Secure your business and enterprise IT systems with Multi Factor Authentication (MFA)

 Duo MFA, Linux, Remote Access, Remote Desktop Services (RDS), Security, VMware Horizon View  No Responses »
Jul 132020
 
Picture of the DUO Security Logo

When you’re looking for additional or enhanced options to secure you’re business and enterprise IT systems, MFA/2FA can help you achieve this. Get away from the traditional single password, and implement additional means of authentication! MFA provides a great compliment to your cyber-security policies.

My company, Digitally Accurate Inc, has been using the Duo Security‘s MFA product in our own infrastructure, as well as our customers environments for some time. Digitally Accurate is a DUO Partner and can provide DUO MFA Services including licensing/software and the hardware tokens (Duo D-100 Tokens using HOTP).

What is MFA/2FA

MFA is short for Multi Factor authentication, additionally 2FA is short for Two Factor Authentication. While they are somewhat the same, multi means many, and 2 means two. Additional security is provided with both, since it provides more means of authentication.

Traditionally, users authenticate with 1 (one) level of authentication: their password. In simple terms MFA/2FA in addition to a password, provides a 2nd method of authentication and identity validation. By requiring users to authentication with a 2nd mechanism, this provides enhanced security.

Why use MFA/2FA

In a large portion of security breaches, we see users passwords become compromised. This can happen during a phishing attack, virus, keylogger, or other ways. Once a malicious user or bot has a users credentials (username and password), they can access resources available to that user.

By implementing a 2nd level of authentication, even if a users password becomes compromised, the real (or malicious user) must pass a 2nd authentication check. While this is easy for the real user, in most cases it’s nearly impossible for a malicious user. If a password get’s compromised, nothing can be accessed as it requires a 2nd level of authentication. If this 2nd method is a cell phone or hardware token, a malicious user won’t be ale to access the users resources unless they steal the cell phone, or hardware token.

How does MFA/2FA work

When deploying MFA or 2FA you have the option of using an app, hardware token (fob), or phone verification to perform the additional authentication check.

After a user attempts to logs on to a computer or service with their username and password, the 2nd level of authentication will be presented, and must pass in order for the login request to succeed.

Please see below for an example of 2FA selection screen after a successful username and password:

Screenshot of Duo MFA 2FA Prompt on Windows Login
Duo Security Windows Login MFA 2FA Prompt

After selecting an authentication method for MFA or 2FA, you can use the following

2FA with App (Duo Push)

Duo Push sends an authentication challenge to your mobile device which a user can then approve or deny.

Please see below for an example of Duo Push:

Screenshot of Duo Push Notification to Mobile Android App
Duo Push to Mobile App on Android

Once the user selects to approve or deny the login request, the original login will either be approved or denied. We often see this as being the preferred MFA/2FA method.

2FA with phone verification (Call Me)

Duo phone verification (Call Me) will call you on your phone number (pre-configured by your IT staff) and challenge you to either hangup to deny the login request, or press a button on the keypad to accept the login request.

While we rarely use this option, it is handy to have as a backup method.

2FA with Hardware Token (Passcode)

Duo Passcode challenges are handled using a hardware token (or you can generate a passcode using the Duo App). Once you select this method, you will be prompted to enter the passcode to complete the 2FA authentication challenge. If you enter the correct passcode, the login will be accepted.

Here is a Duo D-100 Token that uses HOTP (HMAC-based One Time Password):

Picture of Duo D-100 HOTP Hardware Token
Duo D-100 HOTP Hardware Token

When you press the green button, a passcode will be temporarily displayed on the LCD display which you can use to complete the passcode challenge.

You can purchase Hardware Token’s directly from Digitally Accurate Inc by contacting us, your existing Duo Partner, or from Duo directly. Duo is also compatible with other 3rd party hardware tokens that use HOTP and TOTP.

2FA with U2F

While you can’t visibly see the option for U2F, you can use U2F as an MFA or 2FA authentication challenge. This includes devices like a Yubikey from Yubico, which plugs in to the USB port of your computer. You can attach a Yubikey to your key chain, and bring it around with you. The Yubikey simply plugs in to your USB port and has a button that you press when you want to authenticate.

When the 2FA window pops up, simply hit the button and your Yubikey will complete the MFA/2FA challange.

What can MFA/2FA protect

Duo MFA supports numerous cloud and on-premise applications, services, protocols, and technologies. While the list is very large (full list available at https://duo.com/product/every-application), we regularly deploy and use Duo Security for the following configurations.

Windows Logins (Server and Workstation Logon)

Duo MFA can be deployed to not only protect your Windows Servers and Workstations, but also your remote access system as well.

When logging on to a Windows Server or Windows Workstation, a user will be presented with the following screen for 2FA authentication:

Screenshot of Duo MFA 2FA Prompt on Windows Login
Duo Security Windows Login MFA 2FA Prompt

Below you can see a video demonstration of DUO on Windows Login.

DUO works with both Windows Logins and RDP (Remote Desktop Protocol) Logins.

VMWare Horizon View Clients (VMWare VDI Logon)

Duo MFA can be deployed to protect your VDI (Virtual Desktop Infrastructure) by requiring MFA or 2FA when users log in to access their desktops.

When logging on to the VMware Horizon Client, a user will be presented with the following screen for 2FA authentication:

Screenshot of Duo MFA 2FA Prompt on VMWare Horizon Client Login
Duo Security VMWare Horizon Client Login MFA 2FA Prompt

Below you can see a video demonstration of DUO on VMware Horizon View (VDI) Login.

Sophos UTM (Admin and User Portal Logon)

Duo MFA can be deployed to protect your Sophos UTM firewall. You can protect the admin account, as well as user accounts when accessing the user portal.

If you’re using the VPN functionality on the Sophos UTM, you can also protect VPN logins with Duo MFA.

Unix and Linux (Server and Workstation Logon)

Duo MFA can be deployed to protect your Unix and Linux Servers. You can protect all user accounts, including the root user.

We regularly deploy this with Fedora and CentOS (even FreePBX) and you can protect both SSH and/or console logins.

When logging on to a Unix or Linux server, a user will be presented with the following screen for 2FA authentication:

Screenshot of Duo MFA 2FA Prompt on CentOS Linux Login
Duo Security CentOS Linux login MFA 2FA Prompt

Below you can see a video demonstration of DUO on Linux.

WordPress Logon

Duo MFA can be deployed to protect your WordPress blog. You can protect your admin and other user accounts.

If you have a popular blog, you know how often bots are attempting to hack and brute force your passwords. If by chance your admin password becomes compromised, using MFA or 2FA can protect your site.

When logging on to a WordPress blog admin interface, a user will be presented with the following screen for 2FA authentication:

Screenshot of Duo MFA 2FA Prompt on WordPress Login
Duo Security WordPress Login MFA 2FA Prompt

Below you can see a video demonstration of DUO on a WordPress blog.

How easy is it to implement

Implementing Duo MFA is very easy and works with your existing IT Infrastructure. It can easily be setup, configured, and maintained on your existing servers, workstations, and network devices.

Duo offers numerous plugins (for windows), as well as options for RADIUS type authentication mechanisms, and other types of authentication.

How easy is it to manage

Duo is managed through the Duo Security web portal. Your IT admins can manage users, MFA devices, tokens, and secured applications via the web interface. You can also deploy appliances that allow users to manage, provision, and add their MFA devices and settings.

Duo also integrates with Active Directory to make managing and maintaining users easy and fairly automated.

Let’s get started with Duo MFA

Want to protect your business with MFA? Give me a call today!

VMware Horizon Blank Screen

 End User Computing, Remote Access, VDI, VMware, VMware Horizon View  19 Responses »
Apr 042020
 
VMware Horizon View Logo

In all my years assisting and providing support with VMware Horizon, one of the most common problems that customers report with their VDI implementations, is the VMware Horizon Blank Screen.

When a user is presented with a blank or black screen when using the VMware Horizon Client, the problem can be caused by a number of different things. In this post, I will address and provide solutions for some of the common issues that cause the VMware Horizon blank screen.

VMware Horizon Blank screen issue
VMware Horizon Blank screen issue

This troubleshooting guide applies to VMware Horizon 8, VMware Horizon 7, as well as earlier versions of VMware Horizon.

VMware Horizon Blank Screen Causes

There’s a number of different causes of a blank or black screen when connecting and establishing a VDI session to Horizon View. Click on the item below to jump to that section of the post:

Now that we have a list, let’s dive in to each of these individually. Some of these will require you to do your own research and will only guide you, while other sections will include the full fix for the issue.

VMware Tools and Horizon Agent Installation Order

When deploying the VMware Horizon View agent, you are required to install the agent, along with VMware tools in a specific order. Failing to do so can cause problems, including a blank screen screen.

The installation order:

  1. Install GPU/vGPU drivers (if needed)
  2. Install VMware Tools Agent
  3. Install the VMware Horizon Agent
  4. Install the VMware User Environment Manager Agent (if needed)
  5. Install the VMware App Volumes Agent (if needed)

It is important to also consider this when upgrading the agents as well. When upgrading VMware Tools, it is recommended to re-install the Horizon agent in versions up to and including Horizon 8 2103. As of Horizon 2106 and later, you no longer need to re-install the Horizon Agent when performing a VMware Tools upgrade.

For more information on the agent installation order for VMware Horizon, please visit: https://kb.vmware.com/s/article/2118048.

Network ports are blocked (Computer Firewall, Network Firewall)

For the VMware Horizon agent to function properly, ports must be accessible through your firewall, whether it’s the firewall on the VM guest, client computer, or network firewall.

The following ports are required for the VMware Horizon Agent when connecting directly to a View Connection Server.

DestinationNetwork ProtocolDestination PortDetails
Horizon Connection ServerTCP443Login, authentication, and connection to the VMware Connection Server.
Horizon AgentTCP22443Blast Extreme
UDP22443Blast Extreme
TCP4172PCoIP
UDP4172PCoIP
TCP3389RDP (Remote Desktop Protocol)
TCP9427Client Shared Drive redirection (CDR) and Multi-media redirection (MMR).
TCP32111USB Redirection (Optional), can be incorporated in to the Blast Extreme connection.
Network Ports Required for VMware Horizon View to View Connection Server

The following ports are required for the VMware Horizon Agent when connecting through a VMware Unified Access Gateway (UAG).

DestinationNetwork ProtocolDestination PortDetails
Unified Access GatewayTCP443Login, authentication, and connection to the Unified Access Gateway. This port/connection can also carry tunneled RDP, client drive redirection, and USB redirection traffic.
TCP4172PCoIP via PCoIP Secure Gateway
UDP4172PCoIP via PCoIP Secure Gateway
UDP443Optional for Login traffic. Blast Extreme will attempt a UDP login if there are issues establishing a TCP connection.
TCP8443Blast Extreme via Blast Secure Gateway (High Performance connection)
UDP8443Blast Extreme via Blast Secure Gateway (Adaptive performance connection)
TCP443Blast Extreme via UAG port sharing.
Network Ports Required for VMware Horizon View to VMware Unified Access Gateway (UAG)

You’ll notice the ports that are required for Blast Extreme and PCoIP. If these are not open you can experience a blank screen when connecting to the VMware Horizon VDI Guest VM.

For more information on VMware Horizon network ports, visit VMware’s Network Ports in VMware Horizon | VMware.

Certain types of IPS (Intrusion Prevention Service) can also intercept and block traffic. IPS may cause intermittent issues.

DNS Issues

While VMware Horizon View usually uses IP address for connectivity between the View Connection Server, guest VM, and client, I have seen times where DNS issues have stopped certain components from functioning properly.

It’s always a good idea to verify that DNS is functioning both internally and externally. DNS (forward and reverse) is required for VMware Horizon Linux guests VMs.

XDR, EDR, and AV Platform causing momentary blank screen at logon

When using an XDR (Extended Detection and Response), EDR (Endpoint Detection and Response), or special AV solution with non-persistent desktops, one may experience a momentary blank screen on user session logon. I have observed this with Sophos XDR as well as Cortex XDR, with blank screens varying from 10-30 seconds on user login.

Removal of the platform can reduce the momentary blank screen down to 1-5 seconds.

I highly recommend configuring and tweaking policies as much as possible to enhance and optimize your environment. There will always be a trade off of performance for security, and the decisions should be made by those in the organization who make cyber security related decisions.

Incorrectly configured Unified Access Gateway

A big offender when it comes to blank screens is an incorrectly configured VMWare Unified Access Gateway for VMware Horizon.

Sometimes, first-time UAG users will incorrectly configure the View Connection server and UAG.

When configuring a UAG, you must disable both “Blast Secure Gateway”, and “PCoIP Secure Gateway” on the View Connection Server, as the UAG will be handling this. See below.

Picture of the Secure Gateway settings on VMware Horizon View Connection Server when used with VMware UAG.
Secure Gateway Settings on View Connection Server when used with UAG

Another regular issue is when admins misconfigure the UAG itself. There are a number of key things that must be configured properly. These are the values that should be populated on the UAG under Horizon Settings.

Connection Server URLhttps://ConnectionServerIP:443
Connection Server URL Thumbprintsha1=SSLTHUMPRINT
(Thumbprint of the SSL certificate your View Connection Server is using)
PCOIP External URLUAG-EXTERNALIP:4172
Blast External URLUAG-InternetFQDN:443
Tunnel External URLUAG-InternetFQDN:443

You must also have a valid SSL certificate installed under “TLS Server Certificate Settings”. I’d recommend applying it to both the admin and internal interface. This is a certificate that must match the FQDN (internal and external) of your UAG appliance.

Once you’re good, you’re green!

Picture of the VMware UAG interface showing all green (functioning).
VMware Unified Access Gateway showing valid

You should always see green lights, all protocols should work, and the connections should run smooth. If not, troubleshoot.

GPU Driver Issue

When using a GPU with your VM for 3D graphics, make sure you adhere to the requirements of the GPU vendor, along with the VMware requirements.

Some vendors have display count, resolution, and other limits that when reached, cause Blast Extreme to fail.

An incorrectly installed driver can also cause issues. Make sure that there are no issues with the drivers in the “Device Manager”.

VMware documents regarding 3D rendering:

Blast Extreme log files can be found on the guest VM in the following directory.

C:\ProgramData\VMware\VMware Blast\

Looking at these log files, you can find information that may pertain to the H.264 or display driver issues that will assist in troubleshooting.

When using GPUs such as Nvidia GRID and AMD MxGPU, it is recommended to disable the VMware SVGA 3D Driver and adapter inside of Device Manager after you install the applicable GPU drivers.

NVIDIA vGPU Issues

You may be experiencing issues related to the NVIDIA vGPU platform, either inside of the VM guest, or on the VMware ESXi host.

Please check out my NVIDIA vGPU Troubleshooting Guide – How to troubleshoot vGPU on VMware for more information on how to troubleshoot, as well as a list of common issues experienced with VMware Horizon and NVIDIA vGPU.

VMware Tools

A corrupt VMware tools install, whether software or drivers can cause display issues. Make sure that the drivers (including the display driver) are installed and functioning properly.

It may be a good idea to completely uninstall VMware Tools and re-install.

If you’re experiencing display driver issues (such as a blank screen), before re-installing VMware Tools try forcibly removing the display driver.

  1. Open “Device Manager”
  2. Right click on the VMware Display adapter and open “Properties”
  3. On the “Driver” tab, select “Uninstall”
  4. Check the box for “Delete the driver software for this device”.

This will fully remove the VMware driver. Now re-install VMware Tools.

Horizon Agent

Often, re-installing the Horizon Agent can resolve issues. Always make sure that VMware Tools are installed first before installing the Horizon Agent.

Make sure that if you are running 64-bit Windows in the VM then you install and use the 64-bit Horizon Agent.

You may experience issues with the “VMware Horizon Indirect Display Driver”. Some users have reported an error on this driver and issues loading it, resulting in a blank screen. To do this, I’d recommend forcibly uninstalling the driver and re-installing the Horizon Agent.

To forcibly remove the “VMware Horizon Indirect Display Driver”:

  1. Open “Device Manager”
  2. Right click on the “VMware Horizon Indirect Display Driver” and open “Properties”
  3. On the “Driver” tab, select “Uninstall”
  4. Check the box for “Delete the driver software for this device”.

Now proceed to uninstall and reinstall the Horizon View Agent.

When running the Horizon Agent on Horizon for Linux, make sure that forward and reverse DNS entries exist, and that DNS is functioning on the network where the Linux VM resides.

Also, as a reminder, it is recommended that you re-install the Horizon agent in versions up to and including Horizon 8 2103 after upgrading VMware Tools. As of Horizon 8 2106, you no longer need to re-install the Horizon Agent when performing a VMware Tools upgrade.

Video Settings (Video Memory (VRAM), Resolution, Number of Displays)

When experiencing video display issues or blank screens on VMware Horizon View, these could be associated with the guest VM’s memory, video memory (VRAM), display resolution, and number of displays.

vSphere Video RAM (VRAM) configuration for VMware Horizon
vSphere Video RAM Configuration for VMware Horizon

If you do not have enough Video RAM (VRAM) allocated to the virtual machine and/or you have too many displays (multi-monitor), then you can experience the blank screen with Horizon.

Make sure you are adhering to the specifications put forth by VMware. Please see the following links for more information.

Master Image Resolution

While this isn’t likely to cause a blank screen issue (it can though), it’s always a good idea to set your image to a lower resolution before snapping or converting to a template for deployment.

It’s a lot easier for the VMs to start using lower resolution and VRAM (Video Memory) and then increase to what’s needed, instead of starting at a crazy high resolution and then getting adjusted down.

I consider it a good practice to reduce the graphics resolution before creating and deploying the image to the desktop pools.

Protocol

When troubleshooting blank screens with VMware Horizon, you need to try to identify whether it’s specific to the guest VM, or if it’s associated with the connection protocol you’re using (and the route it takes whether through a Connection Server, or UAG).

Always try different protocols to see if the issue is associated with all, or one. Then try establishing connections and find if it’s isolated direct to the Connection Server, or through the UAG.

If the issue is with a specific protocol, you can view the protocol log files. If the issue is with the UAG, you can troubleshoot the UAG.

Log files can be found in the following directory:

C:\ProgramData\VMware\

HTTPS Proxy and redirection issues

If you are connecting through a network that does passive and/or transparent HTTPS scanning or uses a proxy server, you may experience issues with inability to connect, or blank screens.

You’ll need to modify your firewall or proxy to allow the VMware connection and open the required ports for VMware Horizon and create an exception not to touch or manipulate the VMware Horizon related traffic.

Login banner or disclaimer (PCoIP)

I haven’t seen or heard of this one in some time, but when using VMware Horizon with PCoIP, sessions can fail or show a blank screen when the legal disclaimer login banner is used on the Windows instance (Windows 7, Windows 10, or Windows 11).

For more information on this issue, and how to resolve or workaround, visit https://kb.vmware.com/s/article/1016961.

Old version of VMware Horizon

It never stops surprising me how old some of the VMware Horizon View environments are that some businesses are running. VMware regularly updates, and releases new versions of VMware Horizon that resolve known issues and bugs in the software.

While it may be difficult, simply upgrading your VMware Horizon environment (VMware vSphere, View Connection Server, VMware Tools, VMware Horizon Agent) can often resolve many issues.

Blank Screen connecting to Physical PC running Horizon Agent

When you install the VMware Horizon Agent on a Physical PC, you may encounter issues with a blank screen.

This is usually caused by:

After troubleshooting these issues, you should be able to resolve the issue.

Conclusion

As you can see there are a number of different things that can cause Horizon View to show a blank screen on login. It’s always best to try to understand how the technology works, and establish where the failure points are.

Let me know if this helped you out, or if you find other reasons and feel I should add them to the list!

How to rapidly deploy Remote Desktop Services (RDS) for employee remote access

 Microsoft, Remote Access, Remote Desktop Services (RDS), Security  10 Responses »
Mar 222020
 
Microsoft Remote Desktop Services Logo

In the last few months, the crisis with COVID19 has put organizations in a panic to enable employees to be able to work from home, to continue business productivity, keep employees safe, and keep employees on the payroll. It’s good for business, and it’s good for employees to avoid layoffs so everyone keeps their jobs.

This has put IT departments and IT professionals in a hectic position where they must roll out and deploy remote access technologies on the fly, often with little or no notice.

I’ve heard horror stories where organization leadership has made decisions without consulting IT which resulted in the inability to work, also where organizations didn’t involve their IT teams in strategizing and planning moving forward.

Business executive giving directive on IT

In this post I’m going to outline the most efficient way to rapidly deploy Remote Desktop Services (RDS) for employee remote access.

Remote Access Technologies

There’s a number of different remote access technologies and software packages available today. Some are designed to allow you to work fully remotely (providing a remote desktop to office resources), and some are designed to provide access to specific resources remotely (such as documents, files, etc).

The main technologies typically used for remote access include:

The main software packages that enable a remote workforce include:

  • Microsoft Office 365
  • Microsoft 365
  • Skype for Business
  • Microsoft Teams
  • Zoom
  • Numerous other applications and cloud suites

Every technology or application has it’s purpose and is deployed depending on the business requirements, however in this specific situation we need a solution that is easy and fast to deploy.

For most small to medium sized businesses, Remote Desktop Services would be the easiest solution to roll out on such short notice.

Remote Desktop Services (RDS)

Remote Desktop Services is a server/client technology that allows the client to connect to the server, and have access to a full Windows desktop that’s actually running on the server itself.

These sessions are encrypted, secure, and essentially brings the display to the connecting client, and brings back mouse and keyboard feedback.

With Remote Desktop Services, you’re maintaining one Windows Server that provides multiple concurrent sessions for multiple concurrent users. You can install software packages (database applications, Microsoft Office 365, and other line of business applications), and make them available to the connecting users.

Even users who are accessing large files have a beautiful experience since the data never leaves your IT environment, only the sessions display is transmitted.

This works great for home users who have slow internet connections, users who are travelling, or using their cell networks LTE connection to connect.

For administrators, it provides an easy way to manage a desktop experience for multiple users by maintain a single server. There are also many additional controls you can implement to limit access and optimize the experience.

What’s required

When deploying RDS, you’ll need the following:

  • A dedicated Server or dedicated Virtual Machine running Microsoft Windows Server to be configured as a Remote Desktop Services server.
  • Remote Desktop Services CALs (Client Access Licenses – One CAL is required for each user or device)
  • A high speed internet connection (that can handle multiple RDS sessions)
  • A firewall to protect the RDS Server and preferably 2FA/MFA logins
  • A Static IP and DNS entries to make the server available to the internet and your users

You’ll want the RDS server to be dedicated strictly to Remote Desktop Services sessions. You will not want to run any other servers or services on this server or virtual machine.

You will need to purchase RDS CALs. A Remote Desktop Services Client access license, is required for every device or user you have connected to your RDS server. During your initial purchase of RDS CALs, you must choose between user count based licensing, or device count based licensing. If you need help with licensing Microsoft Remote Desktop Services, please feel free to reach out to me.

The connections between the server and client consist of an encrypted presentation of the display, as well as mouse/keyboard feedback, and other peripherals. For a single session it’s not much, which means your users don’t ultra fast internet connections. However, on the server side if you are running multiple sessions, the bandwidth requirements add up.

Remote Desktop Services servers are often under attack on the internet. You’ll find that the servers are subjected to scans, brute force attempts, and exploit execution. You’ll want to make sure that you have both a firewall (with intrusion prevention) and a security technology like DUO Security Two Factor Authentication configured to protect your server.

Finally, you’ll need a static IP on the internet and a friendly DNS hostname for your employees to connect to using the Remote Desktop Protocol (RDP) Client, such as “remote.companyname.com”.

Deploying RDS

Deploying RDS is easy. Here is a brief summary of the steps to rapidly deploy a Remote Desktop Services server for remote access.

  1. Install Windows Server on the server or virtual machine that will host RDS.
  2. Configure networking (static IP) and join to domain.
  3. Using the server manager, add the Remote Desktop Services role.
  4. Configure Remote Desktop Services and Remote Desktop Web Access
  5. Configure an SSL Certificate
  6. Configure user session settings
  7. Install user software on the RDS Server (Including Office 365, Line of Business applications, and others)
  8. Configure ACLs (Access Control) to secure user access.
  9. Test the environment
  10. Move to production

Even with limited to no experience with Remote Desktop Services, an IT professional will be able to deploy the first server within hours. A focus must be paid to securing the environment, performance enhancements can be made later after deployment.

Please note that special steps are required when you install Office 365 in a Remote Desktop Services Environment, and configure office 365 in a Remote Desktop Services environment.

Microsoft has a detailed deployment guide available here: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure

Security Considerations

As mentioned above, your RDS server will be subject to ongoing attacks. These attacks include vulnerability scans, bruteforce attempts, and targeted exploitation attempts.

  • You’ll want to make sure that you have and enforce strict password policies to stop bruteforce attempts.
  • A firewall should be implemented that includes an intrusion prevention system to identify and stop intrusion attempts.
  • You should implement two factor authentication using a product like Duo from Duo Security.

Your new RDS server while enabling a mobile workforce, also substantially increases your security footprint. Considerations must always be made and factored in when deploying internet available services.

Below is a video demo of what Duo Security Two Facter authentication looks like when logging in to an RDP session.

Duo Security Two Factor Authentication on Remote Desktop Services RDS Demo

Optimizations

There’s a fair number of optimizations which can be made in an RDS environment. I’m going to cover a few of the most widely used below.

Please note, you should also configure the RDS Group Policy Objects (GPO) as well.

Folder Redirection

While most data should be stored on network shares, we often find that users will store data and files on their Desktop and My Documents.

If you have available and extra storage, you can enable Desktop and My Documents Folder redirection. This will redirect users Desktop’s and My Document’s folders to a network share. On local computers on your network, the computers will retain a cached copy for performance.

If you deploy an RDS Server and have Folder redirection configured, the users My Documents and Desktop will be available to that user. Additionally since the server is on the same network as the share hosting the data, the RDS server will not retain a local cached copy (saving space).

If you are considering implementing and turning on Folder Redirection, I would recommend doing so before deploying an RDS Server (especially before a user logs in for the first time).

Anti-virus and Endpoint Protection

Careful consideration must be made when choosing the antivirus and endpoint protection software for your RDS environment.

First, you must make sure that your antivirus and/or endpoint protection vendor supports Remote Desktop Services, and then also deploy their recommended settings for that type of environment.

A proper endpoint protection solution should run few processes for all users, and not individual processes for each user.

Service Delivery

For continued service delivery, your IT staff must monitor and maintain the server. This includes monitoring logs, updating it via Windows Update, and updating the various applications your users are using.

IT professional working on organization infrastructure including Remote Desktop Services RDS

As the environment grows, you can deploy additional RDS Servers and create an RDS Farm. If you get to this point you’ll be able to deploy a load balancer and grow as more performance is required, or additional users are brought online.

Software Installation

When installing software on your Remote Desktop Services Server, extra steps must be taken so that the registry is properly handled for the multi-user environment.

Before launching a software installer, open a command prompt (elevated as Administrator) and run the following command:

change user /install

This will change your user session to an install mode. You can now run your software installation.

After the software installation is complete, put the RDS Server back in to execution mode with the following command:

change user /execute

Performing the above will make sure that the registry is properly handled during software installation for proper functioning of software in a multi-user RDS environment. Restarting the server will always automatically bring it back up in execute mode.

Conclusion

Deploying a Remote Desktop Services server is a great way to get a large number of users online and working remotely in a short amount of time. This keeps management happy, employees happy, and maintains a productive workforce.

Employee working remotely from home using Remote Desktop Services

As I mentioned, there are numerous other technologies so depending on what your company has already implemented or is using, may change what solution would be best for you.

If you have any questions or require help or assistance with deploying Remote Desktop Services for your organization, don’t hesitate to reach out to me!

Leave a comment with some feedback!

Duo Security – Two-Factor Authentication Demo

 Duo MFA, Remote Access, Security  No Responses »
Mar 142020
 
DUO

Want to see DUO Two-Factor Authentication in action? I’ve created a number of demo videos showing DUO 2FA being used on numerous different platforms. You can see how DUO works with these platforms, and the experience a user can expect when using two-factor authentication from Duo Security.

Duo 2FA is a great way to secure your environment whether it’s servers, workstations, VDI, firewalls, or even WordPress!

And remember, I sell Duo licensing and provide consulting services to help set it up!

The following video playlist contains:

Video demo playlist

Duo Security Two-Factor Authentication Product Demo

Feel free to reach out to me if you need a quote, want to buy, or need help implementing Duo Security Two-Factor Authentication!

Don’t forget to check out my corporate blog post to “Secure your business and enterprise IT systems with Multi Factor Authentication (MFA)“!

For more content on my blog on Duo Security, visit: https://www.stephenwagner.com/category/duo-mfa/

For more content on my corporate blog on Duo Security, visit: https://www.digitallyaccurate.com/blog/category/vendors/duo-security/

To visit Duo Security’s website, visit: https://duo.com/

How to configure DUO MFA 2FA on VMware Horizon View

 Duo MFA, Remote Access, VMware Horizon View  2 Responses »
May 072019
 
VMware Horizon View Icon

So you’ve started to use or test Duo Security’s MFA/2FA technology on your network. You’ve been happy so far and you now want to begin testing or rolling out DUO MFA on your VMware Horizon View server.

VMware Horizon is great at providing an end user computing solution for your business, a byproduct of which is an amazing remote access system. With any type of access, especially remote, comes numerous security challenges. DUO Security’s MFA solution is great at provided multi-factor authentication for your environment, and fully supports VMware Horizon View.

In this guide, I’ll be providing a quick how to guide on how to get setup and configured with DUO MFA on your Horizon Server to authenticate View clients.

If you are looking to only implement DUO 2FA on the VMware Unified Access Gateway (and not the connection server), head over to my colleague’s post here: https://securedpackets.com/?p=424

Here’s a video of DUO on VMware Horizon View in action! Scroll down for instructions on how to set it up!

Video Demonstration of DUO MFA 2FA on VMware Horizon View

Enabling DUO MFA on VMWare View will require further authentication from your users via one of the following means:

  • DUO Push (Push auth request to mobile app)
  • Phone call (On user’s pre-configured phone number)
  • SMS Passcode (Texted to users pre-configured phone number)
  • PIN code from a Hardware Token

For more information on the DUO technology and authentication methods, please visit
https://www.digitallyaccurate.com/blog/2018/06/12/secure-business-enterprise-it-systems-multi-factor-authentication-duo-mfa/

Prerequisites

  • VMware Horizon View Connection Server (Configured and working)
  • VMware View Client (for testing)
  • DUO Authentication Proxy installed, configured, and running (integrated with Active Directory)
  • Completed DUO Auth Proxy config along with “[ad_client]” as primary authentication.

Please Note: For this guide, we’re going to assume that you already have a Duo Authentication Proxy installed and fully configured on your network. The authentication proxy server acts as a RADIUS server that your VMware Horizon View Connection Server will use to authenticate users against.

Instructions

The instructions will be performed in multiple steps. This includes adding the application to your DUO account, configuring the DUO Authentication Proxy, and finally configuring the VMware View Connection Server.

Add the application to your DUO account

  1. Log on to your DUO account, on the left pane, select “Applications”.
  2. Click on the Blue button “Protect an Application”.
  3. Using the search, look for “VMware View”, and then select “Protect this Application”.
  4. Record the 3 fields labelled “Integration key”, “Security key”, and “API hostname”. You’ll need these later on your authentication proxy.
  5. Feel free to modify the Global Policy to the settings you require. You can always change and modify these later.
  6. Under Settings, we’ll give it a friendly name, choose “Simple” for “Username normalization”, and optionally configure the “Permitted Groups”. Select “Save”.

Configure the DUO Authentication Proxy

  1. Log on to the server that is running your DUO Authentication Proxy.
  2. Open the file explorer and navigate to the following directory.
    C:\Program Files (x86)\Duo Security Authentication Proxy\conf
  3. Before any changes I always make a backup of the existing config file. Copy and paste the “authproxy.cfg” file and rename the copy to “authproxy.cfg.bak”.
  4. Open the “authproxy.cfg” file with notepad.
  5. Add the following to the very end of the file:
    ;vmware-view
[radius_server_challenge]
ikey=YOUR_INTEGRATION_KEY
skey=YOUR_SECRET_KEY
api_host=YOUR-API-ADDRESS.duosecurity.com
failmode=safe
client=ad_client
radius_ip_1=IP-ADDY-OF-VIEW-SERVER
radius_secret_1=SECRETPASSFORDUOVIEW
port=1813
    Using the values from the “Protect an Application”, replace the “ikey” with your “integration key”, “skey” with your “secret key”, and “api_host” with the API hostname that was provided. Additionally “radius_ip_1” should be set to your View Connection Server IP, and “radius_secret_1” is a secret passphrase shared only by DUO and the View connection server.
  6. Save the file.
  7. Restart the DUO Authentication Proxy either using Services (services.msc), or run the following from a command prompt: 
    net stop DuoAuthProxy & net start DuoAuthProxy

Configure the VMware View Connection Server

  1. Log on to your server that runs your VMware View Connection Server.
  2. Open the VMware Horizon 7 Administrator web interface and log on.
    Horizon 7 Administrator Launch Icon Screenshot
  3. On the left hand side, under “Inventory”, expand “View Configuration” and select “Servers”.
    View Configuration and Servers highlighted on Left Pane
  4. On the right hand side in the “Servers” pane, click on the “Connection Servers” tab, then select your server, and click “Edit”.
    Select Connection Server in Server Pane Window
  5. On the “Edit Connection Server Settings” window, click on the “Authentication” tab.
    Authentication under Edit Connection Settings Window
  6. Scroll down to the “Advanced Authentication” section, and change the “2-factor authentication” drop down, to “RADIUS”. Check both check boxes for “Enforce 2-factor and Windows user name matching”, and “Use the same user name and password for RADIUS and Windows Authentication”.
    Advanced Auth Settings for DUO in Authentication Tab Dialog Window
  7. Below the check boxes you will see “Authenticator”. Open the drop down, and select “Create New Authenticator”.
  8. In the “Add RADIUS Authenticator” window, give it a friendly name, friendly description, and populate the fields as specified in the screenshot below. You’ll be using the shared RADIUS/DUO secret we created above in the config file for the proxy auth.
    Edit RADIUS Authenticator VMware View Window
    Please Note that I changed the default RADIUS port in my config to 1813.
  9. Click “Ok”, then make sure the newly created authenticator is select in the drop down. Proceed to click “Ok” on the remaining windows, and close out of the web interface.

That’s it!

You have now completely implemented DUO MFA on your Horizon deployment. Now when users attempt to log on to your VMware View Connection server, after entering their credentials they will be prompted for a second factor of authentication as pictured below.

DUO Security Login VMware View Client Dialog Box
DUO Security Login VMware View Client
DUO Security MFA authenticate VMware View Client dialog box
DUO Security MFA authenticate VMware View Client

VMware Horizon View is now fully using MFA/2FA.

Leave a comment!