The need to protect RDP-based access
Remote Desktop Protocol (RDP) is a commonly used method for remotely accessing systems, which makes it a prime target for threat actors. Unprotected RDP access can expose organizations to various cyberthreats, such as brute-force attacks and ransomware. A compromised RDP session could lead to data theft and disruptions to business operations. Implementing multi-factor authentication (MFA) for RDP-based logins enhances security by adding another layer of verification, making it much more difficult for threat actors to gain unauthorized access and ensuring that only trusted users can connect to critical systems.
Secure your RDP-based access with ADSelfService Plus
ManageEngine ADSelfService Plus, an identity security solution, helps secure RDP-based access to your organization’s computer systems by using adaptive MFA. This includes implementing authentication methods such as biometric authentication and one-time passwords during RDP logins in addition to traditional passwords. ADSelfService Plus ensures that exposed credentials become useless for unauthorized RDP access, providing an extra layer of security. It supports MFA for RDP-based access in Microsoft Windows systems.
For the detailed configuration steps, refer to the MFA for RDP knowledge base article.
How does MFA for RDP logins work?
To configure MFA for RDP logins, the ADSelfService Plus login agent must be installed on the machines that are going to be secured via RDP MFA. The agent acts as the intermediary between the RDP machine and ADSelfService Plus to enable MFA during RDP logins. Once these requirements are fulfilled, the process shown below takes place:

- The user initiates an RDP connection to the RDP machine.
- The system checks the user's credentials (password) against the local security system.
- After successful primary authentication, the system moves to secondary authentication (MFA), handled by the ADSelfService Plus login agent.
- The ADSelfService Plus login agent sends the MFA request to the ADSelfService Plus server for verification.
- If the user completes the required authentication levels successfully, they are logged in to the machine.
Supported authentication methods
ADSelfService Plus supports a wide range of authenticators. Those that can be configured for RDP are listed here:
- Biometric authentication (fingerprint/facial recognition)
- Push notification authentication
- Duo Security
- Microsoft Authenticator
- Google Authenticator
- YubiKey authentication
- RSA SecurID
- RADIUS
- Time-based one-time passwords (TOTPs)
- Custom TOTP authenticators
- Zoho OneAuth TOTPs
- QR-code-based authentication
- Security questions and answers
- SMS and email verification
Why should you choose ADSelfService Plus?
Employing ADSelfService Plus' MFA for RDP logins delivers the following benefits:
- Customizable, granular configuration: Enforce specific authentication methods and the number of authentication factors for users belonging to certain domains, groups, and organizational units.
- Real-time audit reports: View detailed reports on RDP login attempts with information like the time of the login, the authentication methods used, and the authentication success or failure status.
- Ensured user adoption: Automate user enrollment in MFA for RDP by importing the domain information of users through CSV files or by forcing enrollment using login scripts.
- Simplified authentication: Use authentication techniques like fingerprint, push notification, YubiKey, and QR-code-based authentication to help users complete the RDP MFA process with minimal effort.
Highlights
Password self-service
Unburden AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
One identity with single sign-on
Get seamless, one-click access to more than 100 cloud applications. With enterprise single sign-on, users can access all their cloud applications using their AD credentials.
Password and account expiration notifications
Notify AD users of their impending password and account expirations via email and SMS notifications.
Password synchronization
Synchronize AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password Policy Enforcer
Strong passwords resist various hacking threats. Require AD users to adhere to password policies by displaying password complexity requirements.
Directory self-updates and corporate searches
Enable AD users to update their information by themselves. Quick search features help admins scout for information on peers using search keys like contact numbers.
FAQs
RDP supports MFA, but not natively. You'll need to implement it through a third-party solution like ADSelfService Plus.
Normally, when connecting to RDP machines, users are authenticated using only a password. MFA for RDP ensures that users verify their identities with multiple authenticators along with their password while logging in to RDP machines.
By using ADSelfService Plus to secure RDP logins, you can choose your preferred methods from a range of authenticators like biometrics (fingerprint/facial recognition), Duo Security, push notification authentication, Microsoft Authenticator, Google Authenticator, YubiKeys, and email verification.
Yes, it is essential to safeguard all the RDP logins in your organization using MFA. To prevent breaches, it is recommended to use strong identity verification measures like biometrics instead of the traditional password-only method. By enabling MFA for RDP machines, you can prevent RDP machines from being compromised even if their passwords are compromised.
You can easily deploy MFA for RDP machines in a few simple steps using ADSelfService Plus. ADSelfService Plus allows you to enable more than two authenticators during logins and includes strong authenticators such as biometrics and YubiKeys.
Check out this detailed walk-through on how you can set up MFA for RDP machines in your organization using ADSelfService Plus. You can also schedule a personalized web demo with our product experts, get in touch with our Sales team at +1.312.528.3085, or contact sales@manageengine.com for any further assistance.