Rohos Logon Key provides secure 2-factor authentication for Windows Remote Desktop by using a mobile phone or One-Time-Password tokens.
2-factor authentication options:
- Using a smartphone with the Google Authenticator application;
- Delivering a One-Time-Password to any mobile phone by SMS or email;
- Integrating a 3rd-party OTP code delivery service or devices such as GSM modems;
- Using a hardware OTP generator such as Yubikey/SecureID/SafeNet/Feitian;
- Each user account can be configured with any type of 2-factor authentication means.
The benefits of 2-factor authentication for Remote Desktop:
- The user must provide a new OTP code for each login;
- Each generated OTP code is unique and cannot be duplicated by the user;
- Remote Desktop access can be restricted by user list or user group;
- You don't need to install Rohos on the client PC/device you log in from;
- 2-factor authentication is applied by list of users / Active Directory group membership / IP address filter;
- The 2FA audit log can be reviewed and included in any existing SIEM.
Rohos Logon Key provides secure access to Windows Remote Desktop by using the popular One-Time-Password authentication technology in place of weak password-based login.
- How to enable 2-factor authentication for a user account
- How to register multiple users with Google Authenticator
How it works
Rohos Logon Key integrates with or replaces the Windows Terminal Services authentication provider. It adds a two-factor authentication level to the existing authentication infrastructure. After deployment, users can log into a remote session only by using 2-factor authentication: an OTP code plus their regular login data.
Rohos Logon Key message requiring 2-factor authentication:
User entering the OTP code to continue login into Remote Desktop:
Read on to find out how to configure it.
Installing Rohos Logon Key on Terminal Server
1. Install Rohos Logon Key on the Windows 2008/2012 Terminal Server:
2. Enable 2-factor authentication by using One-Time-Passwords. Open Options and select “Google Authenticator (OATH)” as the active 2-FA authentication means:
3. Choose a 2-factor authentication policy:
- For listed users
Only configured users are required to use 2-factor authentication for login. Any other user can log in with a password as usual. The user list is created automatically by the “Setup a Key” dialog box. To review the list, open the “Users and Key” dialog box.
- For 2FA user group in Active Directory
Each user in a specially designated AD user group (default name ‘Rohos’) is forced to pass 2-factor authentication during Remote Desktop login.
Please note: the ‘rohos’ user group must be created by an Active Directory Administrator;
- For Remote Desktop login
All Remote Desktop sessions are required to pass 2-factor authentication;
- For Remote desktop users
Only users who connect through dial-up, DSL, or other outside networks are required to pass 2-factor authentication.
- For Remote desktop users from 2FA AD group
Only users who connect from outside networks and belong to the 2FA group are required to pass 2-factor authentication.
You need Windows 2008 R2 / 2012 / 2016 Server as your Terminal Server computer to try it.
4. Set up Emergency Login
To prevent a Terminal Server login lockout caused by the 2-factor authentication policy, we recommend setting up the Emergency Login option. It allows the Administrator to log into the Terminal Server console/remote desktop by using a user name, a Q&A entry and a password. Emergency Login does not require 2-factor authentication. It is not needed if you have access to the Server console.
2-factor authentication is applied individually to each user account. Automated setup is possible only with the “OTP delivery by SMS” option.
To set up 2-factor authentication for a user account, open Rohos Logon Key > Setup a Key:
- Select the user account;
- Choose the type of One-Time-Password generator the user will use;
- Leave the password field blank;
- Click “Enable OTP login” to apply the configuration.
Click “Display QR-Code” and “Copy code” to configure Google Authenticator, or send the Google Authenticator configuration to the user by email.
When using the “OTP by Email/SMS” option:
- Enter the mobile phone number, or ensure the mobile phone field in the AD user account properties is filled in;
- Or enter the user's email;
- Make sure the OTP delivery method is properly set up in Rohos Logon > Options > Google Authenticator options.
Rohos Management Tools provide a secure, transparent and customizable way to set up multiple users with Google Authenticator 2FA and deliver the 2FA configuration by email or SMS.
Rohos Management Tools allow you to:
- Configure a group of users with Google Authenticator 2FA;
- Deliver the Google Authenticator configuration to the user by email;
- Set up a custom delivery method such as SMS / text file / web server publishing;
- Resend or delete the 2FA configuration for already registered 2FA users.
Enabling automated 2-factor authentication by SMS / Email
Rohos Logon Key allows automated 2-factor authentication for Remote Desktop users. During login into Remote Desktop, Rohos automatically sends the One-Time-Password code by SMS to the telephone number of the user account, or by email.
Your Terminal Server must meet the following requirements:
- The telephone/mobile number field contains the user's mobile number, or the Email field is filled in;
- Rohos Logon Key is configured with SMS-gateway support or email credentials;
Setting up SMS-gateway or another OTP-delivery method
Requirements:
- PowerShell v3 or higher (Windows 2012 R2 and higher has it by default);
- Script execution policy is enabled;
To enable it, run the command Set-ExecutionPolicy -ExecutionPolicy RemoteSigned in PowerShell. You need to run both PowerShell and PowerShell (x86) as Administrator and execute the command in each; see the screenshot.
Open Rohos Logon Key > Options > Google Authenticator options.
- Click Edit to open the OtpDeliveryScript.ps1 file and edit the email options such as the SMTP server, email address and password credentials for the mailbox that will be used to send emails:
To set up SMS delivery, edit the line:
$SmsGatewayUrl = "https://api.clickatell.com/http/sendmsg?api_id=xxxx&user=xxxx&password=xxxx&to=$($AdUserName.telephoneNumber)&text=$($SmsNotificationText)"
and change the URL to your SMS provider's HTTP API URL;
Both $($AdUserName.telephoneNumber) and $($SmsNotificationText) are script variables and you should not change them;
You may select a user on the left, or enter an email/phone, and click the “test delivery” button to send an OTP code via the configured delivery method.
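The delivery step above, as an added example: this is not Rohos's own OtpDeliveryScript.ps1 (whose full contents are not shown on this page) but a script of the same shape, assuming, as the page states, that Rohos populates $AdUserName and $SmsNotificationText before it runs; the .mail and .sAMAccountName attributes, the gateway reply convention and all credentials are assumptions or placeholders.

```powershell
# Added example, not Rohos's own OtpDeliveryScript.ps1. Assumes Rohos sets $AdUserName
# (AD user object with .telephoneNumber and, assumed here, .mail and .sAMAccountName) and
# $SmsNotificationText (the message carrying the OTP) before this code runs.
# Credentials below are placeholders; replace them with your provider's values.
$SmsApiId   = 'xxxx'
$SmsUser    = 'xxxx'
$SmsPass    = 'xxxx'
$SmtpServer = 'smtp.example.com'
$SmtpUser   = 'otp@example.com'
$SmtpPass   = 'xxxx'

function Send-OtpBySms {
    param([string]$Phone, [string]$Text)
    # Escape the dynamic parts so a '+' or '&' in the number or text cannot corrupt the query string
    $to   = [System.Uri]::EscapeDataString($Phone)
    $body = [System.Uri]::EscapeDataString($Text)
    $url  = "https://api.clickatell.com/http/sendmsg?api_id=$SmsApiId&user=$SmsUser&password=$SmsPass&to=$to&text=$body"
    $resp = Invoke-RestMethod -Uri $url -Method Get -TimeoutSec 15
    # Assumed provider convention: a reply starting with 'ERR:' means the message was not accepted
    if ("$resp" -like 'ERR:*') { throw "SMS gateway refused the message: $resp" }
}

function Send-OtpByEmail {
    param([string]$To, [string]$Text)
    $secure = ConvertTo-SecureString $SmtpPass -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential -ArgumentList $SmtpUser, $secure
    # Submission port with TLS so the code is not handed to the mail server in clear text
    Send-MailMessage -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $cred `
        -From $SmtpUser -To $To -Subject 'Remote Desktop one-time code' -Body $Text
}

# Prefer SMS when the AD account carries a mobile number, otherwise fall back to email
if (-not [string]::IsNullOrWhiteSpace($AdUserName.telephoneNumber)) {
    Send-OtpBySms -Phone $AdUserName.telephoneNumber -Text $SmsNotificationText
    $channel = 'sms'
} elseif (-not [string]::IsNullOrWhiteSpace($AdUserName.mail)) {
    Send-OtpByEmail -To $AdUserName.mail -Text $SmsNotificationText
    $channel = 'email'
} else {
    throw "No telephoneNumber or mail attribute set for $($AdUserName.sAMAccountName)"
}
# Audit line for the SIEM: records who was sent a code and over which channel, never the code itself
Write-Output ("{0:o} otp-delivery user={1} channel={2}" -f (Get-Date), $AdUserName.sAMAccountName, $channel)
```

Keep the gateway and mailbox credentials out of any log output, since the script runs with the rights of the logon process.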
Remote Desktop login with SMS authentication enabled:
How to disable or reset 2-factor authentication
There are a few ways to disable or reset 2-factor authentication for the entire server or for a selected user account.
To disable the 2-factor authentication policy:
- Uninstalling Rohos Logon Key restores default password-based or pass-through authentication.
- Setting the “Allows to login by USB key” option to “none” temporarily disables the 2-factor authentication requirement for all users.
To reset, change or disable 2-factor authentication for a user account:
- Removing the user account from the Rohos AD group disables the 2-factor authentication requirement for the user (only with the policy “require 2-FA for Rohos group”).
- Open Rohos > Setup a Key dialog box > choose the user account > click disable OTP login. This resets the 2-FA configuration for the user; the OTP generator the user was using (Google Authenticator, Yubikey) becomes invalid.
- Open Rohos > User and Keys dialog box > find the user and delete it from the list. This disables the 2-factor authentication requirement for the user (only with the policy “require 2-FA for the List of users”).
Enabling 2-FA by using client IP filter
An experimental Rohos Logon Key feature allows filtering Remote Desktop connections by client IP address and requiring 2-FA by IP mask.
How to try 2-FA for Remote Desktop using the IP filter:
- In a Remote Desktop session open Rohos Logon Key > Options.
- Set the option “Allow to login only by USB Key” to “For Remote Desktop users outside LAN”.
- Click [?] to check whether Rohos was able to identify your client WAN IP address.
- Specify “LAN IP Filter:”; this should be a prefix of your local LAN. Using this prefix, Rohos differentiates LAN from WAN connections and requires 2-factor authentication for clients with a WAN IP.
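As an added example (not Rohos code), the following shows what a LAN prefix filter decides for a few constructed client addresses and compares it with exact CIDR membership. It assumes the filter is matched as a plain text prefix, as the option's description suggests; the function names and sample addresses are invented for the demonstration.

```powershell
# Added example, not Rohos code. Shows how a "LAN IP Filter" prefix sorts a client address into
# LAN (password only) or WAN (2-factor required), and why a prefix without a trailing dot is
# looser than it looks. Sample addresses are constructed; prefix matching is an assumption.

function Test-MatchesLanPrefix {
    param([string]$ClientIp, [string]$LanPrefix)
    # Plain string prefix, as a text filter field is typically matched
    return $ClientIp.StartsWith($LanPrefix)
}

function Test-InCidr {
    # Exact network membership (octet-by-octet mask compare), for comparison with the prefix rule
    param([string]$ClientIp, [string]$Cidr)   # e.g. '192.168.1.0/24'
    $net, $bits = $Cidr -split '/'
    $ipB = ([System.Net.IPAddress]$ClientIp).GetAddressBytes()
    $nB  = ([System.Net.IPAddress]$net).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $n = [Math]::Min(8, [Math]::Max(0, [int]$bits - 8 * $i))   # mask bits that fall in this octet
        if ($n -eq 0) { return $true }
        $m = (0xFF -shl (8 - $n)) -band 0xFF
        if (($ipB[$i] -band $m) -ne ($nB[$i] -band $m)) { return $false }
    }
    return $true
}

function Get-RequiredAuth {
    param([string]$ClientIp, [string]$LanPrefix)
    if (Test-MatchesLanPrefix $ClientIp $LanPrefix) { 'password' } else { 'password+OTP' }
}

# The office LAN is 192.168.1.0/24 and the filter is written as "192.168.1" without a trailing dot.
# 192.168.100.7 is outside that network but still starts with "192.168.1".
'192.168.1.25', '192.168.100.7', '203.0.113.9' | ForEach-Object {
    '{0,-15} prefix "192.168.1" -> {1,-12} in 192.168.1.0/24 -> {2}' -f $_,
        (Get-RequiredAuth $_ '192.168.1'), (Test-InCidr $_ '192.168.1.0/24')
}

# Writing the filter with a trailing dot ("192.168.1.") makes the text prefix match the network boundary
Get-RequiredAuth '192.168.100.7' '192.168.1.'
```

Before relying on the filter, compare the prefix you enter against the [?] result for a client on each side of the boundary, since anything the prefix matches skips the OTP step.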
Licensing Rohos Logon Key
- A Rohos Logon Key Server license is required for each Terminal Server host with Rohos Logon Key; it protects unlimited users and allows unlimited authentication keys;
- The Rohos Logon Key Small Server license protects up to 15 users;
Please note that authentication by SMS requires a 3rd-party SMS gateway service that is not included in Rohos Logon Key.