Windows Logon and RDP are easy to brute force because they do not offer built-in multi-factor authentication.

To add MFA or 2FA to Windows, a third-party application is required to generate a One-Time Password (OTP) each time a user logs in.

The OTP can be sent to a smartphone via Push Notification, SMS, or other methods.

Cisco acquired Duo Security in 2018 but still offers a free plan called Duo Free [Link] for up to 10 users.


Creating a Duo Security Account

Go to the Duo Security website [Link] and create an account:

Check your email and click the link to verify your account.

A QR Code will be generated. Keep it on your screen for the next step.


Installing Duo Mobile

On your smartphone, install the Duo Mobile app from the Android [Link] or iPhone [Link] store:

Use the app to scan the QR Code generated in the previous step.

This will create your first token, which is tied to the management dashboard.


Protecting an Application (RDP)

Go to Application > Protect an Application > Search for Microsoft RDP > Protect.

Click on RDP documentation. A new browser tab will open with the download link for the Windows application.

Download page:

During installation, you will be prompted to enter the API hostname:

Then enter the Integration and Security Keys:

Configure the remaining options as needed or leave them as default.

Do not log out yet.


Adding Users

Go to Users > Add a User.

The username must match the Windows account username exactly.

Set the Status to Active and click Save Changes.

Note: if you log out at this point, you will be locked out:

To regain access, set the Status to Bypass and click Save Changes.

Now add an Email address for the account, switch the Status back to Active, and click Save Changes.

Click Resend Enrollment Email at the top:

A confirmation will appear:


Enrolling Users

Enrollment creates the token that grants access to the protected applications, in this case Windows Logon and RDP.

Each user must also have Duo Mobile installed on their smartphone.

Each user needs to open the enrollment email and click the link on their smartphone.

Log out and try logging back in. The following window will appear:

A push notification will be sent to your smartphone. Tap Approve.


Do not panic if you get locked out!

You can always allow a user, group, or the entire workgroup to bypass 2FA if needed.

Make sure the username in Duo matches the Windows account username.

Verify that the user has enrolled correctly and has their mobile token available.