RDP (Remote Desktop Protocol) is the protocol used to run an interactive session on a Windows server from a remote terminal. In this guide, we will protect RDP with IRONCHIP multi-factor authentication.
Requirements
- Have a functional Active Directory
- Have DHCP and DNS services active.
- Have RDP installed on the server
- Have NPS protected by IRONCHIP
- Have an MFA application created on the IRONCHIP platform
RD Gateway
The first step is to configure and deploy the RD Gateway. To do this, go to Remote Desktop Services in Server Manager and click on the Remote Desktop Gateway button.
Select the server on which the service will be installed and, on the next screen, enter the full domain name.
Click on next and then on add.
When the process finishes, it will ask us to configure a certificate. In my case, it will be self-signed.
If you don't have a certificate, proceed to create one by clicking on Create new certificate.
All you have to do is enter the full domain name, a password, a path to save it, and check the box at the end. Once you have done this, click on accept and then apply.
Assign that same certificate to all the services on the list by choosing Select certificate for each one.
Now install the certificate on the machine. To do this, follow the steps below:
- Right-click on the certificate.
- Select Install Certificate.
- Select Local Machine and then Next.
- Select Place all certificates in the following store and Browse….
- In the window that opens next, select the Trusted Root Certification Authorities folder and OK.
- Finally, click Next and Finish.
Copy the certificate to every machine that will use the gateway and repeat this installation on each of them.
Once this step is complete, we will create the RD CAP and RD RAP. To do this, open the Remote Desktop Gateway Manager, select your server, right-click on Policies and create a new policy.
First, select Create both RD CAP and RD RAP.
Give it an identifying name. It is important that the name we assign to the RD CAP policy in this case (IronchipCAP) is the same as the one that will appear in the “External ID” of the service created in the Ironchip dashboard.
Add the user groups to which the policy will apply.
In this tab, select the first option and tick the box at the end. The remaining options are not necessary, so click Next until you reach the Resource Authorization Policy.
Give it an identifying name.
Add the user groups to which the policy will apply.
Select the last option, Allow users to connect to any network resource. The following option is not necessary, so click Next until the configuration is complete.
Finally, we will create a group policy. To do this, open Group Policy Management, right-click on your server and select Create a GPO in this domain, and Link it here.
- Enter a name; for example, Ironchip.
- Right-click on the newly created GPO and select Edit.
- The Group Policy Management Editor will open. In it, navigate to User Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Gateway.
- In this section, select RD Gateway Authentication Method, set it to Enabled and choose Prompt for credentials, use smart card or username and password.
- In the RD Gateway section, select Enable connection through RD Gateway and set it to Enabled.
- In the RD Gateway Server Address section, select Set RD Gateway server address, set it to Enabled and enter the address of your server, for example, 10.0.0.2.
- Finally, run the gpupdate command in PowerShell on all related machines.
Don't forget to add the policies you created to the Ironchip plugin. To do this, run the installer, click on Change, and add the newly created policy and the RD CAP (separated by a comma and a space).
Restart the NPS and RDP services.
Plugin
To install the plugin, you need the IRONCHIP Windows NPS file, which can be downloaded from the Add-ons section on the Ironchip Dashboard.
After downloading the add-on, proceed to install it.
Click Next; on the next screen, accept the terms of use and then click Next again.
On the next screen, fill in the following information:
- Your Ironchip host. If you use our cloud solution, it will be api.ironchip.com. Otherwise, provide your custom host.
- Your company's API key obtained when creating the service.
- The name of the network policy you want to protect with Ironchip NPS. In the example, the created policy, IronchipProtected, will be used (if you want to add more than one, put the names separated by comma and space).
- Then click Next to continue.
On the next screen, with all the parameters correctly configured, click on Install.
If everything has been configured correctly and the installation has succeeded, you will see the following screen. Finally, click the Finish button to complete the installation.
You also have to create the application in the IRONCHIP panel that corresponds to the MFA application; in this case, the external ID will be the name of the RD CAP that you configured earlier.
Finally, add users to that application (use the format Domain\Username).
Checking that it works
To check that it works, you will need a client computer joined to the domain; then follow the steps in the video below.
Video Tutorial
RDP only through the Gateway
Configuration
The first step is to open the tool “Windows Defender Firewall with Advanced Security”.
Next, go to 'Inbound Rules' and look for the rules 'Remote Desktop - User Mode (TCP Inbound)' and 'Remote Desktop - User Mode (UDP Inbound)'.
Select the TCP rule and follow the steps below; both configurations are exactly the same.
1 - In the General tab, select the Block the connection option.
2 - In the Scope tab, add your server's IP under Local IP address.
3 - Apply the changes and repeat the same steps for the UDP rule.
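The same firewall change made from PowerShell instead of the console, with a check of the result afterwards. This is an added example, not part of the original guide: it assumes an elevated PowerShell on the RDP server, the server address 10.0.0.2 from the GPO step above (replace it with yours), and the English default display names of the two rules, which must be adjusted on a localized system.

```powershell
# Added example, not part of the original guide: block direct RDP to the server's own
# address so that only connections arriving through the RD Gateway are accepted.
# Assumptions: run in an elevated PowerShell on the RDP server; $ServerIp is the server's
# own address (10.0.0.2 from the GPO step, replace with yours); the rule display names are
# the English defaults of Windows Defender Firewall and differ on a localized system.
$ServerIp  = '10.0.0.2'
$RuleNames = @(
    'Remote Desktop - User Mode (TCP-In)',
    'Remote Desktop - User Mode (UDP-In)'
)

foreach ($name in $RuleNames) {
    # General tab: "Block the connection"; Scope tab: Local IP address = the server's IP.
    Get-NetFirewallRule -DisplayName $name -ErrorAction Stop |
        Set-NetFirewallRule -Action Block -LocalAddress $ServerIp -Enabled True
}

# Verification: every rule must now report Action = Block and the scoped local address.
foreach ($name in $RuleNames) {
    $rule = Get-NetFirewallRule -DisplayName $name
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule         = $name
        Enabled      = $rule.Enabled
        Action       = $rule.Action
        LocalAddress = $addr.LocalAddress
    }
}
```

Keep an existing session open while you apply this and confirm that a connection through the RD Gateway still works before closing it, since direct RDP to the server address will be refused from then on.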