
The Remote Desktop Protocol (RDP) is a primary target for cyberattacks, from brute-force attempts to credential stuffing. Relying on passwords to protect these connections is a failed security strategy. Implementing Multi-Factor Authentication (MFA) is the single most effective step to secure these critical access points, transforming a vulnerable entry point into a fortified gateway.
While Windows offers native capabilities, they are often complex and limited. This guide explores the practical methods for adding an MFA layer to your RDP sessions, from leveraging Network Policy Server (NPS) to deploying a dedicated MFA provider for granular control.
Why Securing RDP with MFA is Important
The Rising Threat of RDP-Based Attacks
Publicly exposed RDP remains a primary vector for ransomware and lateral movement. Attackers relentlessly scan for open ports and deploy automated tools to brute-force weak or reused passwords. An MFA challenge effectively neutralizes these common attacks, as an automated script cannot provide the required second factor. This hardens your most critical entry point against unauthorized access attempts at the source.
Meeting Compliance and Cyber Insurance Requirements (PCI DSS, HIPAA)
Regulatory frameworks like PCI DSS and HIPAA mandate strong authentication controls for any remote access to systems handling sensitive data. Furthermore, cyber insurance providers now frequently require MFA for RDP as a non-negotiable prerequisite for policy underwriting. Deploying a robust MFA solution is necessary for meeting these standards and securing coverage.
The Limitations of Passwords Alone
A password is a single, fragile point of failure. It provides inadequate security because it can be:
- Stolen in third-party data breaches and reused.
- Phished from users through sophisticated social engineering.
- Guessed or cracked by brute-force tools in minutes.
Understanding the Core Technologies: RDP vs. RDS
What is Remote Desktop Protocol (RDP)?
Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that provides a user with a graphical interface to another computer over a network. It is the fundamental technology enabling remote control and access within the Windows ecosystem.
What are Remote Desktop Services (RDS)?
Remote Desktop Services (RDS), formerly Terminal Services, is a Windows Server role that leverages RDP to build a complete remote access platform. It allows administrators to publish full desktops or individual applications to users, centralizing management. In short: RDP is the protocol; RDS is the infrastructure that uses it.
Key Architectural Components for MFA (RD Gateway, NPS)
Implementing robust MFA for RDS often hinges on two core components. The RD Gateway serves as a secure entry point, encrypting all RDP traffic over HTTPS. The Network Policy Server (NPS) acts as a RADIUS server, centralizing authentication policies. It is the critical integration point where many MFA solutions connect to intercept the login request and trigger the secondary challenge.
Exploring the Main Implementation Methods
Method 1: Native Integration with Microsoft Entra ID & NPS Extension
This native Microsoft approach uses Entra ID for authentication but requires an on-premises Network Policy Server (NPS) with an extension to proxy requests. While it avoids third-party costs, it is known for its complex configuration, reliance on legacy components, and significant infrastructure overhead, making it unsuitable for agile environments.
Method 2: Third-Party Credential Provider Agents (Duo, Hideez, etc.)
Software agents from identity providers are installed directly on each server or workstation. These agents intercept the Windows login process to enforce MFA. While effective, this method can introduce operational friction, requiring agent deployment, updates, and troubleshooting across the entire fleet of RDP hosts.
Method 3: Agentless and Network-Level Solutions
This modern approach secures RDP at the network level, requiring zero agents on target servers. It intercepts the RDP connection to enforce MFA before the user reaches the Windows login screen. It provides security but can be complex to deploy and may not offer granular, post-authentication controls.
Method 4: Securing the Entry Point with a VPN + MFA
This strategy applies MFA at the network perimeter by requiring it for VPN access. While it secures the initial entry point, the RDP protocol itself remains unprotected internally. This leaves a critical security gap for lateral movement if an attacker ever gains a foothold inside the network.
Step-by-Step Guide: Implementing MFA with Entra ID
Implementing MFA for RDP with native Microsoft tools is a multi-stage process requiring both cloud and on-premises configuration.
Prerequisites: Licensing and Directory Sync
First, ensure you have the correct Microsoft Entra ID P1 or P2 licenses for your users. Your on-premises Active Directory must be synchronized with Entra ID using the Entra Connect tool, a foundational requirement for hybrid identity.
Configuring Entra ID MFA and Conditional Access Policies
In the Entra ID portal, configure your organization's accepted MFA methods (e.g., authenticator app, phone call). You must then create specific Conditional Access policies designed to trigger an MFA challenge for connections authenticating against the RD Gateway application.
Installing and Configuring the Network Policy Server (NPS) Extension
The critical link is the NPS extension for Microsoft Entra ID, which must be installed on an on-premises Network Policy Server. This component acts as a bridge, forwarding authentication requests from your local network to the Entra ID cloud for MFA validation.
Configuring the RD Gateway to Use the NPS Server
Your Remote Desktop Gateway must be reconfigured to use your NPS server as its central RADIUS server for connection authorization requests, effectively outsourcing the decision to the NPS/Entra ID chain.
Testing and Verification
Finally, conduct thorough end-to-end testing to ensure users are correctly prompted for MFA and that access is granted or denied according to your Conditional Access policies. This manual setup is powerful but notoriously complex and prone to misconfiguration.
Step-by-Step Guide: Implementing MFA with a Third-Party Agent
Implementing MFA for RDP using a third-party agent bypasses the complexities of configuring RADIUS servers. This approach is faster, more flexible, and provides a superior user experience by integrating directly into the Windows login credential provider.
Choosing a Third-Party Provider
Choosing a modern provider means prioritizing ease of deployment and user experience over complex, legacy RADIUS setups. The key is finding a solution that enhances security without creating friction.
| Feature | Legacy RADIUS setups | Modern tools (e.g. Hideez) |
|---|---|---|
| Deployment | Complex, requires NPS/RADIUS server config | Multi-tenant cloud, private cloud, or on-prem |
| User Experience | Clunky, often requires separate prompts | Seamless, integrated into native login |
| Flexibility | Limited to network-level policies | Granular control per user/group |
Typical Workflow: From Admin Panel to Installation
The workflow with a modern agent is direct and can be completed in under an hour.
- Configure authentication policies in the cloud-based admin console.
- Define which user groups require MFA for RDP access.
- Download the lightweight agent installer package.
Installation consists of deploying a simple identity provider (IdP) agent to any Windows/Linux machine that accepts RDP connections. The authentication service, like the one provided by Hideez, hooks directly into the Windows logon UI, requiring no network changes or complex GPO deployments. This ensures a minimal footprint and rapid rollout.
Meanwhile, users are prompted to enroll their MFA method (e.g., FIDO2 key or the Hideez Authenticator app) on their next login. This self-service enrollment removes the administrative burden. The final login flow feels native to the Windows experience, presenting the MFA challenge immediately after password validation.
Comparing Top MFA Solutions for RDP
Choosing the right MFA solution for RDP is about finding a tool that fits your existing infrastructure, budget, and operational reality.
Microsoft Entra ID (Native)
For organizations deep in the Microsoft ecosystem, Entra ID seems like a natural choice. However, extending its MFA to on-premises RDP requires deploying a Network Policy Server (NPS) with the Azure MFA extension. This architecture introduces complexity, additional points of failure, and offers limited capabilities for offline access.
Duo Security
Duo provides an agent that is installed directly on the target machine or gateway. This approach is effective and simpler than the NPS method. The main considerations are cost and scope. For organizations whose primary need is securing on-prem logins, a full Duo license might include features that go unused.
Okta
A leader in IDaaS, Okta secures on-prem RDP using a RADIUS agent installed on your network. This proxies RDP authentication requests to the Okta cloud, introducing dependencies on both the on-prem agent and constant cloud connectivity. It can be an unnecessarily complex layer for companies that view Active Directory as their identity source of truth.
Specialized Solutions: Hideez
Beyond the major IDaaS platforms, specialized solutions exist to solve the MFA challenge for on-prem and hybrid infrastructures. Hideez is built from the ground up to enhance, not replace, Active Directory. Instead of relying on complex proxy or RADIUS setups, it installs a lightweight agent directly on the machines you need to protect. This approach offers significant advantages:
- Direct AD Integration: It works with your existing Active Directory identities and groups without requiring synchronization to a cloud platform.
- Comprehensive On-Prem Protection: It secures not just RDP, but also interactive workstation and server logins, providing consistent security.
- Offline Access: A critical feature for business continuity. Users can still access their machines with MFA even if the network connection to the central server is down.
- Passwordless-Ready: The platform is designed to eliminate passwords entirely using FIDO2 hardware keys, offering the highest level of phishing-resistant security.
Feature Comparison Table
| Feature | Entra ID | Duo | Okta | Hideez |
|---|---|---|---|---|
| Ease of Use (for RDP) | Complex (Requires NPS/Proxy) | Moderate (Agent-based) | Complex (Requires RADIUS agent) | High (Direct agent, no proxy) |
| Offline Access | Limited / Not Natively Supported | Yes (With specific config) | No | Yes (Built-in capability) |
| Cost Model | Bundled in P1/P2 licenses | Per-user, can be costly | Per-user, premium product | Per-user, cost-effective for on-prem |
| AD Integration | Requires cloud sync | Integrates with AD | Requires cloud sync | Native (No sync required) |
| Supported Factors | Push, TOTP, SMS, FIDO2 | Push, TOTP, SMS, U2F | Push, TOTP, SMS, FIDO2 | Dynamic QR code, TOTP, FIDO2 (Passwordless) |
Essential Features to Consider in an RDP MFA Solution
Supported Authentication Methods (Push, TOTP, FIDO2, SMS)
Flexibility is paramount. Your solution must support a range of methods, from user-friendly push notifications to phishing-resistant FIDO2 hardware keys.
Offline Access for Mobile Users and Laptops
Your MFA must enable mobile workforces with offline access. This ensures productivity is never hindered by a lack of connectivity, a critical feature for any modern enterprise solution.
Passwordless Logon Capabilities
The ultimate goal is to eliminate the primary attack vector. A modern solution like Hideez enables true passwordless RDP logon using FIDO2 keys or biometrics, drastically improving security and streamlining the user experience.
UAC Elevation Protection
Login is only half the battle. Enforce MFA during User Account Control (UAC) elevation prompts to prevent unauthorized privilege escalation by an attacker who has already gained initial access.
Centralized Policy Management and Reporting
Administration requires centralized control. Look for a unified platform for deploying policies, real-time logging for compliance, and simplified user onboarding.
Security Best Practices for Your RDP Deployment
MFA is the cornerstone of RDP security, but it functions best as part of a layered defense strategy.
- Principle of Least Privilege for RDP Access. Users should only have the absolute minimum permissions required. Restrict RDP access to a dedicated security group in Active Directory and avoid using administrative accounts for routine sessions.
- Keeping All Components Updated and Patched. Unpatched systems are open invitations for attackers. Ensure that all components of your RDP infrastructure (servers, clients, and gateways) are running the latest software versions and have all security patches applied promptly.
- Implementing Network Level Authentication (NLA). NLA is a crucial security feature that requires users to authenticate before a full RDP session is established. This mitigates Denial-of-Service (DoS) attacks. While strong, NLA still relies on the user's password; integrating it with MFA creates an airtight defense.
- Monitoring and Auditing RDP Logs. You cannot stop threats you cannot see. Actively monitor Windows Event Viewer logs for successful and failed logon attempts (Event IDs 4624 and 4625), especially from unusual IP addresses or at odd hours.
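To make the monitoring step concrete, here is an added example (not from the original article or any vendor's tooling) that runs simple detection logic over a handful of constructed Security-log records: it flags a burst of failed logons (4625) from one source, a successful RDP logon (4624 with logon type 10, RemoteInteractive) from a source that had just been failing repeatedly, and RDP logons outside business hours. The field names mirror the Security log's EventData names; the failure threshold, the business-hours window and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed tuning values: five failures from one source within the batch is
# treated as a brute-force burst; 07:00-19:59 local time counts as business hours.
FAIL_THRESHOLD = 5
BUSINESS_HOURS = range(7, 20)
RDP_LOGON_TYPE = 10  # RemoteInteractive: an RDP/Terminal Services logon


def make_event(event_id, when, user, src, logon_type=RDP_LOGON_TYPE):
    """Build one record with the EventData field names the Security log uses."""
    return {"EventID": event_id, "TimeCreated": when, "TargetUserName": user,
            "LogonType": logon_type, "IpAddress": src}


# Constructed sample data, not a real capture: six failures against
# "administrator" from 203.0.113.7 at 02:1x, then a success from the same
# source, plus one harmless failure and success for jdoe during the day.
SAMPLE_EVENTS = (
    [make_event(4625, f"2024-05-06T02:1{i}:00", "administrator", "203.0.113.7")
     for i in range(6)]
    + [make_event(4624, "2024-05-06T02:20:00", "administrator", "203.0.113.7"),
       make_event(4625, "2024-05-06T09:01:00", "jdoe", "10.0.0.5"),
       make_event(4624, "2024-05-06T09:02:00", "jdoe", "10.0.0.5")]
)


def analyze(events, fail_threshold=FAIL_THRESHOLD, business_hours=BUSINESS_HOURS):
    """Return (alert_type, source_ip, user) tuples in chronological order."""
    failures = defaultdict(int)  # failed logons seen so far, per source IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        src, user = ev["IpAddress"], ev["TargetUserName"]
        if ev["EventID"] == 4625:
            failures[src] += 1
            if failures[src] == fail_threshold:  # alert once, when the burst starts
                alerts.append(("brute_force", src, user))
        elif ev["EventID"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE:
            if failures[src] >= fail_threshold:  # guessing that eventually worked
                alerts.append(("success_after_failures", src, user))
            hour = datetime.fromisoformat(ev["TimeCreated"]).hour
            if hour not in business_hours:
                alerts.append(("off_hours_rdp_logon", src, user))
    return alerts


if __name__ == "__main__":
    for kind, src, user in analyze(SAMPLE_EVENTS):
        print(f"{kind:24} source={src:15} user={user}")
```

In a real deployment the same checks would run over records exported from the Security log (for example via Get-WinEvent) or forwarded to a SIEM, with the threshold tuned to your environment.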
Troubleshooting Common RDP MFA Issues
Even a well-planned deployment can hit snags. Most issues stem from network connectivity, legacy configurations, or directory sync problems.
Firewall and Network Connectivity Problems (Port 443)
The most frequent culprit is a network block. Ensure your corporate firewall allows outbound HTTPS traffic on TCP port 443 from the server running the MFA agent to your MFA service's specific IP ranges or FQDNs.
RADIUS Timeouts and Configuration Errors
Legacy RADIUS setups are notoriously brittle. Common failures include mismatched shared secrets and timeout values set too low for a user to respond to a push notification. Increase the timeout on your RD Gateway to at least 60 seconds.
Directory Synchronization Issues
If an MFA prompt never appears for a user, check your directory synchronization agent for errors. The user may be in an Organizational Unit that isn't synced, or a required attribute may be missing.
Certificate and TLS Version Mismatches
Ensure the certificate on your RD Gateway is valid and trusted. Your servers must also support TLS 1.2 or higher, as most secure cloud services have deprecated older, insecure protocols.
Tired of chasing down RADIUS timeouts and managing complex proxy servers? The vulnerabilities of password-based RDP are not going away, and brittle workarounds are no longer enough.
Hideez delivers a pragmatic solution designed for on-premise and hybrid environments. Go truly passwordless with FIDO2 security keys and secure your RDP access without the complexity. Schedule a demo to get a personalized strategy that fits your specific MFA requirements.