service is Running.
- Check if the SPN for Azure MFA Exists and is Enabled.
- Check if Authorization and Extension registry keys have the right values.
- Check other Azure MFA related registry keys have the right values.
- Check if there is a valid certificated matched with the certificates stored in Azure AD.
How the results will be displayed
In PowerShell console it will only display the tests name, then it will convert the result to HTML file located at C:\AzureMFAReport.html.
Example console output:
Example HTML output:
Contact us for more information.