Duo integrates with RDP to add two-factor authentication to Remote Desktop logins.
What login interfaces can be protected by Duo?
The Duo integration for RDP can provide two-factor authentication for RDP and local console logins. It will not add a secondary authentication prompt to the following logon types:
- Right-click “Run as administrator”
- Shift + right-click “Run as different user”
- PowerShell “Enter-PsSession” or “Invoke-Command” cmdlets
- Non-interactive logins (i.e. Log on as a Service, Log on as Batch, Scheduled Tasks, drive mappings, etc.)
I just set up a trial account, installed and configured Duo RDP, and now I can’t login to Windows. Help!
In order for the Duo service to properly authenticate a Windows user account, the username in Windows must match the username in the Duo account.
- Log in to the Duo administrative interface and make sure that you’ve added a user with a username that matches the Windows username.
- You will also need to manually enroll this user’s phone number so that the user can receive passcodes or phone calls, which are needed in order to authenticate.
- Once the user’s phone number has been added you may optionally install and enroll the Duo Mobile smartphone app, which will enable the “push” functionality for an RDP login.
- Now try to log in to Windows RDP again.
How can I configure the fail mode for RDP?
By default, the RDP integration will “fail open” if it is unable to contact the Duo service.
You can set the fail mode during installation to “fail close” by deselecting the “Bypass Duo authentication when offline” box in the Duo installer, or modify the setting after installation by changing the Registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\FailOpen from 1 to 0 to “fail closed.” This will deny all login attempts if there is a problem contacting the Duo service.
When modifying the FailOpen registry value on a Windows 2003 or XP system, a reboot is required to make the change effective.
How can I configure auto push for RDP?
When auto push is enabled, the Duo RDP login will automatically send a push notification to the Duo Mobile application after the user enters username and password. This is the installation default.
You can choose to disable auto push by deselecting the “Use auto-push to authenticate if available” box in the Duo installer, or modify the setting after installation by changing the Registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\AutoPush from 1 to 0.
When auto push is disabled, the user is presented with a dialog for entering another authentication factor, such as SMS or passcode, after the Windows username and password are entered.
Can Duo protect local console logins in Windows?
Yes, the Duo RDP integration does enable two-factor authentication for local console logins. However, it can be difficult to prevent an attacker with physical access to a system from compromising it. In particular, there are two significant threats you should take care to address:
- The Duo RDP integration can be bypassed by rebooting a Windows system into Safe Mode. To limit the effect of this, you should prevent all but a select group of users logging in while Windows is running in Safe Mode. (See, for example, http://support.microsoft.com/kb/977542.)
- By default, the RDP integration will “fail open” if it is unable to contact the Duo service. A user with local console access might be able to disrupt a machine’s network connectivity (e.g. by unplugging an ethernet cord), thereby bypassing Duo authentication.
  - You can set the fail mode during installation to “fail close” by deselecting the “Bypass Duo authentication when offline” box in the Duo installer, or modify the setting after installation by changing the Registry DWORD value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\FailOpen from 1 to 0 to “fail closed.” This will deny all login attempts if there is a problem contacting the Duo service.
It is also possible to only enable Duo authentication for RDP sessions (and not local console logins). This can be set during the installation by checking the “Only prompt for Duo authentication when logging in via RDP” box, or changed manually after installation by setting the Registry value HKEY_LOCAL_MACHINE\Software\Duo Security\DuoCredProv\RdpOnly to a value of 1.
When modifying the RdpOnly registry value on a Windows 2003 or XP system, a reboot may be required to make the change effective.
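The fail mode, auto push and RDP-only settings above are all DWORD values under the same Duo registry key. The following PowerShell script is an added example, not Duo's own tooling: it reads those values, reports the combinations the FAQ warns about (fail open, console logins unprotected, Safe Mode open to non-admins), and offers a function that enforces fail-closed. The Duo value names come from this page; SafeModeBlockNonAdmins is the policy value described in Microsoft KB977542 (linked above), and whether your particular Windows build honours it is an assumption you should confirm. Run it from an elevated prompt.

```powershell
# Added example (not Duo's code): audit the Duo RDP fail mode, auto push and
# RDP-only settings, plus the Safe Mode logon restriction, and optionally
# enforce fail-closed. Run elevated.
$duoKey    = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value does not exist
    return [int]$item.$Name
}

function Get-DuoRdpPosture {
    [PSCustomObject]@{
        FailOpen               = Get-RegDword $duoKey 'FailOpen'   # 1 = fail open (default), 0 = fail closed
        AutoPush               = Get-RegDword $duoKey 'AutoPush'   # 1 = auto push (default), 0 = prompt for a factor
        RdpOnly                = Get-RegDword $duoKey 'RdpOnly'    # 1 = RDP sessions only, 0 = console logons too
        # Assumption: value from KB977542; 1 = only administrators may log on in Safe Mode
        SafeModeBlockNonAdmins = Get-RegDword $policyKey 'SafeModeBlockNonAdmins'
    }
}

function Test-DuoRdpPosture {
    $p = Get-DuoRdpPosture
    $findings = @()
    if ($p.FailOpen -ne 0) {
        $findings += 'FailOpen is not 0: a user who disrupts network connectivity logs in without Duo.'
    }
    if ($p.RdpOnly -eq 1) {
        $findings += 'RdpOnly is 1: local console logons are not protected by Duo.'
    }
    if ($p.SafeModeBlockNonAdmins -ne 1) {
        $findings += 'SafeModeBlockNonAdmins is not 1: non-admins can log on in Safe Mode, where the Duo credential provider is not loaded.'
    }
    return ,$findings
}

function Set-DuoFailClosed {
    # Same effect as clearing "Bypass Duo authentication when offline" in the installer.
    Set-ItemProperty -Path $duoKey -Name 'FailOpen' -Value 0 -Type DWord
    # Per the FAQ, Windows 2003 / XP need a reboot before this takes effect.
}

Get-DuoRdpPosture | Format-List
$findings = Test-DuoRdpPosture
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
# To enforce fail-closed, uncomment the next line:
# Set-DuoFailClosed
```

Run the audit before changing anything; a null in the output means the value (or the Duo key itself) is absent, which for FailOpen means the installer default of fail open applies.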
How does Duo RDP work with NLA (Network Level Authentication)?
Network Level Authentication (NLA) for Remote Desktop Connection is an optional security feature available in Windows Vista and later. When NLA is enabled, remote connections pre-authenticate to the remote system when the RDP client connects, before displaying a full remote session. When NLA is disabled, the Windows username and password are entered within the RDP client session after connecting.
When the Duo RDP integration is installed on a system where NLA is enabled the RDP client will prompt for the Windows username and password in a local system dialog. That information is used to connect to the remote system and passed through to the Remote Desktop manager. Once the RDP client has completed primary authentication the full Remote Desktop session is displayed, and the Duo Security pop-up dialog will prompt to complete two-factor authentication.
When the Duo RDP integration is installed on a system where NLA is not required a full Remote Desktop session is displayed when the RDP client connects to the remote system. The Windows username and password are entered in the Remote Desktop window, and after the logon information is accepted the Duo Security pop-up dialog will prompt to complete two-factor authentication.
There are some security advantages to enabling NLA, but one of the drawbacks is that users with expired passwords are prevented from logging on. More information about NLA and RDP can be found at the Microsoft site and on Wikipedia.
How do I disable Duo RDP in Safe Mode?
Duo RDP can’t be uninstalled in Safe Mode, however it can be disabled.
For Windows Vista, Windows 7, Server 2008, or Windows 8 run the following from an elevated command prompt:
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredProv.dll"
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoCredFilter.dll"
For Windows Server 2003 run the following in the command prompt:
regsvr32 /u "C:\Program Files\Duo Security\DuoCredProv\DuoGina.dll"
Does Duo Security’s RDP integration support a web proxy?
Starting with version 1.0.7, the RDP integration will use the HTTPS proxy server configured in your system-wide WinHTTP settings.
You can configure the proxy server(s) used by WinHTTP with the netsh command.
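The following is an added example, not Duo's own instructions, of setting the machine-wide WinHTTP proxy with netsh, which is the setting the RDP integration (1.0.7 and later) honours. The proxy host and port, and the bypass domain, are constructed placeholders. Because the page states that the integration uses the system-wide WinHTTP settings, a proxy configured only in a user's browser settings will not be used.

```powershell
# Added example (not Duo's code): configure and confirm the WinHTTP proxy
# used by the Duo RDP integration. Run from an elevated prompt.
# proxy.example.internal:3128 and *.example.internal are constructed placeholders.

# 1. Record the current setting so it can be restored later.
netsh winhttp show proxy

# 2. Set the proxy. The Duo API host must be reachable through it on TCP 443.
#    Names on the bypass list are contacted directly; <local> means hostnames
#    without a dot.
netsh winhttp set proxy proxy-server="proxy.example.internal:3128" bypass-list="<local>;*.example.internal"

# 3. Confirm the setting took.
netsh winhttp show proxy

# Alternative: copy the current user's Internet Explorer proxy settings into WinHTTP.
# netsh winhttp import proxy source=ie

# To revert to a direct connection:
# netsh winhttp reset proxy
```

If the proxy requires authentication, WinHTTP has no stored credentials for the logon context, so the Duo API host should be allowed through the proxy without authentication or added to the bypass list with a direct route.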
Can I silently install Duo Security’s RDP integration with PowerShell?
Yes, first download the appropriate msi install file for your system using the links below. Next, enter the following command into PowerShell to silently install Duo Security with auto push off and automatically restart the server if required:
cmd.exe /c C:\duo-install-file.msi ikey="Integration Key" skey="Secret Key" host="API Hostname" autopush="#0" /quiet
You can also choose to change the default settings for fail mode (failopen="#0") and whether local console logins require two-factor (rdponly="#1").
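As an added example, not a Duo-supplied deployment script, the PowerShell below performs the same unattended install through msiexec directly, with fail-closed and RDP-only set, a verbose install log, and a check of the exit code (3010 means the install succeeded and a reboot is pending; this script uses /norestart rather than the automatic restart of the command above). The MSI path, keys and API hostname are placeholders; the property names follow the command shown above, and Windows Installer treats property names as case-sensitive, so use them exactly as the installer documents them.

```powershell
# Added example (not Duo's code): unattended Duo RDP MSI install via msiexec,
# with exit-code check and a read-back of the written settings. Run elevated.
$msi     = 'C:\duo-install-file.msi'          # placeholder path, as in the FAQ
$ikey    = 'INTEGRATION_KEY_PLACEHOLDER'      # placeholder
$skey    = 'SECRET_KEY_PLACEHOLDER'           # placeholder; do not hard-code in production
$apiHost = 'api-XXXXXXXX.duosecurity.com'     # placeholder API hostname
$log     = "$env:TEMP\duo-install.log"

# "#0" / "#1": the leading '#' makes Windows Installer store the value as a DWORD.
$props   = "ikey=`"$ikey`" skey=`"$skey`" host=`"$apiHost`" autopush=`"#0`" failopen=`"#0`" rdponly=`"#1`""
$msiArgs = "/i `"$msi`" $props /qn /norestart /l*v `"$log`""

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { 'Installed.' }
    3010    { 'Installed; reboot required (ERROR_SUCCESS_REBOOT_REQUIRED).' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $log" }
}

# Read back what the installer wrote so the deployment can be verified.
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Duo Security\DuoCredProv' |
    Select-Object FailOpen, AutoPush, RdpOnly
```

Supply the secret key from a protected deployment variable or a Read-Host -AsSecureString prompt rather than leaving it in the script file, since the verbose MSI log and any script repository would otherwise record it.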
MSI Download links
- Credential Provider for Windows Vista and later 32-bit
- Credential Provider for Windows Vista and later 64-bit
- GINA for Windows 2003 32-bit
- GINA for Windows 2003 64-bit
These MSI installers and properties can also be used to create a transform file for use with Active Directory Group Policy Software Publishing or other automated software deployment utilities.
I am using Internet Explorer; why am I unable to download the RDP installers?
Check your Internet Explorer options and uncheck the “Do not save encrypted pages to disk” option on the Advanced tab if it is selected. See this blog post for additional information.
How do I enable debug logging?
As an administrator, use the Registry Editor (regedit.exe) to create a new REG_DWORD value called Debug at HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv with the value set to 1. The log file location is %ProgramFiles%\Duo Security\DuoCredProv\duo.log. Please note that these paths apply to both the Credential Provider and GINA Duo installations.