I’m looking for a better way to secure Windows Active Directory. Password complexity and lockout is fine, but if a password is known, it does no good. I would like to use MFA if possible. Does anyone have a good suggestion for this?

Pete

5 Spice ups

What do you want to use as your second factor, what’s your budget, and what other things do you need to secure with MFA, if applicable?

Duo is great, smartcard support is built-in, various Yubikey methods are available as well. Depends on what you’re after.

Don’t need to get crazy with it. Looking to secure logins to active directory and possibly RDP (not currently using RDP but if we do, I want it secure). Single Sign On would be nice with 365 but I don’t want to have an integrated AD as we have had issues with that in the past when sync randomly stops.

RDP, like internal RDP, or RDP Gateway? Definitely want to secure remote access (like VPN), but I hope that’s not implying RDP open to the world.

What second factor do you want to use? How many users?

If you have concerns about unauthorized logins, you could improve your security by setting up multi-factor authentication for your users. I recommend this at least for users that have administrative roles - MFA: why you should use it. Moreover, you can use Duo Security for this purpose.

Why you Need to Audit Privileged Accounts in Active Directory

Create a security policy and implement it - Important GPO Settings for Security.

Restrict access across your network - Implement the principle of least privilege.

Audit Active Directory and set alerts on critical access. You need to enable security auditing or try LepideAuditor for Active Directory to keep track of all activities with detailed reports and real-time alerts.

Security Best Practices for Active Directory

1 Spice up

I have been looking at YubiKey for 2FA, but honestly, it doesn’t appear to be that secure. Unless I have it configured incorrectly, it only gives the option to use the chip, meaning that you can also use a password if you lose your chip. Plus, the integrated touch sensor allows anyone to touch it and it works, so if a user leaves it in their system, anyone can get in more easily than with a password.

I would never expose RDP to the world. We currently use the following security:

  • VPN access to get to internal resources
  • Strict security GPO with password expiration, complexity, lockout, etc.
  • Auditing logs for failed and successful logins
  • Country Blocking on firewall

However, we have run into issues where users have given their passwords to other users. One particular user had given a management level password out to several staff because they didn’t have access to a shared folder not realizing they gave access to payroll files. We can’t protect against stupidity unfortunately, but we need to make it difficult for someone to use compromised credentials and MFA is the only way to go.
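As an added example that is not part of this thread: the kind of check the "auditing logs for failed and successful logins" bullet above implies, run over a constructed set of Windows Security 4624 (successful logon) records to flag one account logging on interactively from several workstations within a short window, which is what a shared password looks like in the log. The record fields, logon-type set and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4624 events reduced to the fields the check needs
# (timestamp, account, source workstation, logon type). Not real data.
SAMPLE_LOGONS = [
    ("2024-03-04 08:01:10", "CORP\\jsmith", "WS-101", 2),
    ("2024-03-04 08:03:45", "CORP\\jsmith", "WS-118", 2),
    ("2024-03-04 08:05:02", "CORP\\jsmith", "WS-122", 2),
    ("2024-03-04 08:07:30", "CORP\\mgarcia", "WS-205", 2),
    ("2024-03-04 09:40:00", "CORP\\mgarcia", "WS-205", 2),
    ("2024-03-04 10:12:00", "CORP\\svc-backup", "SRV-01", 3),  # network logon, ignored
    ("2024-03-04 13:15:12", "CORP\\jsmith", "WS-101", 2),
]

# Logon types that mean a human signed in at a keyboard or RDP session:
# 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive.
INTERACTIVE_TYPES = {2, 10, 11}


def shared_credential_candidates(events, window=timedelta(hours=1), min_hosts=3):
    """Return {account: sorted hosts} for every account whose interactive
    logons came from at least `min_hosts` distinct workstations inside any
    sliding window of length `window`."""
    per_account = defaultdict(list)
    for ts, account, host, logon_type in events:
        if logon_type in INTERACTIVE_TYPES:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            per_account[account].append((when, host))

    flagged = {}
    for account, logons in per_account.items():
        logons.sort()  # chronological, so each start index opens one window
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break  # one hit per account is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for account, hosts in shared_credential_candidates(SAMPLE_LOGONS).items():
        print(f"ALERT {account} used interactively from {len(hosts)} hosts: {hosts}")
```

Tune `window` and `min_hosts` to the environment; a help-desk account that legitimately roams will need a higher threshold or an allow-list.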

Okay, good deal. Personally I’d MFA the VPN too.

How many users? Still need to know what factors you want to use too. SMS (bad), push app, hardware token, etc?

1 Spice up

We use one-time passwords for VPN using Sophos VPN, so we’re good there. We prefer a push app for MFA. I was looking at Azure Active Directory MFA integrated into the domain, but I may understand that fully. We have used it in the past to sync passwords to Office 365, but I don’t see that it can provide MFA for local login to AD.

I’d go with Duo, it’ll handle this well and uses an app, though it supports other options as well.

Thanks. There’s no option for using the Azure AD with Microsoft app for MFA?

You definitely need VPN.
When all this work-from-home madness started, I posted How to ensure security when so many of your employees are working remotely here on Spiceworks - maybe it’ll give you some useful ideas.
Also, with the help of our admins I posted a series of Tips on remote work from the Netwrix IT team.

As for personal preferences - try Duo - it’s quite versatile and judging from comments above - quite popular too.

Speaking of theory, as far as I remember, globalknowledge.com has posted The Three Types of Multi-Factor Authentication (MFA) article and the Multi-Step Authentication and Why Should I Use It white paper, instead of which in the comments above for some reason there’s a link to a dubious site full of shameless plagiarism.

Azure MFA should work with various Windows Server installations.

Maybe this could help? Getting started Azure Multi-Factor Authentication Server - Microsoft Entra ID | Microsoft Learn

Another vote for Duo for me. Currently using it for AD, Dayforce for payroll and ConnectWise for a handful of people.

2 Spice ups