
Rohos Logon Key provides secure 2-factor authentication for Windows Remote Desktop by using a mobile phone or One-Time-Password tokens.

2-factor authentication options:

  • By using a smartphone with the Google Authenticator application;
  • By delivering a One-Time-Password to any mobile phone by SMS or Email;
  • By integrating a 3rd-party OTP code delivery service or devices such as GSM modems;
  • By using a hardware OTP generator such as Yubikey/SecurID/SafeNet/Feitian;
  • Each user account can be configured with any type of 2-factor authentication means: Google Authenticator, SMS or Email delivery, or security devices such as PKCS#11 tokens.

The benefits of 2-factor authentication for Remote Desktop:

  • The user must provide a new OTP code for each login;
  • Each generated OTP code is unique and cannot be reused by the user;
  • Remote Desktop access can be restricted by user list or user group;
  • You don't need to install Rohos on the client PC/device you log in from;
  • 2-factor authentication is applied by a list of users, Active Directory group membership or an IP address filter;
  • The 2FA audit log can be reviewed and fed into any existing SIEM.

Rohos Logon Key allows access to Windows Remote Desktop in a secure way by using the popular and secure One-Time-Password authentication technology, replacing weak password-based login.


How it works

Rohos Logon Key integrates with or replaces the Windows Terminal Services authentication provider. It works by adding a two-factor authentication layer to the existing authentication infrastructure. After deployment, users can log into a remote session only by using 2-factor authentication: an OTP code plus their regular login credentials.

Rohos Logon Key message requiring 2-factor authentication:

User entering the OTP code to continue login into Remote Desktop:

Or, when using web-based access for Remote Applications (RDWeb), just click the “Show Details” button and enter the OTP code to start using an application.

Read next to find out how to configure it.


Installing Rohos Logon Key on Terminal Server

1. Install Rohos Logon Key on the Windows 2008/2012 Terminal Server:

Download 15-day trial Rohos Logon Key.


2. Choose a 2-factor authentication policy:

  • For all users
    Any user account will be required to pass 2FA.
  • For listed users
    Only configured users will be required to use 2-factor authentication for login. Any other user will be able to log in with a password as usual. The user list is created automatically by the “Setup a Key” dialog box. To review the list, open the “Users and Keys” dialog box.
  • For a 2FA user group in Active Directory
    Each user in a specially designated AD user group (default name ‘Rohos’) will be forced to pass 2-factor authentication during Remote Desktop login.
    Please note: the ‘Rohos’ user group must be created by an Active Directory administrator;
  • For Remote Desktop login
    All Remote Desktop sessions will be required to pass 2-factor authentication. You can set an IP filter to specify the LAN addresses that bypass 2FA; only users connecting via dial-up, DSL or other outside networks will then be required to pass 2-factor authentication.
  • For Remote Desktop users from the 2FA AD group
    Only users who connect from outside networks and belong to the 2FA group will be required to pass 2-factor authentication.

You should have Windows 2008 R2 / 2012 / 2016 Server as your Terminal Server to try it.

4. Set up Emergency Login
To prevent a Terminal Server login lockout caused by the 2-factor authentication policy, we recommend setting up the Emergency Login option. This allows an Administrator to log into the Terminal Server console/remote desktop by using: user name, Q&A entry and password. Emergency Login does not require 2-factor authentication. Emergency Login is not needed if you have access to the server console.



How to setup a user account for 2-factor authentication

2-factor authentication is applied individually to each user account. Automated setup is possible only with the “OTP delivery by SMS” option.

To set up 2-factor authentication for a user account, open Rohos Logon Key > Setup OTP Token:

Setup One Time Password authentication dialog box:

  1. Select the user account;
  2. Choose the type of One-Time-Password generator that the user will use;
  3. Leave the password field blank;
  4. Click “Enable OTP login” to apply the configuration.

Click “Display QR-Code” and “Copy code” to configure Google Authenticator, or send the Google Authenticator configuration to the user by email.
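To show what the QR code and “Copy code” actually hand to Google Authenticator, and how the server side then checks a code, here is an added Python example of TOTP enrollment and verification (RFC 6238, the scheme Google Authenticator implements). It is not Rohos code; the issuer name and the replay window are assumptions.

```python
import base64, hashlib, hmac, secrets, struct, time, urllib.parse

def new_secret(nbytes=20):
    # 160-bit random seed, base32-encoded: this is the value behind "Copy code"
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def otpauth_uri(secret, account, issuer="Rohos Logon Key"):
    # The text encoded in the enrollment QR code (issuer label is an assumption)
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={urllib.parse.quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")

def totp(secret, counter, digits=6):
    # HOTP over the 30-second step counter: HMAC-SHA1, dynamic truncation, mod 10^digits
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class TotpVerifier:
    """Accepts a code for the current step +/- window, but never the same step twice,
    which is what makes each OTP usable only once even inside its 30-second validity."""
    def __init__(self, secret, period=30, window=1):
        self.secret, self.period, self.window = secret, period, window
        self.last_counter = -1  # highest step already consumed by a successful login

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        step = int(now // self.period)
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_counter:
                continue  # replay of an already-used (or older) step is refused
            if hmac.compare_digest(totp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False
```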

When using the “OTP by Email/SMS” option:
– Enter the mobile phone number, or ensure the mobile phone field in the AD user account properties is filled in;
– Or enter the user's email;
– Make sure the OTP delivery method is set up properly by clicking the OTP Settings… link.



How to register multiple users with Google Authenticator

Rohos Management Tools provides a secure and scriptable way to set up multiple users with Google Authenticator 2FA and deliver the 2FA configuration by email or SMS.

Rohos Management Tools allows you to:
– Configure a group of users with Google Authenticator 2FA;
– Deliver the Google Authenticator configuration to the user by Email;
– Set up a custom delivery method such as SMS / text file / web server publishing;
– Resend, reset or delete the OTP configuration for already registered 2FA users.



Enabling automated 2-factor authentication by SMS / Email

Rohos Logon Key allows automated 2-factor authentication for Remote Desktop users. Rohos will automatically send a One-Time-Password code by SMS to the mobile phone number of the user account, or by email, during each login into Remote Desktop.

Your Terminal Server must meet the following requirements:

  • The user account telephone/mobile number field is filled in with the actual mobile number of the user, or the Email field is filled in;
  • Rohos Logon Key is configured with SMS-gateway support or Email credentials.

Setting up an SMS gateway as the OTP delivery method:

Requirements:

  1. An account with a 3rd-party SMS gateway / delivery service that offers an HTTP API to send SMS messages.

Open Rohos Logon Key > Setup OTP Token > OTP Settings…

Select a predefined HTTP service API or enter another HTTP API URL, for example:

https://api.clickatell.com/http/sendmsg?api_id=xxxx&user=xxxx&password=xxxx&to=%phone%&text=%text%

where the %phone% and %text% variables will be replaced with the user's phone number and the actual OTP code as the text message.
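As an added Python illustration (not Rohos code) of what the %phone% / %text% substitution involves and how a delivered SMS code differs from an authenticator code: the template below is constructed in the shape of the page's example with placeholder credentials, and the store shows the properties an SMS code needs because it has no shared secret behind it (random, short-lived, single-use). The 5-minute lifetime and the one-attempt rule are assumptions.

```python
import hmac, secrets, time, urllib.parse

# Constructed template in the shape the page shows; api_id/user/password are placeholders.
GATEWAY_TEMPLATE = ("https://api.clickatell.com/http/sendmsg?api_id=xxxx&user=xxxx"
                    "&password=xxxx&to=%phone%&text=%text%")

def build_gateway_url(template, phone, text):
    """Substitute %phone% and %text%, percent-encoding both values.
    Without encoding, the '+' of an E.164 number ('+1555...') is read as a space
    and any '&' or '=' in the message text would corrupt the query string."""
    missing = [p for p in ("%phone%", "%text%") if p not in template]
    if missing:
        raise ValueError(f"template lacks placeholder(s): {missing}")
    return (template.replace("%phone%", urllib.parse.quote(phone, safe=""))
                    .replace("%text%", urllib.parse.quote(text, safe="")))

class SmsOtpStore:
    """Server-side record of delivered codes. Unlike a Google Authenticator TOTP, an
    SMS code has no shared secret: it must be random, short-lived and single-use."""
    def __init__(self, ttl=300, digits=6):
        self.ttl, self.digits, self._pending = ttl, digits, {}

    def issue(self, user, phone, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"  # CSPRNG, not random.randint
        self._pending[user] = (code, now + self.ttl)  # reissuing replaces any earlier code
        url = build_gateway_url(GATEWAY_TEMPLATE, phone, f"Your login code: {code}")
        return code, url  # the caller performs the HTTP request to the gateway (not done here)

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(user, None)  # one attempt per issued code, pass or fail
        if entry is None:
            return False
        expected, expires = entry
        if now > expires:
            return False
        return hmac.compare_digest(expected, code)
```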

Setting up Email based authentication

It is also possible to combine the SMS and Email methods to deliver the OTP code for authentication. To achieve this flexibility you need to choose the “OtpDeliveryScript.ps1” option.

Requirements:

  1. PowerShell v.3 or higher (Windows 2012 R2 and higher has it by default);
    or Windows 2008 with an update;
  2. Script execution policy is enabled;
    To enable it, run the “Set-ExecutionPolicy -ExecutionPolicy RemoteSigned” command in PowerShell ISE (x86). You need to run both PowerShell and PowerShell (x86) as Admin and execute this command; see the screenshot.

Click Edit to open the OtpDeliveryScript.ps1 file and edit the Email options such as the SMTP server, email and password credentials for the mailbox that will be used to send emails:

To set up SMS delivery, find the string:

$SmsGatewayUrl = "https://api.clickatell.com/http/sendmsg?api_id=xxxx&user=xxxx&password=xxxx&to=$($AdUserName.telephoneNumber)&text=$($SmsNotificationText)"

and customize the xxxx URL parameters so that it becomes your SMS provider's HTTP API URL.
Both $($AdUserName.telephoneNumber) and $($SmsNotificationText) are script variables and you should not touch them.


Here are examples for well-known SMS delivery services:

$SmsGatewayUrl = "https://api.clickatell.com/http/sendmsg?api_id=xxxx&user=xxxx&password=xxxx&to=$($AdUserName.telephoneNumber)&text=$($SmsNotificationText)"

$SmsGatewayUrl = "https://api-mapper.clicksend.com/http/v2/send.php?method=http&username=xxxx&key=xxxx&to=$($AdUserName.mobile)&message=$($SmsNotificationText)"


You may select a user on the left or enter an Email/Phone and click the “test delivery” button to send an OTP code using the configured delivery method. Please note: to use Gmail as the email delivery service you need to change your Gmail settings: “Allow less secure apps”
https://support.google.com/accounts/answer/6010255?hl=en


Remote Desktop login with SMS authentication enabled:



How to disable or reset 2-factor authentication

There are a few ways to disable or reset 2-factor authentication for the entire server or for a selected user account.

To disable 2-factor authentication policy:

  • Uninstalling Rohos Logon Key restores the default password-based or pass-through authentication.
  • Setting the “Allows to login by USB key” option to “none” temporarily disables the 2-factor authentication requirement for all users.

To reset/change or disable 2-factor authentication for a user account:

  1. Removing the user account from the Rohos AD group may disable the 2-factor authentication requirement for the user (only with the policy “require 2-FA for Rohos group”);
  2. Open Rohos > Setup a Key dialog box > choose the user account > click “Disable OTP login”. This resets the 2-FA configuration for the user; the OTP generator used by the user (Google Authenticator, Yubikey) will become invalid;
  3. Open Rohos > Users and Keys dialog box > find the user and delete it from the list. This disables the 2-factor authentication requirement for the user (only with the policy “require 2-FA for the List of users”).



Registering multiple 2FA users with OTP configuration in an automated way

Rohos provides an automated way to set up multiple users with Google Authenticator. The enrollment QR code is delivered securely via email or SMS directly to the user's smartphone.


Control 2-FA requirements by using an IP filter

Rohos Logon Key allows you to filter Remote Desktop connections by client IP address and require 2-FA by IP mask.

How to try 2-FA for Remote Desktop by using the IP filter:

  1. In a Remote Desktop session open Rohos Logon Key > Options.
  2. Set the option “Allow to login only by USB Key” to “For Remote Desktop users outside LAN”.
  3. By clicking [?] you can check whether Rohos was able to identify your client's WAN IP address.
  4. Specify “LAN IP Filter:”; this should be a prefix of your local LAN. Using this prefix, Rohos can differentiate between LAN and WAN connections and require 2-factor authentication for clients with a WAN IP.
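The policy choices listed under “Choose a 2-factor authentication policy” and the LAN/WAN distinction above combine into one decision per login. The following added Python example (not Rohos code) models that decision: the policy names, the constructed LAN networks and the fail-closed handling of an unidentified client address are assumptions. Networks are compared as CIDR blocks rather than as text prefixes, since a text prefix like 10.0.1 would also match 10.0.10.x and 10.0.100.x.

```python
import ipaddress

# Constructed LAN definition standing in for the "LAN IP Filter" value
LAN_NETWORKS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("192.168.0.0/16")]

def is_lan(client_ip, lan_networks=LAN_NETWORKS):
    """True when the client address lies inside one of the configured LAN networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in lan_networks)

def outside_lan(client_ip):
    # Fail closed: if the client WAN/LAN address could not be identified (cf. the [?]
    # check in the Options dialog), treat the session as coming from outside.
    return client_ip is None or not is_lan(client_ip)

def requires_2fa(policy, user, client_ip=None, enrolled_users=(), group_members=(), is_remote=False):
    """Policy names (assumed) follow the five options described on the page."""
    if policy == "all_users":
        return True
    if policy == "listed_users":            # users present in the "Users and Keys" list
        return user in enrolled_users
    if policy == "ad_group":                # members of the designated 2FA AD group
        return user in group_members
    if policy == "remote_desktop":          # every RDP session, except LAN addresses in the filter
        return is_remote and outside_lan(client_ip)
    if policy == "remote_desktop_ad_group": # outside networks AND 2FA group membership
        return is_remote and outside_lan(client_ip) and user in group_members
    raise ValueError(f"unknown policy {policy!r}")
```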



Licensing Rohos Logon Key

  • A Rohos Logon Key Server license is required for each Terminal Server host running Rohos Logon Key; it allows protecting an unlimited number of users with an unlimited number of authentication keys;
  • A Rohos Logon Key Small Server license allows protecting up to 15 users.

Please note that authentication by SMS requires a 3rd-party SMS gateway service that is not included in Rohos Logon Key and must be configured and paid for separately.
