
Multi-Factor Authentication for Remote Desktop Login

Overview

Microsoft Remote Desktop Protocol (RDP) sessions facilitate seamless connections between remote users and Windows computers, allowing for remote desktop interaction, application access, and file sharing. Users can remotely control Windows desktops or servers from any location, enhancing productivity and collaboration across distributed teams. RDP is a prime target for malicious actors seeking unauthorized entry into systems, as the traditional user name and password authentication mechanism is prone to brute force and credential theft attacks. By implementing MFA, organizations add an extra layer of security and significantly reduce the risk of unauthorized access, even in the event of password compromise.

Architecture Overview

CyLock MFA for RDP serves as a crucial defence mechanism for organizations to mitigate risks, enhance their security posture, and secure remote access against unauthorized infiltration and potential breaches in an increasingly interconnected digital environment.

CyLock MFA steps up as a vital solution, requiring users to confirm their identity through multiple distinct methods. This fortifies login access to Linux Servers, an indispensable measure for combating the dangers of password compromise, ensuring adherence to industry regulations, and, above all, safeguarding sensitive data.

CyLock MFA supports the following scenarios during logon via RDP to Windows desktop or Server through CyLock CP, a custom credential provider built for enabling MFA:

  • Local or domain login for incoming Remote Desktop (RDP) connections
  • Logins for incoming Remote Desktop (RDP) connections

    Figure 1 – Deployment Architecture diagram for RDP

Prerequisites

  1. Securing an application requires an active CyLock MFA account. (Refer to “Getting Started: Guide to CyLock MFA” to start using CyLock MFA to protect your applications.)
  2. Log in to the “CyLock MFA Portal”.
  3. Navigate to the Application menu in the left menu panel.
  4. Click “Add Application” button to secure an application. Locate and select “Desktop Authentication” from the list of application names. Click “+Secure” button to configure CyLock MFA for Desktop Authentication. Enter the details as requested and click “Save” button. Before leaving the page copy Application Key and Application ID, which are required during CyLock MFA Credential Provider component installation. See “Securing an Application” for more information about protecting applications in CyLock MFA.
  5. To install the CyLock Credentials Provider, ensure your Windows system patches are up to date.
  6. Download the CyLock MFA Credential Provider component from the URL https://downloads.cybernexa.com/downloads/CyLock-Desktop-RDP.exe.
  7. Follow the instructions in the “CyLock MFA Credential Provider Installation” section to enable Multi-Factor Authentication (MFA) for Windows Desktop login.
  8. Download the CyLock MFA Mobile App from the Android or iOS store.
  9. Register the Windows Desktop user using the CyLock MFA Mobile App.

CyLock MFA Credential Provider Installation

The CyLock MFA Credential Provider can be installed on a physical Windows Server. We recommend a system with at least 4 vCPU, 200 MB disk space, and 8 GB RAM. Windows Credential Provider supports the following operating systems:

  •  Windows 2012 R2, 2016, 2019 and 2022

Configuring CyLock Credential Provider component

Download the CyLock MFA Credential Provider component (refer to the Prerequisites section above). After downloading, copy or move the Credential Provider component to the system where it will be installed.

  1. Run the CyLock-Desktop.exe file with administrator privileges.

    Figure 2 – Executing the Credential Provider

  2. Enter your recovery password. This password is used for the Fallback Logon when the Authentication Server is unreachable.

    Note:

    1. The recovery password cannot be changed after the installation.
    2. If you set a different recovery password for each system, ensure you record and manage them to maintain business continuity.

      Figure 3 – Entering Recovery Password

  3. Enter the Server URL as (https://authv2.cybernexa.com/api/v2/srv/). Refer to point #4 in the Prerequisites section above to get the Authorization Key and Customer ID.

    Figure 4 – Entering Auth Server URL, API Key and IDSP Key

  4. Select the "I accept the agreement" option, then click Next.

    Figure 5 – Accepting License Agreement

  5. Click the Install button.

    Figure 6 - Clicking on Install

  6. The CyLock Credential Provider will now be installed on your Windows system.

    Figure 7 - Installing CyLock Credential Provider

  7. After the installation is complete, click the Finish button to complete the process, then restart the system.

    Figure 8 - Completing the Installation
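
A check an administrator might run around the installation steps above, as an added example (not CyLock's own tooling): it reports the Authenticode signature and SHA-256 of the downloaded installer before it is run with administrator privileges, then, after the restart, lists the registered credential providers and filters with their implementing DLLs so the new provider's entry can be confirmed. The installer path is an assumption; the registry locations are the standard Windows ones.

```powershell
# Added example, not vendor code. $Installer is an assumed local path to the
# downloaded file; adjust it to where the installer was saved.
param(
    [string]$Installer = "$env:USERPROFILE\Downloads\CyLock-Desktop-RDP.exe"
)

# 1. Before running the installer as administrator: report its Authenticode
#    signature and record its hash for the change record.
if (Test-Path -LiteralPath $Installer) {
    $sig = Get-AuthenticodeSignature -LiteralPath $Installer
    [pscustomobject]@{
        File   = $Installer
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
    } | Format-List
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Installer signature status is '$($sig.Status)'; resolve this before running it."
    }
}

# 2. After installation and restart: list every registered credential provider
#    and filter, the DLL that implements it, and that DLL's signature status.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication'
$rows = foreach ($kind in 'Credential Providers', 'Credential Provider Filters') {
    Get-ChildItem -Path "$base\$kind" -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $name   = $_.GetValue('')      # default value holds the provider name
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        # Only full paths that exist are checked; bare file names show 'n/a'.
        $dllSig = 'n/a'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $dllSig = (Get-AuthenticodeSignature -LiteralPath $dll).Status
        }
        [pscustomobject]@{
            Kind = $kind; Clsid = $clsid; Name = $name
            Dll = $dll; DllSignature = $dllSig
        }
    }
}
$rows | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Save the listing from a known-good install; comparing later runs against it shows any provider or filter that was added or removed afterwards.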

Test the Setup

  1. To connect to your Windows server using Remote Desktop Connection, follow these steps:
    •  Open the Remote Desktop Connection application.
    •  Enter your server's IP address in the "Computer" field.
    •  Click "Connect."

      Figure 9 – Entering Windows Server IP Address

  2. Enter your login credentials and then click OK.

    Figure 10 – Entering Login Credentials

  3. Once the user credentials are verified, MFA will be triggered based on your preferred authentication mode. Click the 'Authenticate' button to receive a push notification request on your registered mobile device.

    Figure 11 – Preferred Authentication Screen

  4. For more authentication options, click “Try Other Authentication”.

    Figure 12 – Try Other Authentication Page

  5. You will get the push notification request as shown in Figure 13 below.

    Figure 13 – Push Notification Request

  6. Click ‘Accept’ to gain access to the desktop login.

    Figure 14 – Accepting Push Request

  7. After the authentication is approved, you will be logged in.

    Figure 15 – Windows Desktop Screen