MFA on email, VPN, admin, RDP
Demonstrate that multi-factor authentication is consistently enforced for all user and administrative access to email, VPN, administrative interfaces, and RDP endpoints across the organization.
Description
What this control does
Multi-factor authentication (MFA) requires users to present at least two independent authentication factors before accessing email systems, VPN connections, administrative interfaces, and Remote Desktop Protocol (RDP) sessions. This control enforces possession-based or biometric factors in addition to passwords, significantly raising the barrier for unauthorized access even when credentials are compromised. MFA implementations may include time-based one-time passwords (TOTP), hardware tokens, push notifications, or biometric verification. Not all second factors are equal: a TOTP code or push approval can be relayed through a real-time phishing proxy, and push approvals are additionally exposed to repeated-prompt ("MFA fatigue") attacks, whereas FIDO2/WebAuthn authenticators bind the assertion to the site origin and resist phishing. The control is satisfied only when the second factor is enforced at every entry point to these systems, including protocols and clients that cannot present one.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is consistently enforced for all user and administrative access to email, VPN, administrative interfaces, and RDP endpoints across the organization.
Associated risks
Risks this control addresses
- Credential theft via phishing, keylogging, or credential stuffing enables unauthorized access to email systems containing sensitive business communications and data
- Compromised VPN credentials allow attackers to establish persistent external access to the internal network perimeter
- Stolen or weak administrative passwords grant attackers privileged access to manage critical systems, create backdoors, and escalate privileges
- RDP brute-force attacks or credential replay enable lateral movement and ransomware deployment across Windows infrastructure
- Password reuse across personal and corporate accounts exposes organizational assets when third-party breaches occur
- Man-in-the-middle or phishing-proxy interception of a password in transit defeats password-only authentication; MFA forces the attacker to also obtain the second factor, and phishing-resistant factors prevent that relay. Theft of an already-issued session token or cookie is not addressed by MFA and requires separate controls such as short session lifetimes and token binding
- Insider threats with stolen or shared credentials access systems without detection when single-factor authentication is the only gate
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's MFA policy documentation and approved authentication methods for email, VPN, administrative access, and RDP
- Export authentication configuration settings from the email system (e.g., Microsoft 365 Conditional Access policies, Google Workspace 2-Step Verification settings) and verify that MFA is enforced for all users rather than merely enabled or left in report-only mode, and that legacy authentication protocols that cannot carry a second factor (IMAP, POP3, SMTP AUTH, basic authentication) are blocked
- Review VPN concentrator or gateway configuration files to confirm MFA is required for all VPN connection profiles and user groups, including the RADIUS or SAML integration that supplies the second factor, and confirm that no profile falls back to local or LDAP password-only authentication when the MFA service is unreachable
- Examine Active Directory, privileged access management (PAM) systems, or identity provider (IdP) configurations to verify MFA requirements for accounts with administrative privileges
- Inspect Remote Desktop Gateway policies (connection and resource authorization policies and the RADIUS or NPS extension that supplies the second factor) and the Group Policy Objects (GPOs) that restrict RDP to the gateway, to confirm MFA enforcement for remote desktop access; Network Level Authentication should be required, but it is a pre-authentication hardening setting, not a second factor, and does not by itself satisfy this control
- Select a random sample of 15-20 user accounts spanning standard users, administrators, and service desk personnel, and review their authentication logs for MFA usage over the past 30 days
- Perform live authentication tests by attempting to access email, VPN, an administrative console, and an RDP session using valid credentials without completing the second factor to confirm access is denied
- Review exception logs, bypass accounts, or service accounts to verify any MFA exemptions are documented, justified, and subject to compensating controls
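The log-sampling step above (a sample of accounts reviewed for MFA usage over 30 days) and the exception review can be evidenced from the identity provider's sign-in records. As an added example, not part of this control text or of any vendor's tooling, the Python below evaluates constructed sign-in records shaped after the fields of Microsoft Graph `signIn` objects (the `/auditLogs/signIns` endpoint): it counts, per sampled user and per access path, successful sign-ins that satisfied MFA versus password-only successes, ignores sign-ins that did not complete, and reports users with no activity in the window, who cannot be evidenced from logs alone. The application-name mapping, the sample records, the reference date and the 30-day window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed mapping of application display names to the control's four access paths.
# Real tenants use their own names; take them from the Conditional Access target apps.
IN_SCOPE_APPS = {
    "Office 365 Exchange Online": "email",
    "Corp VPN (SAML)": "VPN",
    "Microsoft Azure Management": "admin",
    "RD Gateway": "RDP",
}

NOW = datetime(2024, 5, 31, tzinfo=timezone.utc)  # constructed reference date

# Constructed sample records with only the signIn fields this check reads.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2024-05-02T08:14:00Z", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Corp VPN (SAML)",
     "createdDateTime": "2024-05-20T18:02:00Z", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    # bob reached RD Gateway with a password only: no policy applied to him.
    {"userPrincipalName": "bob@example.com", "appDisplayName": "RD Gateway",
     "createdDateTime": "2024-05-21T09:30:00Z", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # A service account with a password-only mailbox sign-in: must match the exception register.
    {"userPrincipalName": "svc-backup@example.com", "appDisplayName": "Office 365 Exchange Online",
     "createdDateTime": "2024-05-22T01:00:00Z", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    # A sign-in that did not complete (non-zero errorCode) is not access, so not a finding.
    {"userPrincipalName": "carol@example.com", "appDisplayName": "Microsoft Azure Management",
     "createdDateTime": "2024-05-23T11:45:00Z", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 50074}},
    # Outside the 30-day window: ignored.
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Corp VPN (SAML)",
     "createdDateTime": "2024-03-01T07:00:00Z", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
]


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarise(records, now=NOW, window_days=30):
    """Per user and access path: successful sign-ins split into MFA-satisfied and
    password-only. Skips incomplete sign-ins, out-of-scope apps and old records."""
    cutoff = now - timedelta(days=window_days)
    summary = defaultdict(lambda: defaultdict(lambda: {"mfa": 0, "single": 0}))
    for r in records:
        if _parse_ts(r["createdDateTime"]) < cutoff or r["status"]["errorCode"] != 0:
            continue
        path = IN_SCOPE_APPS.get(r["appDisplayName"])
        if path is None:
            continue
        bucket = "mfa" if r["authenticationRequirement"] == "multiFactorAuthentication" else "single"
        summary[r["userPrincipalName"]][path][bucket] += 1
    return summary


def findings(records, sampled_users, now=NOW, window_days=30):
    """Return (gaps, no_evidence): every password-only success as (user, path, count),
    and sampled users with no in-scope activity, who need a different test."""
    summary = summarise(records, now, window_days)
    gaps = sorted((user, path, counts["single"])
                  for user, paths in summary.items()
                  for path, counts in paths.items() if counts["single"])
    no_evidence = sorted(u for u in sampled_users if u not in summary)
    return gaps, no_evidence


if __name__ == "__main__":
    gaps, missing = findings(SAMPLE_SIGNINS, ["alice@example.com", "bob@example.com", "dave@example.com"])
    for user, path, count in gaps:
        print(f"FINDING: {user} reached {path} {count}x with a single factor")
    for user in missing:
        print(f"NO EVIDENCE: {user} had no in-scope sign-ins in the window")
```

Each gap is then reconciled against the documented exception list from the final step: a password-only success by an account that is not a registered exception is a control failure, and a registered exception still needs its compensating controls checked. Users with no evidence should be covered by the live authentication test rather than passed on the absence of log entries.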
Where this control is tested