Protecting your Remote Desktop connections is crucial in today's cybersecurity landscape. One effective way to enhance security is by using Azure MFA (Multi-Factor Authentication) in conjunction with the Azure MFA NPS (Network Policy Server) extension. This setup ensures that even if an attacker obtains a user's credentials, they still need a second form of authentication to gain access, significantly reducing the risk of unauthorized access.
You can follow Microsoft's documentation to implement this at your company, or use the summary below if you already meet the prerequisites:
You need a dedicated RADIUS (NPS) server in your environment, used solely for the authentications that should prompt for MFA. You generally don't want MFA on all of your RADIUS authentication, and a single NPS server can't serve both MFA and non-MFA requests: once the extension is installed, it evaluates every request that server receives.
If users are already registered for MFA in your tenant, then this will work. If not, you need to register them for MFA and ensure it works before proceeding.
Installing the extension entails running the installer (.exe) from Microsoft and then the PowerShell script it ships with to connect it to your Azure tenant.
At this stage you can also configure advanced options, including what happens to users who are not yet enrolled for MFA.
Microsoft provides scripts and tools to check whether the extension is working correctly. If the setup succeeded, you should get an MFA prompt on your phone every time you connect to a server through it.
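The following PowerShell script is an added example, not part of the original article and not one of Microsoft's own check tools. It verifies on the dedicated MFA NPS server that the prerequisites from the steps above are in place (NPS role and service, extension installed), that the extension is configured to fail closed for users who are not enrolled for MFA, and then summarises recent NPS access decisions from the Security log so you can confirm RADIUS requests are actually reaching the server. It assumes the extension's default install directory and registry location (HKLM:\SOFTWARE\Microsoft\AzureMfa with the REQUIRE_USER_MATCH value) and the standard NPS audit event IDs 6272 (access granted) and 6273 (access denied); the function names are the example's own.

```powershell
# Added verification script (example code, not from the article or from Microsoft).
# Assumptions: run in an elevated session on the MFA NPS server; the extension
# uses its default install directory and registry path; NPS auditing is enabled
# so access decisions land in the Security log as events 6272/6273.

$ExtRegPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'                 # extension settings
$ExtConfigDir = 'C:\Program Files\Microsoft\AzureMfa\Config'        # default install path

function Test-MfaNpsPrerequisites {
    # Returns one object with a pass/fail flag per prerequisite.
    $result = [ordered]@{}

    # 1. The Network Policy Server role must be installed; the extension plugs into NPS.
    $npas = Get-WindowsFeature -Name NPAS -ErrorAction SilentlyContinue
    $result.NpsRoleInstalled = [bool]($npas -and $npas.Installed)

    # 2. The NPS service (service name IAS) must be running to answer RADIUS requests.
    $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
    $result.NpsServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 3. The tenant-registration script ships with the installer, so its presence
    #    shows the .exe step was completed.
    $result.ExtensionInstalled = Test-Path (Join-Path $ExtConfigDir 'AzureMfaNpsExtnConfigSetup.ps1')

    # 4. Fail-closed check: with REQUIRE_USER_MATCH=TRUE (the default when the value
    #    is absent) users who are not enrolled for MFA are denied; FALSE would let
    #    them through with only a password, which defeats the purpose of the setup.
    $item = Get-ItemProperty -Path $ExtRegPath -Name 'REQUIRE_USER_MATCH' -ErrorAction SilentlyContinue
    $val  = if ($item) { [string]$item.REQUIRE_USER_MATCH } else { $null }
    $result.RequireUserMatch = if ($null -eq $val) { 'not set (defaults to TRUE)' } else { $val }
    $result.FailsClosedForUnenrolledUsers = ($null -eq $val) -or ($val -ieq 'TRUE')

    [pscustomobject]$result
}

function Get-RecentNpsAuthEvents {
    # Summarises NPS access decisions so you can confirm requests reach this server
    # and see why any were denied (the Reason field carries the MFA outcome).
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 6272, 6273          # 6272 = access granted, 6273 = access denied
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull EventData fields by name rather than by position, which is more robust
        # across Windows versions than indexing $_.Properties.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time     = $_.TimeCreated
            Outcome  = if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' }
            User     = $data['FullyQualifiedSubjectUserName']
            ClientIP = $data['ClientIPAddress']    # the RADIUS client (e.g. the RD Gateway)
            Policy   = $data['NetworkPolicyName']
            Reason   = $data['Reason']
        }
    }
}

# Usage: run both checks and show the results.
Test-MfaNpsPrerequisites | Format-List
Get-RecentNpsAuthEvents -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The prerequisite object is intended for a quick read: every property should be True and REQUIRE_USER_MATCH should be TRUE or unset. A stream of 6273 denials with an MFA-related Reason right after rollout usually means users are not yet registered for MFA (the prerequisite above), while no events at all means the RADIUS client is not pointed at this server.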
Finally, implementing Azure MFA for your Remote Desktop connections significantly enhances your security posture. By following the steps above, you can ensure that your remote access solutions are protected against unauthorized access, providing peace of mind and compliance with industry standards.