Two factor authentication for RDP?

shawnstugard9871 · 2012-08-02T05:57:13.000Z

Due to new PCI compliance standards we are forced to implement two factor authentication for our RDP connections. We have a fairly small IT footprint with myself and 2 others that would be using RDP to access our servers. This is my first brush with 2FA and I’d like to draw on the experience of others.

What I’m looking for:

Seemless integration with the standard windows RDP (hopefully easy)
Low cost
Smart phone options so we don’t have to purchase or carry key-fobs

What I’ve been looking at:

http://www.duosecurity.com/
https://www.phonefactor.com/
https://www.trustwave.com/two-factor-authentication.php#overview (they do PCI compliance for us, so I’m looking at them, but they do seem expensive. Also looks suspiciously like duosecurity’s product)

Any comments or suggestions are welcome.

Thanks spicecrew!

scottlewis3575 · 2012-08-02T06:11:46.000Z

Would logging into a TS gateway and then RDP from there be considered 2 form authentication?

Steve9603 · 2012-08-02T06:12:04.000Z

Have you considered setting up a CA infrastructure and requiring those as well as username/password? You could go as far as tying them to usernames as well as devices.

molan · 2012-08-02T06:16:52.000Z

Keep in mind that anything software based is has inherent security risks with it. Because if it is in software it can be hacked or duplicated fairly easily. this is why hardware devices like key-fobs are more secure. But if software based meets you needs go for it.

Have you though about smart cards?

shawnstugard9871 · 2012-08-02T06:38:39.000Z

scott1196 wrote:

Would logging into a TS gateway and then RDP from there be considered 2 form authentication?

No, they need to be two different methods, two separate passwords unfortunately do not qualify.

shawnstugard9871 · 2012-08-02T06:42:56.000Z

Steve9603 wrote:

Have you considered setting up a CA infrastructure and requiring those as well as username/password? You could go as far as tying them to usernames as well as devices.

I like the idea, but I’d need to be able to login from anywhere, not just where I have the cert installed.

shawnstugard9871 · 2012-08-02T06:48:16.000Z

molan wrote:

Keep in mind that anything software based is has inherent security risks with it. Because if it is in software it can be hacked or duplicated fairly easily. this is why hardware devices like key-fobs are more secure. But if software based meets you needs go for it.

Have you though about smart cards?

For our uses we really don’t feel we need 2FA, we are doing it only to be PCI compliant. We use a web-based CC system and so no cardholder data is stored on-site. Smart cards require a reader wherever you want to login from and that just won’t cut it for us.

jasondarmanovich2693 · 2012-08-02T07:03:24.000Z

you could use a usb token like a gemalto to store your cert on plug it in and you put in a pin for the device and it allows access to the installed cert ,

jasondarmanovich2693 · 2012-08-02T07:07:22.000Z

look at Secure envoys BYOT ( bring your own token ) solution http://www.securenvoy.com/products/softtoken/overview.shtm

amitu0399 · 2012-08-20T10:10:55.000Z

Have a look at

ww38.ds3global.com

ds3global.com

This domain may be for sale!

might just solve all your authentication requirements.

nickjames · 2016-04-25T08:22:29.000Z

I understand this is a dead discussion, however I just wonder what your final decision was Shawn, as my company finds itself in the exact situation you described.

Thanks

brainman5 · 2017-07-26T18:48:15.000Z

We use Duo - it works.

port16 · 2017-08-14T18:02:32.000Z

Another_IT_Guy:

I understand this is a dead discussion, however I just wonder what your final decision was Shawn, as my company finds itself in the exact situation you described.

Thanks

No discussion is truly dead, this is the internet after all

I just ran across it looking for a solution. OP, what was the final decision Shawn9726?

@shawnstugard9871