Outline of scenario

One of our clients was making the migration from on-premises servers to a cloud-based remote desktop services (RDS) based environment.

The challenge

The challenge was to protect the user accounts whilst enabling connection from almost anywhere, allowing staff to connect when working from remote locations, e.g. home. We cannot leave the remote desktop port of the RDS server open to the public, as this would potentially lead to hack attempts and malware injections, and therefore possible disruption and data breaches.

Options considered:

1) Leave remote desktop port open and hope for the best

Clearly not a true ‘option’! This is terrible practice and should never be implemented! An open remote desktop port is like leaving your front door open and hoping nobody tries to enter.

2) VPN 

One option considered was to force all users to connect over a VPN to the office connection and allow-list the IP address of the office.

Potential problems/drawbacks

  • Dictated by the reliability and speed of the office internet connection, power, and hardware infrastructure.
  • Requires all connections to use forced-tunnel VPN (to pick up the shared IP), potentially creating heavy traffic through the office connection and slowing down all connected devices.
  • Regularly having to set up VPN on new devices for users.
  • Dealing with instances where a user is unable to connect to the VPN (e.g. public hotspot not allowing VPN traffic).
  • If a hacker gained access to the central network (IP address), they could have easy access to the cloud-based servers and data.

3) Allow-listing specific IP addresses only

This would have involved compiling a list of all trusted IP addresses that need to access the cloud-based servers, then opening the remote desktop port to these IP addresses and blocking all others.

Potential problems/drawbacks

  • Heavy on maintenance/management - keeping a list of trusted IPs could become a headache
  • Most home users do not have a fixed IP address and entries would need to be regularly updated, with the user having to wait until this has been done. This is a complete headache!
  • What happens if a hacker gains access to a computer that is found on a network behind one of the trusted IPs? From that point onwards it's like an open door.

 

4) Duo Security (the chosen solution)

Qdos recommended using Duo Security. By opening the RDP port on the server, we could then lock down all access attempts so that the user must complete a second factor of authentication (the Duo Mobile app), which can push a verification request to the user’s mobile phone. As well as the mobile app, we can provide users with temporary bypass codes (where needed) and physical security tokens. Where necessary, other authentication methods such as SMS codes are also available to users, offering a wide variety of options when roaming around.

The app is easy to set up and use and removes the requirement to connect a VPN to the organisation’s office, freeing up bandwidth and improving the overall experience for all users.

The Duo Mobile app can be used to authenticate all devices for a user, meaning it is not necessary to reinstall/configure VPN connections on all devices.

Feedback from users

  • Simple to set up and use
  • Fast - less disruption to work
  • Less support needed, less frustration
  • Low-cost choice – always favourable!

 

Summary

Duo is a two-factor authentication solution, helping organisations to improve security by verifying the login identity of their users. It provides a secure connection to company networks, servers, and applications.

It is competitively priced, and we have found that it results in significant improvements for businesses by protecting their data and reducing login complexity.
