You can protect your Windows server with an extra layer of security to prevent bad actors from getting their hands on your data. To set up 2FA on the Windows server, we will be using Duo. Duo is the leading authentication service provider on the market. Due to its wide range of free and commercial services and its reliable security features, it is used by many organizations. In this article, we will go over how to set up two-factor authentication (2FA) for Windows Server using Duo.
Configure Application in DUO
1. First, register yourself at: https://signup.duo.com/
2. In the left menu, click Protect an Application, search for RDP, then click Protect next to Microsoft RDP.
3. Duo will generate the Integration key, Secret key, and API hostname; you will need all three later in the Windows installer.
Install Duo 2FA on Windows Server
Now, you need to install Duo on the Windows server and set up 2FA there.
On your Windows Server, download the installer from: https://dl.duosecurity.com/duo-win-login-latest.exe
1. Open the Duo installer and click Next.
2. Enter the API hostname we received earlier in the text field under API Hostname and click Next.
3. On the next page, enter the Integration key and Secret key that we received earlier in their respective text fields. Click Next once done.
4. Check the required options from the list below:
Bypass Duo authentication when offline: Check this option to allow users to log in without completing two-factor authentication when the Duo service cannot be reached. Leaving it checked trades MFA coverage for availability: any logon attempt during an outage of connectivity to Duo succeeds on the password alone.
If available, use auto push to authenticate: Check this option to automatically send a Duo Push or phone call as soon as the primary credentials are validated.
Only prompt for Duo authentication when logging in via RDP: Leave this option unchecked to require Duo two-factor authentication for both local logons and RDP sessions.
For this article, we will only prompt for 2FA at the time of RDP login, so we will check Only prompt for Duo authentication when logging in via RDP. Note that with this option checked, local console logons are not protected by Duo. You can choose the options as per your requirements.
5. (Optional) On the next step, you have the option to enable Smart Card support. If your needs require it, you can set it up here; in this guide, we will not be enabling this option.
6. (Optional) You can enable Elevation protection to protect password-protected UAC prompts with Duo. In this guide, we will not be enabling this option; click Next to move on.
7. Duo Authentication is now ready to be installed. Click Install to initiate the installation.
8. Congratulations! You have successfully installed the Duo Two-Factor Authentication application on your Windows server. Click Finish to close the window.
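Once the installer finishes, it is worth confirming on the server itself which of the step 4 options actually took effect rather than trusting the wizard. The PowerShell audit below is an added example, not part of the original article or of Duo's own tooling; it assumes, per Duo's documentation for the Windows Logon client (not stated on this page), that the installer writes its settings to the registry key HKLM:\SOFTWARE\Duo Security\DuoCredProv with the values Host, IKey, FailOpen, RdpOnly and AutoPush, so verify those names against your installed version.

```powershell
# Added example: audit the Duo Windows Logon settings after installation.
# Assumption (not from this article): the registry path and value names below
# follow Duo's documentation for the Windows Logon client. The secret key (SKey)
# is stored encrypted and is deliberately not read or displayed here.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

# Read a DWORD option, treating a missing value as 0 (option not enabled).
function Get-DwordOrZero($props, [string]$name) {
    if ($null -ne $props.$name) { [int]$props.$name } else { 0 }
}

function Get-DuoLogonSettings {
    if (-not (Test-Path $DuoKey)) {
        throw "Duo registry key not found: $DuoKey. Is Duo Authentication for Windows Logon installed?"
    }
    $props = Get-ItemProperty -Path $DuoKey
    [pscustomobject]@{
        ApiHostname    = $props.Host
        IntegrationKey = $props.IKey
        FailOpen       = Get-DwordOrZero $props 'FailOpen'   # "Bypass Duo authentication when offline"
        RdpOnly        = Get-DwordOrZero $props 'RdpOnly'    # "Only prompt ... when logging in via RDP"
        AutoPush       = Get-DwordOrZero $props 'AutoPush'   # "If available, use auto push"
    }
}

# Turn the raw settings into the findings a reviewer would want to see.
function Test-DuoLogonSettings {
    $s = Get-DuoLogonSettings
    $findings = @()
    if ($s.FailOpen -eq 1) {
        $findings += 'FailOpen=1: logons succeed on the password alone whenever the Duo service is unreachable.'
    }
    if ($s.RdpOnly -eq 1) {
        $findings += 'RdpOnly=1: only RDP sessions are prompted; local console logons are not covered by Duo.'
    }
    if ($s.AutoPush -ne 1) {
        $findings += 'AutoPush=0: users choose a factor at each logon (informational only).'
    }
    [pscustomobject]@{ Settings = $s; Findings = $findings }
}

# Usage: run from an elevated PowerShell session on the server.
$result = Test-DuoLogonSettings
$result.Settings | Format-List
if ($result.Findings.Count -gt 0) { $result.Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No risky Duo logon settings detected.' }
```

With the options chosen in this article, expect a warning for RdpOnly=1 and none for FailOpen.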
Enroll Users In Duo
Duo only authenticates users that have been created and enrolled in the Duo dashboard. Every Windows server comes with the default Administrator user, so in this article we also need to create an Administrator user in Duo and enroll it. If you skip this step, you will encounter the following error when logging in via RDP:
USER IS NOT ENROLLED IN DUO SECURITY. CONTACT YOUR LOCAL SYSTEM ADMINISTRATOR.
1. In the Duo dashboard, click Users in the menu on the left side and then click Add User.
2. Enter the username you use to log in to the Windows VPS; for Hyonix clients the default is Administrator. Once you have entered the username, click Add User to move forward.
3. Next, enter the required user information, including the user's email address, and click Save Changes once you are done. Then click Send Enrollment Email.
4. Now go to the mailbox you listed in the previous step, find the Duo Security Enrollment email, and follow its instructions.
5. Once you have completed setting up Duo on your mobile device, you will be prompted for two-factor authentication whenever you log in to your Windows server. We have now successfully set up two-factor authentication (2FA) for Windows Server using Duo.