The need to protect RDP-based access
Remote Desktop Protocol (RDP) is a commonly used method for remotely accessing systems, which makes it a prime target for threat actors. Unprotected RDP access can expose organizations to various cyberthreats, such as brute-force attacks and ransomware. A compromised RDP session could lead to data theft and disruptions to business operations. Implementing multi-factor authentication (MFA) for RDP-based logins adds a layer of verification beyond the password, making it much more difficult for threat actors to gain unauthorized access and ensuring that only trusted users can connect to critical systems.
Secure your RDP-based access with ADSelfService Plus
ManageEngine ADSelfService Plus, an identity security solution, helps secure RDP-based access to your organization’s computer systems by using adaptive MFA. This includes implementing authentication methods such as biometric authentication and one-time passwords during RDP logins in addition to traditional passwords. ADSelfService Plus ensures that exposed credentials become useless for unauthorized RDP access, providing an extra layer of security. It supports MFA for RDP-based access on Microsoft Windows systems.
For the detailed configuration steps, refer to the MFA for RDP knowledge base article.
How does MFA for RDP logins work?
To configure MFA for RDP logins, the ADSelfService Plus login agent must be installed on the machines that are going to be secured via RDP MFA. The agent acts as the intermediary between the RDP machine and ADSelfService Plus to enable MFA during RDP logins. Once these requirements are fulfilled, the process shown below takes place:

- The user initiates an RDP connection to the RDP machine.
- The system checks the user's credentials (password) against the local security system.
- After successful primary authentication, the system moves to secondary authentication (MFA), handled by the ADSelfService Plus login agent.
- The ADSelfService Plus login agent sends the MFA request to the ADSelfService Plus server for verification.
- If the user completes the required authentication levels successfully, they are logged in to the machine.
Supported authentication methods
ADSelfService Plus supports a wide range of authenticators. Those that can be configured for RDP are listed here:
- Biometric authentication (fingerprint/facial recognition)
- Push notification authentication
- Duo Security
- Microsoft Authenticator
- Google Authenticator
- YubiKey authentication
- RSA SecurID
- RADIUS
- Time-based one-time passwords (TOTPs)
- Custom TOTP authenticators
- Zoho OneAuth TOTPs
- QR-code-based authentication
- Security questions and answers
- SMS and email verification
Why should you choose ADSelfService Plus?
Employing ADSelfService Plus' MFA for RDP logins delivers the following benefits:
- Customizable, granular configuration: Enforce specific authentication methods and the number of authentication factors for users belonging to certain domains, groups, and organizational units.
- Real-time audit reports: View detailed reports on RDP login attempts with information like the time of the login, the authentication methods used, and the authentication success or failure status.
- Ensured user adoption: Automate user enrollment in MFA for RDP by importing the domain information of users through CSV files or by forcing enrollment using login scripts.
- Simplified authentication: Use authentication techniques like fingerprint, push notification, YubiKey, and QR-code-based authentication to help users complete the RDP MFA process with minimal effort.
FAQs
RDP supports MFA, but not natively. You'll need to implement it through a third-party solution like ADSelfService Plus.
Normally, when connecting to RDP machines, users are authenticated using only a password. MFA for RDP ensures that users verify their identities with multiple authenticators along with their password while logging in to RDP machines.
By using ADSelfService Plus to secure RDP logins, you can choose your preferred methods from a range of authenticators like biometrics (fingerprint/facial recognition), Duo Security, push notification authentication, Microsoft Authenticator, Google Authenticator, YubiKeys, and email verification.
Yes, it is essential to safeguard all the RDP logins in your organization using MFA. To prevent breaches, it is recommended to use strong identity verification measures like biometrics instead of the traditional password-only method. By enabling MFA for RDP machines, you can prevent RDP machines from being compromised even if their passwords are compromised.
You can easily deploy MFA for RDP machines in a few simple steps using ADSelfService Plus. ADSelfService Plus allows you to enable more than two authenticators during logins and includes strong authenticators such as biometrics and YubiKeys.
Check out this detailed walk-through on how you can set up MFA for RDP machines in your organization using ADSelfService Plus. You can also schedule a personalized web demo with our product experts, get in touch with our Sales team at +1.312.528.3085, or contact sales@manageengine.com for any further assistance.
Highlights of ADSelfService Plus
Password self-service
Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
Multi-factor authentication
Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.
Password and account expiry notifications
Notify Windows AD users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password policy enforcer
Strong passwords resist various hacking threats. Require Windows AD users to adhere to compliant passwords by displaying password complexity requirements.