I need to set up two-factor authentication for my administrator accounts. I have an on-premise Exchange server set up as a resource forest to two account forests with linked mailboxes for single sign-on. Yes, the Hafnium patches have been applied. No, this doesn’t have anything to do with Hafnium. All of the administrator accounts, including accounts in Enterprise and Domain Admins, need two-factor authentication. I see that MFA Server has been discontinued. My Exchange AD is in Azure as we use Exchange Online Protection. What are my options?


Do you have any existing MFA providers, such as Duo?

No. We don’t have anything existing.

I think that you need to be very clear about what kind of applications and authentication activity you want MFA for. Not all solutions cover all scenarios.

For example, the Exchange Control Panel and PowerShell use different authentication mechanisms.

The box I am trying to check is on an audit form written by people who don’t have an understanding of technology. I am currently failing because I can’t check the boxes. My setup exceeds the form requirements. My encryption algorithms aren’t on the form so they aren’t good enough. AES128 is the highest on the form. I use AES256. SSL v3.0 and TLS 1.0 are required. Of course those are disabled. TLS 1.2 and 1.3 are the only protocols I support. The form is a joke.

The only information I have is “Do you use 2-factor authentication to secure all domain or network administrator accounts?” No one I have talked with is technical enough to explain what the question means. I take the literal meaning as I have to set up 2FA on my domain controllers to cover the domain/enterprise admin accounts. Or I have to set up a RADIUS server so all of my network equipment (firewall, network switches, router) can use the RADIUS server for authentication and hopefully use a 2FA mechanism. It doesn’t look like the Microsoft RADIUS server supports 2FA. It looks like Microsoft is forcing everyone to the cloud so they can milk us every month. Of course the owners don’t want to pay a monthly bill, or preferably any bill, so I don’t have a budget for this.
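A starting point for the scope question above, as an added example that is not from the thread: a PowerShell inventory of every account that ends up in the privileged groups across the resource forest and the two account forests (nested groups and cross-forest members included), so the “all domain or network administrator accounts” box has a concrete list behind it. The forest names are placeholders, and the RSAT ActiveDirectory module and working trusts are assumed.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and that the placeholder forest names below are reachable over existing trusts.
Import-Module ActiveDirectory

$Forests = @('exchange.example', 'corp-a.example', 'corp-b.example')   # placeholders
$Groups  = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
$Visited = [System.Collections.Generic.HashSet[string]]::new()         # guards against group cycles

function Resolve-PrivilegedMembers {
    param([string]$Forest, [string]$GroupName)
    $gc = "$Forest`:3268"   # global catalog, so members in other domains of the same forest resolve
    $group = Get-ADGroup -Identity $GroupName -Server $gc -Properties member -ErrorAction SilentlyContinue
    if (-not $group) { return }   # e.g. Enterprise Admins only exists in the forest root
    if (-not $Visited.Add("$Forest/$($group.DistinguishedName)")) { return }

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $gc -Properties objectSid, sAMAccountName
        switch ($obj.ObjectClass) {
            'user'  { [pscustomobject]@{ Forest = $Forest; Group = $GroupName; Account = $obj.sAMAccountName; Source = 'local' } }
            'group' { Resolve-PrivilegedMembers -Forest $Forest -GroupName $obj.DistinguishedName }   # nested group
            'foreignSecurityPrincipal' {
                # Member from a trusted forest (the account-forest logins). Get-ADGroupMember -Recursive
                # fails on these, so translate the SID ourselves; fall back to the raw SID if no trust path.
                $sid  = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
                $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
                [pscustomobject]@{ Forest = $Forest; Group = $GroupName; Account = $name; Source = 'trusted forest' }
            }
        }
    }
}

$inventory = foreach ($f in $Forests) {
    foreach ($g in $Groups) { Resolve-PrivilegedMembers -Forest $f -GroupName $g }
}
# One row per distinct account; this is the list any 2FA control has to cover.
$inventory | Sort-Object Account -Unique | Format-Table Forest, Group, Account, Source -AutoSize
```

Whatever MFA product ends up in front of these accounts, re-running the inventory after enrolment and diffing it against the enrolled list is the evidence an auditor can actually check.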

Aha, I know what you’re dealing with now and I’m stuck in a similar boat. For the authentication and encryption stuff I check the box regardless when it’s a better technology.

However, I don’t have a good answer for 2FA on the domain. Watching this thread for suggestions.

Okay, you can apply MFA for O365/M365. You can apply MFA for RADIUS authentications. It is a lot harder to just do it for all administrative access in an AD environment, because AD wasn’t built to do that.

I know of two products that will help put these kinds of controls in AD environments: Silverfort (https://www.silverfort.com/) and UserLock (Protect Active Directory Identities with 2FA and SSO | UserLock).


I have been doing MFA with Microsoft RADIUS for almost 10 years now.

AuthLite is designed for securing AD admin accounts such that they fail safe/secure and you only get the Domain Admins group SID once you’ve demonstrated 2FA logon. (See, in particular, this configuration.)

Thanks @kevinhsieh
UserLock can indeed help you add MFA for all on-premise Active Directory user accounts.
It works right alongside on-prem AD to enable MFA for Windows logon, RDP, RD Gateway, VPN and IIS sessions.
It can also enable SSO, combined with MFA, on access to Microsoft 365 and other cloud applications, all still using on-premise AD as your identity provider.

  • Works with both mobile apps and hardware tokens such as YubiKey & Token2
  • Can work with no internet connection or LAN connection to still ensure MFA is prompted
  • Circumstances for MFA can be customized with granular settings
  • Recovery codes available for end users
  • Users can self-enroll easily, even remotely
  • RT monitoring, alerts and full audit on all logon events

Hope this might help. Free 30-day fully functional trial.

Short video focusing on MFA for Windows login and RDP