"New Security flaw exposed in Microsoft’s remote desktop"SecurEnvoy 21/11/2014, Archive
Many companies use Microsoft Remote Desktop Web (RD Web) in order to manage their access to server resources. Two-factor authentication (2FA) is recommended to secure this access. This usually consists of the conventional username and password components plus an additional passcode component. However, there has recently been an increase in cases of third parties obtaining access to web applications in RD Web environments without needing to enter the additional passcode. How have the third parties been able to get past the usually highly secure 2FA and how should RD Web users protect themselves in the future?
Let's take a look at everyday business activities and how an RD Web login process normally runs. First, a user must authenticate themselves via 2FA in a Microsoft RD Web interface in order to access a website. Then there is a second authentication normally via Single Sign On (SSO) to RD Gateway which is the main VPN that all remote data sent from the RDP client uses. Next something known as an RD Connection Broker comes into play and this connects the user to a backend RD Session Host. Application access is then enabled.
However, the interaction between RD Web and traditional 2FA servers has resulted in the appearance of major vulnerabilities. The reason for this is the lack of a connection between the 2FA server and the Microsoft RD Gateway server. Users can easily create a remote desktop protocol (RDP) file or just request full desktop access directly to the RD Gateway without needing to visit the RD Web first. This allows third parties to bypass the 2FA check required at the RD website and access the gateway directly. To login, one simply has to enter a username and a password here. As the RD Gateway does not have any 2FA integration, this constitutes a major security risk for companies and organisations.
Where the Microsoft protection stops
In order to prevent such bypassing of 2FA, companies are recommended to install a Windows Logon Agent (2FA) on each RD Session Host. But this theoretically beneficial security step actually creates another big problem: Each backend RD Session Host will require a separate 2FA authentication so each time a user reconnects or starts a different application the RD Connection Broker will probably select a different Session Host. In other words, users would be forced to authenticate themselves countless times via 2FA in their daily work. This would lead not only to frustration but also a reduction in workflow and productivity. It is also a poor security design as it’s like trying to lock all internal doors after leaving your front door open!
SecurEnvoy is the first 2FA company to add true RD Gateway integration. They are the only provider of a solution that restores the security of 2FA and overcomes the aforementioned problems with Microsoft RD Gateway. When companies install a SecurEnvoy solution in the RD Web and on the RD Gateway, all communication through both the RD Web and the RD Gateway is routed and simultaneously checked by the SecurEnvoy agent. This is possible because the SecurEnvoy solution is directly connected to the RD Gateway and Active Directory server and the security mechanisms can now be applied to the whole system. This allows every user to again make unrestricted use of 2FA for all remote desktop web sessions. The system is 100% secure and can never be bypassed using just a conventional login process (username and password).