Virtual smart cards are nice. We use it here but only two of us as you need the server to support it (not all our servers are modern enough) and the client too. AFAIK you need a minimum of Windows 8. We have 3 or so Windows 8 deployments currently, we haven't looked at it too much since it's mostly IT that uses RDP and we have two of the three Windows 8 machines. Haven't looked either at ONLY allowing MFA but it sounds like it would be an option.

> From an implementation standpoint it's pretty easy, you'll just need a manual
> step to set the user's PIN - or have a scripted one and force them to change
> it.

It's nice being able to log on to my Surface Pro 2 and log on to most servers (from the SP2) with just a 12 digit numeric PIN rather than need my full 20+ char alphasymbonumeric password every time.

Freddy

From: [email protected] [mailto:[email protected]] On Behalf Of Mote, Todd
Sent: Thursday, 18 June 2015 2:30 AM
To: '[email protected]'
Subject: RE: [mssms] OT: MFA with RDP

Yea, they come up when you search for anything close to RDP and multi-factor. It costs money though. Just thought I'd see if there was something else. On the ActiveDir list someone suggested virtual smart cards in conjunction with TPMs on rdp client endpoints to access servers. Turning the computer itself into the smartcard. Dunno how viable or easy that might be, but I'm looking into it.

From: [email protected] [mailto:[email protected]] On Behalf Of Orlebeck, Geoffrey
Sent: Wednesday, June 17, 2015 11:19 AM
To: '[email protected]'
Subject: RE: [mssms] OT: MFA with RDP

Not sure your scope, but I've heard numerous users successfully implementing this (albeit in small shops with <250 users).

https://www.duosecurity.com/docs/rdp

From: [email protected] [mailto:[email protected]] On Behalf Of Atkinson, Matt T
Sent: Wednesday, June 17, 2015 9:11 AM
To: [email protected]
Subject: RE: [mssms] OT: MFA with RDP

Guessing Multi-Factor Authentication?

From: [email protected] [mailto:[email protected]] On Behalf Of Marable, Mike
Sent: Wednesday, June 17, 2015 9:05 AM
To: [email protected]
Subject: Re: [mssms] OT: MFA with RDP

Not to sound too dense, but what is "MFA"? I'm sure as soon as I hit send it'll hit me and I'll feel foolish. :)

Mike

From: Todd Mote <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, June 17, 2015 at 11:46 AM
To: "[email protected]" <[email protected]>
Subject: [mssms] OT: MFA with RDP

Cross posting this because everybody here is really smart.
:) I'm pretty sure I know the answer to this, but is there any way to natively do MFA with Remote Desktop. I mean with certificates or something else that doesn't cost a bunch of money?

Todd
