
Enforce MFA for remote Windows server access

Motivation

According to OWASP "The most common way that user accounts get compromised on applications is through weak, re-used or stolen passwords. Despite any technical security controls implemented on the application, users are liable to choose weak passwords, or to use the same password on different applications. As developers or system administrators, it should be assumed that users' passwords will be compromised at some point, and the system should be designed in order to defend against this."

MFA is by far the best defense against the majority of password-related attacks, including brute force, credential stuffing and password spraying; analysis published by Microsoft suggests that it would have stopped 99.9% of account compromises.

Remote access to Windows servers is especially exposed to compromised passwords: an RDP endpoint reachable from the network is a login prompt that any attacker holding a stolen or guessed password can use, so it significantly expands the attack surface. Protecting it therefore relies on robust software controls, and on MFA in particular.

12Port Solution

12Port offers two ways to enable MFA for Windows server access:

  • MFA for native RDP clients
  • 12Port WEB RDP client

MFA for native RDP clients

The 12Port gateway sits in the RDP path as a protocol-aware intermediary: it accepts native RDP connections from desktop and mobile RDP clients built by Microsoft or by third-party vendors, and opens the onward connection to the Windows server itself.

After accepting the client connection, the gateway holds the protocol flow for an authentication step before establishing the session with the remote Windows server. During that step the gateway streams its own interactive screen to the RDP client, so the user enters the second authentication factor inside the RDP window; only then does the gateway switch the stream to the destination endpoint.

Apart from the native RDP client itself, no agents and no web browser are required on either the client device or the server.

The authentication step involves several phases.

  • The user is authenticated with their primary credentials and authorized against one of the integrated user directories, such as Microsoft Active Directory or Microsoft Entra ID.

  • The user presents a second factor through one of several MFA providers: Entra ID, RSA SecurID, Google or Microsoft Authenticator TOTP, HOTP hardware tokens (such as YubiKey), Duo Security, or a one-time code sent by email.

  • Once both factors have been verified and the user is authorized for the target, the gateway establishes the session with the remote Windows server.

The diagram below depicts the software architecture used to inject MFA into the native RDP protocol.

[Diagram: MFA for native RDP clients]
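A gateway that injects MFA into the RDP stream only enforces anything if the servers behind it refuse RDP from every other source; a client that can reach TCP 3389 on the server directly never meets the gateway's authentication screen. The following PowerShell is an added hardening check written for this page and is not part of 12Port or its documentation. It assumes the gateway's IP address (the `$GatewayAddresses` value is a placeholder), that it is run in an elevated session on each Windows server behind the gateway, and that Windows Defender Firewall is the control in use.

```powershell
# Added example: restrict inbound RDP on a Windows server to the 12Port gateway.
# Not 12Port code. Run elevated on each server that sits behind the gateway.

$GatewayAddresses = @('10.0.10.5')   # ASSUMPTION: replace with the real gateway IP(s)
$RdpPort          = 3389

# 1. Enumerate every enabled inbound allow rule for TCP 3389 and the remote
#    addresses it accepts. A rule scoped to 'Any' lets clients bypass the gateway.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains "$RdpPort")
    }

Write-Host "Inbound rules currently allowing TCP $RdpPort`:"
foreach ($rule in $rdpRules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    '{0,-45} RemoteAddress={1}' -f $rule.DisplayName, ($addr.RemoteAddress -join ',')
}

# 2. Disable the unscoped rules (typically the built-in "Remote Desktop" rules),
#    then add one rule that accepts RDP only from the gateway address(es).
$rdpRules |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Disable-NetFirewallRule

$scopedName = 'RDP from 12Port gateway only'   # ASSUMPTION: rule name chosen here
if (-not (Get-NetFirewallRule -DisplayName $scopedName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $scopedName -Direction Inbound -Protocol TCP `
        -LocalPort $RdpPort -RemoteAddress $GatewayAddresses -Action Allow -Profile Any |
        Out-Null
}

# 3. The scoped rule is only meaningful if the firewall is enabled and blocks
#    inbound traffic by default on every profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# 4. Live check: any established RDP connection whose peer is not the gateway
#    reached the server without passing the MFA step.
Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
    Where-Object { $GatewayAddresses -notcontains $_.RemoteAddress } |
    ForEach-Object { Write-Warning "Direct RDP session from $($_.RemoteAddress), bypassing the gateway" }
```

Step 2 is the enforcement; steps 1, 3 and 4 are the evidence that it holds. If the servers also carry a host-based or network firewall managed elsewhere, the same rule (allow TCP 3389 from the gateway addresses only, deny otherwise) belongs there too.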

12Port WEB RDP client

In addition to injecting MFA controls into the native protocol, as described in the previous chapter, 12Port provides a web RDP client for remote Windows servers. The web client has two advantages: the browser only needs to reach the 12Port web application over HTTPS, so the RDP protocol itself is not exposed across public networks, and nothing, not even a native RDP client, has to be deployed to the client endpoint, which simplifies access from third-party infrastructure.

The web RDP client enforces MFA at two distinct points:

  • The web client requires MFA when the user logs in to the web application. Once logged in, the user may open sessions to several remote Windows servers without authenticating again.

  • The web client can optionally require an additional authentication step before connecting to selected remote Windows servers, re-verifying the user's identity for the most critical infrastructure.

The diagram below depicts the software architecture of the web RDP client.

[Diagram: MFA for WEB RDP client]

12Port Advantage

In addition to enforcing MFA for Windows server access, 12Port provides several adjacent options that further increase network security.

  • Session recording allows complete sessions to be recorded, played back and converted to video.

  • Session event recording captures the keystrokes, file transfers and clipboard transfers that occurred during the session.

  • Granular access control allows permissions to be granted or revoked for selected users to connect to selected remote Windows servers, and to upload or download files and clipboard content.

  • An optional access approval process enables multi-level interactive or automatic approval, selected according to the day of the week or time of day.

  • A comprehensive event log reports access to, and activity inside, each session.