Knowledge Base Article

Remote Desktop Services MFA Setup

Prevent Remote Desktop Server ransomware and brute force password attacks.


Last Review: February 4, 2020

Product(s): Windows Server 2019, Azure

Author(s): John Whinery


A cyberist created this article using the patented Delta Method by modernizing a typical approach.


Remote Desktop Services with Multi-Factor Authentication (MFA) is the recommended prevention against ransomware. The attack port changes to 443 HTTPS from 3389 RDP and the MFA prevents brute force password attacks.

Simply changing the communication port to a custom port number is not an effective defense against a port scan. A Virtual Private Network (VPN) is also susceptible to port scan and brute force password attacks and should also be secured with MFA.


  • Internet connectivity and perimeter firewall address and administrator credentials
  • Domain administrator and Azure portal global administrator credentials
  • Windows Server 2019 and Remote Desktop User CAL licenses
  • Enterprise Mobility Suite subscription providing Azure AD Premium for MFA must be assigned to each remote user and MFA enabled for a phone call
  • Public SSL certificate purchased separately with FQDN like
  • FQDN for the remote desktop gateway must resolve via NSLOOKUP in DNS on the Internet and inside the network
  • Install Remote Desktop Licensing Manger on a domain controller prior to setup of the Remote Desktop Gateway on the remote desktop server
  • Network Policy Server role and NPS extension must be installed on a domain controller and a restart will be required
  • Windows Server 2019 on a Domain Controller has a known flaw where a custom Radius firewall rule must be added inbound with UDP for ports 1812, 1813, 1645, 1646
  • All networking with firewall enabled and storage must be configured before installing the Remote Desktop Server role
  • For Installation Type of Remote Desktop Services, DO NOT select Role-based or feature-based installation
  • Installing Remote Desktop Services on the remote desktop gateway server will require a restart
  • Server name for remote desktop gateway CANNOT be changed after installation without uninstalling and reinstalling remote desktop services and related components
  • For troubleshooting, enable logging on the Advanced Settings of the Windows Defender Firewall on both the domain controller and remote desktop server
  • The following should be recorded in the System Plan: Windows Server and Remote Desktop User CALs keys, SSL and NPS shared secret passwords, remote desktop deployment options, Azure GUID, and NPS settings
  • Setup and testing of Remote Desktop Services with MFA will require a minimum of 2-4 hours

1) Activate Remote Desktop Licensing on a Domain Controller

  • Open Server Manage, click Manage, and select Add Roles and Features
  • Select Role-based or Feature-based installation
  • Select the domain controller computer as the destination server
  • On the Select Server Roles page, select Remote Desktop Services and Remote Desktop Licensing
  • Continue the installation selecting default values for the remaining settings
  • Open Server Manager > Tools > Remote Desktop Services > Remote Desktop Licensing Manager
  • Right-click the license server, then click Activate Server and then Next
  • For the Connection Method, select Automatic Connection (recommended), and then click Next
  • Enter your company information (contact name, company name, geographic region), and then click Next
  • Start Install Wizard now and select Open License, then Authorization Number and License Number, and quantity
  • Click Finish to complete the process

2) Configure Network Policy Server on a Domain Controller

  • Log into the domain controller and select Server Manager > Manage > Add Roles and Features. (Click Next on each selection to move to the next screen)
  • Choose Role-based or Feature-Based Installation for Installation Type
  • Select the domain controller from the server pool
  • Select Network Policy and Access Services
  • Confirm installation options and choose Restart the Destination Server Automatically if Required option
  • After restart and login, select Server Manager > Tools > Network Policy Server and configure the settings below
Setting Value
Radius Client
Friendly Name Gateway
Address Remote Desktop Gateway IP Address
Shared Secret Password1
Remote RADIUS Server Group
Group Name N/A
Server N/A
Shared Secret N/A
Load Balancing / Advanced N/A
Connection Request Policy
Policy Name Use Windows authentication all users
Type of network access Remote Desktop Gateway
Conditions Day and time restrictions
Settings / Authentication Authenticate requests on this server
Network Policies
Policy Name RDG_CAP
Ignore user account dial-in Check
Type of network access Remote Desktop Gateway
Conditions Day and time restrictions
Constraints / Authentication Allow Clients to connect without negotiating an authentication method
Settings / IP Settings Server settings determine IP address assignment

3) Create Radius Firewall Rule on Domain Controller

  • Open Control Panel and Windows Defender Firewall
  • Select Advanced Settings, right-click Inbound Rules, and New
  • Create a rule called Radius Inbound by port, UDP, and 1812, 1813, 1645, 1646

4) Installing NPS Extension for MFA on Domain Controller

  • Sign into the Azure Portal as a global admin
  • Select Azure Active Directory and select Properties
  • In the Properties blade, beside the Directory ID, click on the Copy icon to get the Azure GUID for the tenant to be used later
  • You will need to download the NPS Extension for MFA file from this location:
  • Copy this file to the domain controller where NPS has been installed. Double-click the file to run it. Agree to the license terms and click Install
  • After the NPS Extension has been installed, configure by opening Windows PowerShell as an admin
  • Enter cd “c:\Program Files\Microsoft\AzureMfa\Config”
  • Enter .\AzureMfaNpsExtnConfigSetup.ps1
  • Enter your Azure AD admin credentials and click Sign In
  • When prompted, paste the Directory ID you copied to the clipboard earlier from Azure AD, and press ENTER.
  • The script creates a self-signed certificate and performs other configuration changes. You will know it has completed when the script presents the message “Successfully Granted to Network Service”, then stops and restarts NPS, ending with a message to Press Any Key to Close

5) Setup Remote Desktop Server

  • Log on to the RD server, select Server Manager > Manage > Add Servers to add the domain controller running RD Licensing and NPS
  • Click Manage, then Add Roles & Features and then Next
  • Select Remote Desktop Services installation for Install Type
  • Select Standard Deployment and then Session-Based Desktop Deployment
  • For Deployment Scenario, select Session-Based Desktop Deployment
  • Review and deploy Remote Desktop Connection Broker, Remote Desktop Web Access, Remote Desktop Session Host, and add Remote Desktop Gateway from Remote Desktop Services in Server Manager
  • Reboot the RD server even if it does not reboot automatically
  • Once logged back into the server, return to Server Manager, click Remote Desktop Services and Edit Deployment Properties under Tasks.
Setting Value
RD Gateway
Logon method Password Authentication
Use RD Gateway credentials for remote computers Check
Bypass RD Gateway server for local addresses Check
RD Licensing
Licensing Mode Per User
Licensing Server Domain controller name
RD Web Access
Collection “Company Name”
General Show session collection in RD Web Access
User Groups Domain Users
End a disconnected session Never
Active session limit Never
Idle session limit Never
When a session limit is reached or broken Disconnect session / Enable auto-reconnect
Security Layer Negotiate
Encryption Level Client Compatible
Allow only RD connection with Network Auth Enabled
Load Balancing Weight 100 / Session Limit 999999
Client Settings Redirect all devices / printers / 16 monitors
User Profile Disks None / Disable

6) Configure Network Policy Server on Remote Desktop Server

Select Server Manager > Manage > Add Roles and Features > Network Policy and Access Services.

Setting Value
Radius Client
Friendly Name N/A
Address N/A
Shared Secret N/A
Remote RADIUS Server Group
Server Domain Controller IP Address
Shared Secret Password1
Load Balancing / Advanced 60, 5, 60
Connection Request Policy
Policy Name TS GATEWAY AUTHORIZATION / Use Windows Authentication
Type of network access Remote Desktop Gateway
Conditions Day and time restrictions
Settings / Authentication Forward requests to TSGATEWAY SERVER GROUP
Network Policies
Policy Name RDG_CAP_AllUsers
Ignore user account dial-in Check
Type of network access Remote Desktop Gateway
Conditions User Groups \ Domain Users
Constraints / Authentication Allow Clients to connect without negotiating an authentication method
Settings / IP Settings Server settings determine IP address assignment

7) Change Perimeter Firewall Remote Desktop Inbound Rule

  • Open a browser and enter the IP Address of your default gateway
  • Change the port from RDP (3389) to HTTPS (443) on the inbound Remote Desktop rule or create a new inbound rule from the WAN to the IP address of the Remote Desktop Server using HTTPS
  • Restart of the firewall appliance is generally recommended

Follow-up and Testing

  1. Verify that MFA is configured with a regular user and an administrator account, EMS subscription is assigned, and test MFA login at
  2. Verify FQDN server name like resolves using NSLOOKUP for both internal and external DNS as well as matching the purchased certificate
  3. Open a browser, go to and run Shields Up scan to verify port 443 in open
  4. Use the Remote Desktop Connection and verify you can logon to the RD Server inside the network using the FQDN for the computer name
  5. Use the Remote Desktop Connection and verify you can logon to the RD Server outside the network adding the FQDN to Advanced / Settings / Server Name
  6. Using a browser, logon inside the network and then outside with MFA at example https://
  7. Review the Windows Defender Firewall logs or enter NETSTAT -AN at a Command Prompt to verify open ports
  8. For mufti-homed servers, it may be necessary to bind specific IP addresses to RDP, NPS, and IIS ports