I'm looking to add Multi-Factor Authentication (MFA) for Remote Desktop Protocol (RDP) access in our organization. I've researched several options, including Duo, miniOrange, Microsoft Entra MFA (through NPS/RD Gateway), and Okta. I'm seeking recommendations for reliable solutions that are easy to deploy and manage, along with any real-world experiences you've had with these options.
7 Answers
I set up Duo for the RD Gateway recently, and it was surprisingly straightforward. Highly recommend giving it a shot if you're looking for something simple.
If security is your top priority, consider looking into Privileged Access Management (PAM) solutions. They can enforce MFA along with detailed access controls. Although they can sometimes be tricky to deploy, Unified PAM has a reputation for being a bit easier.
Jumpserver is a neat solution too. It supports Microsoft Active Directory for authentication and includes an MFA option for the login portal. You can also set rules in the firewall to only allow RDP access from the Jumpserver's IP.
Skip miniOrange; I've heard it's not worth the hassle. Just a heads-up!
If you're okay with an HTML5 RDP session, Guacamole with the Microsoft 365 authentication plugin is a solid choice. It works really well and is free!
I’ve had good experiences using Teleport for MFA, but keep in mind its free tier doesn't include OIDC.
Duo is super easy to set up! Just a tip: don't focus too much on RD Gateway. You can install Duo on any server or endpoint, even standalone machines. The best part is that the licensing is per user, not per endpoint, so you can implement MFA for all local and remote logins, protecting endpoints and servers alike. Plus, Duo can connect to multiple authentication sources, so if an account is disabled anywhere, it'll deny access across the board. They're versatile too—you can even use Duo for UAC prompts!
