[KB5880] How to allow Remote Desktop connection only if it is secured by Two-Factor Authentication (2FA)?

Issue

  • You wish to allow domain users to connect to Virtual Desktop Infrastructure (VDI) clients (virtual machines) via RDP only if the RDP connection is secured by Two-Factor Authentication (2FA)

Solution

To protect the RDP connection of Virtual Desktop Infrastructure (VDI) clients with 2FA, so that RDP access is impossible without supplying a One-Time Password (OTP) as the second authentication factor, two essential changes must be made once the VDI template has been installed and configured according to your requirements.
 
Install and preconfigure a VDI template (e.g. Windows 7), customize the system to meet your (or your customers') requirements and install the Remote Desktop Plugin of ESET Secure Authentication (ESA); see the installation section of the product manual.
 
Before running sysprep, complete the following two essential steps:
  1. Make the Remote Desktop Services service depend on the ESA Credential Provider Proxy Services service, so that Remote Desktop Services starts only when the ESA service is up and running. Without this dependency, RDP logons could be accepted while the component that enforces the second factor is not running.
    To do so, press the Windows key + R, type (or copy and paste) the following command into the Run dialog and press Enter. The command must run with administrative privileges; if it fails with "Access is denied", run it from an elevated Command Prompt instead:

    sc config TermService depend= EsaCpProxy/RpcSs

    Note that depend= replaces the entire dependency list rather than adding to it. RpcSs is the existing dependency of Remote Desktop Services on a default installation, which is why it must be listed again; check the current list with sc qc TermService first and include every dependency shown there.
  2. Set the ESA Credential Provider Proxy Services service (EsaCpProxy) to run under a domain account by executing the following command in the Run dialog (again with administrative privileges). Prefer a dedicated domain service account that holds only the rights the service needs over a domain admin account: the password is stored on the VDI client as a service credential, so a compromised client would expose it. The account must also hold the "Log on as a service" right, which sc config does not grant automatically (the Services console does).

    sc config EsaCpProxy obj= "domain\username" password= "password"

    where domain\username must be replaced with the NetBIOS name of your Active Directory domain and the username of the desired domain user. Likewise, password must be replaced with that user's password.

    In our example, we executed the following command (acswin2012 is the example domain and demo1234 an example password; use your own values):
    sc config EsaCpProxy obj= "acswin2012\administrator" password= "demo1234"
As a safety precaution, you can configure the ESA Credential Provider Proxy Services (EsaCpProxy) service to be restarted automatically if it fails. You can achieve this by executing the following command in the Run dialog (with administrative privileges):
 
sc failure EsaCpProxy actions= restart/60000/restart/60000// reset= 120
 
This command restarts the EsaCpProxy service 60 seconds (60000 ms) after its first and second failure and takes no action on the third; the failure counter is reset after 120 seconds without a failure. Keep in mind that the dependency from step 1 only governs service start-up: if EsaCpProxy fails while Remote Desktop Services is already running, Remote Desktop Services is not stopped, which is why the automatic restart matters.
 
If steps 1 and 2 were successful, you can verify the corresponding services in the list of Services:
  • Press the Ctrl + Shift + Esc key combination to open Windows Task Manager
  • Switch to the Services tab and click the Services... button in the bottom right corner to open the Services window
  • Look up the ESA Credential Provider Proxy Services service, double-click it and switch to the Log On tab; the This account option is selected and shows the username of the domain user you used in step 2 above.

Figure 1-1

 

  • Look up the Remote Desktop Services service, double-click it and switch to the Dependencies tab; ESA Credential Provider Proxy Services is listed there.

Figure 1-2
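The whole procedure (steps 1 and 2, the failure-action setting and the verification described above) as a PowerShell script is given below. This is an added example, not code from the ESET article or product: the service names TermService and EsaCpProxy come from the article, while the credential prompt, the helper function names (Invoke-Sc, Test-EsaRdpSetup) and the choice of a dedicated service account are this example's own assumptions. It assumes Windows PowerShell 3.0 or later running elevated on the VDI template before sysprep.

```powershell
# Added example (not code from the ESET KB article): applies steps 1 and 2 and
# the failure-action setting with sc.exe, then verifies the result as an
# alternative to the Task Manager / Services window check. Service names
# TermService and EsaCpProxy are the ones used in the article; the account
# prompt and the helper function names are this example's own assumptions.
# Assumes Windows PowerShell 3.0 or later, run elevated on the VDI template.

$rdpService = 'TermService'
$esaService = 'EsaCpProxy'

# sc.exe config needs administrative rights; fail early rather than half-way.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

function Invoke-Sc {
    # Runs sc.exe and turns its non-zero exit code into a terminating error.
    param([string[]]$Arguments)
    $output = & sc.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe $($Arguments -join ' ') failed: $output"
    }
    $output
}

# Step 1: make Remote Desktop Services depend on the ESA proxy service.
# 'depend=' replaces the whole dependency list, so read the current one
# (RpcSs on a default installation) and append EsaCpProxy instead of
# hard-coding the list and silently dropping an existing dependency.
$existing     = @((Get-Service -Name $rdpService).ServicesDependedOn | ForEach-Object { $_.Name })
$dependencies = @($existing | Where-Object { $_ -ne $esaService }) + $esaService
Invoke-Sc -Arguments @('config', $rdpService, 'depend=', ($dependencies -join '/')) | Out-Null

# Step 2: run the ESA proxy under a domain account. Assumption: a dedicated,
# least-privileged domain service account rather than a domain admin. The
# password is requested interactively so it is never stored in the script.
# The account also needs the "Log on as a service" right; unlike the Services
# console, sc.exe config does not grant it.
$credential = Get-Credential -Message "Account for $esaService (DOMAIN\username)"
$password   = $credential.GetNetworkCredential().Password
try {
    Invoke-Sc -Arguments @('config', $esaService, 'obj=', $credential.UserName, 'password=', $password) | Out-Null
} finally {
    $password = $null
}

# Failure actions: restart 60 s after the first and second failure, no action
# on the third; the failure counter resets after 120 s without a failure.
Invoke-Sc -Arguments @('failure', $esaService, 'actions=', 'restart/60000/restart/60000//', 'reset=', '120') | Out-Null

function Test-EsaRdpSetup {
    # Returns what the article tells you to check in the Services window:
    # the ESA proxy's log-on account and the RDP dependency list, plus the
    # configured failure actions.
    $esa  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$esaService'"
    $deps = @((Get-Service -Name $rdpService).ServicesDependedOn | ForEach-Object { $_.Name })
    [pscustomobject]@{
        EsaLogOnAccount = $esa.StartName
        RdpDependencies = $deps -join '/'
        RdpDependsOnEsa = $deps -contains $esaService
        EsaFailureCfg   = (Invoke-Sc -Arguments @('qfailure', $esaService)) -join "`n"
    }
}

Test-EsaRdpSetup | Format-List
```

The arguments are passed to sc.exe as separate tokens ('depend=', then the value) because sc.exe requires the space between the option name and its value; RdpDependsOnEsa should report True and EsaLogOnAccount should show the DOMAIN\username you entered at the prompt.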