Prior to Remote Desktop, we used PCAnywhere to remotely connect to computers but it was a pay product and typically reserved for just the one server or just the one computer.  Then Remote Desktop came along and changed everything.  We were able to connect to almost any computer -- anywhere, as long as we had a static IP address and we opened port 3389 to the Internet.  Obviously, this was prior to the proliferation of the Virtual Private Network (VPN) and opening a port directly on the Internet was how it was done.  

But we can't have nice things. 

People started poking at our public facing resources and we were forced to move them to another port .  That worked for a brief time but then our resources were once again found.  When firewalls became sophisticated enough, we eventually moved them behind the firewall with rules to allow for specific access.  Then VPN's came along which changed everything.  And that seemed to hold us for a while.  Eventually, the attack model changed and bad actors stopped coming through the front door.  

If an attacker can get on the network through other means, we are now faced with the same situation we had previously.  An attacker has direct access to the RDP port and can attempt to bruteforce the login.  Now we can talk about lockout policies, complex passwords, and various other methods of prevention but these methods are no guarantee which is why we are now seeing the expansion of Two-Factor and Multi-Factor Authentication (2FA & MFA).  

When we suggest products, like 2FA, for clients, we want to cause the least amount of disruption to the work process and Duo is simple and near seamless. 

The rest of this post is about the installation of Duo specifically for Remote Desktop.  It assumes you have a Duo account already and it also assumes the client has already been enrolled.  

From the management interface, we select Applications:





We search for RDP:

We get our Integration key, Secret key, and API hostname:

On the Remote Desktop resource, we download the installation software:

We find our download in the Downloads folder:

Prior to installation, we want to verify that SHA-256 hash:

Above we have the hash they've provided.  Below, we're going to generate a hash from the download:

certutil -hashfile duo-win-login-4.0.2.exe SHA256

Our hashes match, now were are free to start the installation.  We select Yes:

Next:

We enter the API Hostname and select Next:

We enter the Integration Key, the Secret Key, and we select Next:

We choose our options and select Next:

We choose whether or not we want to enable Smart Card support and then we select Next:

And finally, we select Install:

We select Finish:

Now when we attempt to access Remote Desktop, we are not only prompted for our username and password, we are also greeted by:

At the same time, when we open the Duo application on our phone, we are presented with:

Assuming you're the one causing this prompt to appear in the application,  we select Approve and we are granted Remote Desktop access to this resource.