Windows Logon and RDP are easy targets for password brute forcing because, out of the box, a valid username and password is all they ask for: Windows has no built-in second factor such as a one-time password or push approval for a password logon.
To add MFA (2FA) to Windows logon you need third-party software that challenges the user for a second factor, typically a one-time password (OTP), at every logon.
The OTP or approval request can be delivered to a smartphone by push notification, SMS, and other methods.
Cisco acquired Duo Security in 2018 but still offers a free plan, called Duo Free [Link], for up to 10 users at no cost.
Creating a Duo Security Account
Go to the Duo Security website [Link] and create an account:
Then access your email and click on the link to validate your account.
A QR code will be generated. Keep it on your screen for now.
Installing DUO Mobile
Use the newly installed app to scan the QR code generated in the previous step.
This creates the first account in the app; it is used only for logging in to the Duo admin dashboard, not for the Windows users you will protect later.
Protecting an Application (RDP)
Go to Application > Protect an Application > Search for Microsoft RDP > Protect.
Click on RDP documentation. It opens a new browser tab with the link to download the Duo Authentication for Windows Logon installer.
During the installation you will be prompted for the API hostname:
Then insert the Integration Key and Secret Key:
Select the other options/features according to your needs or leave them at the defaults. Pay attention to the fail mode option: fail open lets a user in with just the password whenever the Duo service cannot be reached, fail closed denies the logon instead. Fail closed is the safer choice if the machine always has Internet access.
Do not log out just yet.
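The same installation can be done unattended, which is useful when rolling Duo out to more than one machine. The PowerShell below is an added example and not part of the original post or of Duo's own tooling: it passes the API hostname, Integration Key and Secret Key to the installer as MSI properties and forces fail closed and console-plus-RDP protection. The installer file name and version, the property names (IKEY, SKEY, HOST, AUTOPUSH, FAILOPEN, RDPONLY) and the registry location are taken from Duo's Windows Logon documentation as I know it; confirm them against the RDP documentation tab opened above before relying on them. The key values are placeholders.

```powershell
# Added example, not from the original post. Assumes the Duo Authentication for
# Windows Logon installer has been downloaded and that the installer accepts the
# MSI properties shown below (check the RDP documentation for your version).
$Installer = 'C:\Temp\duo-win-login-4.2.0.exe'   # assumed download path and version
$IKey      = 'DIXXXXXXXXXXXXXXXXXX'              # Integration Key placeholder
$ApiHost   = 'api-xxxxxxxx.duosecurity.com'      # API hostname placeholder

# Prompt for the Secret Key so it is never stored in the script or in history.
$SKeySecure = Read-Host -AsSecureString -Prompt 'Duo Secret Key'
$SKeyPlain  = [System.Net.NetworkCredential]::new('', $SKeySecure).Password

# FAILOPEN=#0 denies the logon when the Duo API is unreachable instead of falling
# back to password-only. RDPONLY=#0 protects console logons as well as RDP, which
# is what this post is about. The '#' prefix marks a numeric (DWORD) MSI property.
$ArgLine = ('/S /V" /qn IKEY=\"{0}\" SKEY=\"{1}\" HOST=\"{2}\" AUTOPUSH=\"#1\" FAILOPEN=\"#0\" RDPONLY=\"#0\""' -f $IKey, $SKeyPlain, $ApiHost)

$proc = Start-Process -FilePath $Installer -ArgumentList $ArgLine -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Duo installer exited with code $($proc.ExitCode)"
}

# Confirm the credential provider registered its configuration. Only the
# non-secret values are shown; the Secret Key is deliberately not printed.
$RegPath = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'   # assumed location
$Cfg = Get-ItemProperty -Path $RegPath -ErrorAction Stop
[pscustomobject]@{
    Host     = $Cfg.Host
    IKEY     = $Cfg.IKEY
    AutoPush = $Cfg.AutoPush
    FailOpen = $Cfg.FailOpen
    RdpOnly  = $Cfg.RdpOnly
}
```

Run it from an elevated PowerShell session. The interactive installer stores the same settings, so the read-back at the end also works after a manual installation if you only want to verify what was configured.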
Go to Users > Add a User.
The username has to be the same as the Windows account.
Select the Status as Active then Save Changes.
At this point, if you log out and try to log in again you will be locked out, because the user now exists in Duo with the status Active but has no enrolled device to approve the request:
To be able to log back in, set the Status to Bypass then Save Changes. Bypass skips 2FA entirely for that user, so use it only as a temporary measure.
Now add the email address for this account, switch the Status back to Active and Save Changes.
Select Resend Enrollment Email at the top:
The confirmation will appear:
Enrolling the Users
Enrollment creates the token in Duo Mobile that grants access to the protected applications, in this case Windows Logon and RDP.
Each user also needs Duo Mobile installed on their smartphone.
Each user will have to open the enrollment email and click on the link using their smartphone.
Log out and try to log back in. The following window will pop up:
A request is pushed to your smartphone; select Approve.
Do not panic if you got locked out of your computer!
You can always allow a user, group, or the entire workgroup to bypass 2FA if necessary, from another enrolled admin session or from the Duo admin dashboard on another device.
Make sure the username added in Duo is exactly the same as the username of the Windows account.
Check that the user has enrolled correctly and has the mobile token handy before logging out.
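The checks above can be run before logging out, which is cheaper than discovering a problem at the lock screen. The following PowerShell is an added example, not part of the original post: it verifies that the Duo configuration is in place and not set to fail open, that the machine can reach the Duo API host over TCP 443, and that every username entered in Duo matches an existing, enabled local Windows account. The registry location and value names are assumed from Duo's Windows Logon documentation; the user list is a constructed sample, and Get-LocalUser requires Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the original post. Run while still logged in, before
# testing the Duo prompt. Registry path and value names are assumptions taken
# from Duo's documentation; $DuoUsers is a constructed sample list.
$DuoUsers = @('alice', 'bob')   # constructed: usernames created under Users > Add a User

$RegPath = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
$Cfg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
if (-not $Cfg) {
    throw "Duo credential provider settings not found at $RegPath; was the installer run?"
}

$Problems = @()
if ([string]::IsNullOrWhiteSpace($Cfg.Host)) { $Problems += 'API hostname is empty' }
if ([string]::IsNullOrWhiteSpace($Cfg.IKEY)) { $Problems += 'Integration Key is empty' }
if ($Cfg.FailOpen -eq 1) {
    $Problems += 'FailOpen=1: logons fall back to password-only whenever Duo is unreachable'
}

# Push and OTP verification need HTTPS to the API host. A blocked port means either
# a lockout (fail closed) or a silent bypass of MFA (fail open), so test it now.
if (-not [string]::IsNullOrWhiteSpace($Cfg.Host)) {
    $Net = Test-NetConnection -ComputerName $Cfg.Host -Port 443 -WarningAction SilentlyContinue
    if (-not $Net.TcpTestSucceeded) { $Problems += "Cannot reach $($Cfg.Host) on TCP 443" }
}

# Duo matches the logon name against the username stored in Duo, so each Duo user
# must correspond to a real, enabled Windows account with exactly the same name.
foreach ($u in $DuoUsers) {
    $local = Get-LocalUser -Name $u -ErrorAction SilentlyContinue
    if (-not $local) {
        $Problems += "No local Windows account named '$u' (check spelling/case in Duo)"
    } elseif (-not $local.Enabled) {
        $Problems += "Local account '$u' exists but is disabled"
    }
}

if ($Problems.Count -gt 0) {
    $Problems | ForEach-Object { Write-Warning $_ }
} else {
    'All pre-flight checks passed; safe to log out and test the Duo prompt.'
}
```

Whether a user has actually finished enrollment is only visible in the Duo admin dashboard (the user should show a phone under Devices), so check that there before logging out; this script covers everything that can be verified from the Windows side.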