Hey All,

I was hoping you guys could help me out with this. I’m having issues trying to get two-factor authentication in place for domain accounts. I was hoping to sync it with Azure since two-factor is set up there for email; is there any way to send this to local desktops in the network? I was looking it up and thought I read it wasn’t an option, but that doesn’t make sense to me.

I imagine there needs to be some software that encrypts the hard drive?

Edit: Personally I was thinking about Duo.

34 Spice ups

We recently wrapped up an MFA/2FA rollout.

Sadly, the MFA requirement for the local login can’t be tied to the Microsoft 365 MFA, although I understand that third-party solutions may offer this.

Drive encryption is not a requirement, but it would be advisable.

1 Spice up

Ok! I’m glad I’m at least not crazy! What did you guys use for your local logins? I’m currently thinking about DUO.

3 Spice ups

We are looking at Duo as well.

We don’t consider our facilities to be unsecured, so we’re happy to leave the workstations with single authentication. We moved our entire file system to Sharepoint, and there’s nothing on the network that is of value (read: no operational data).

We did consider deploying the Microsoft solution: NPS (which requires AD CS), which anyone should look at as the “baseline Microsoft option”, and pick a 3rd party from there.

I did explore using Yubikeys, but at $50/key, deploying a key (or two) to each user was deemed too costly (although it was a lot cheaper than RSA). You might want to check out Okta as well (I’m not vouching for them, just naming one 3rd party solution that I know of).

I was actually really curious about Yubikeys but got confused. It looks like they only sell the keys and the software is free? Or is it that you need to use another program like duo?

Also, never heard of Okta but I’ll be sure to check it out.

Duo has a MFA solution that can provide 2FA to the workstation. It works pretty well in my opinion. Yubikey provides a hardware token which acts as a factor of authentication. You can use that as “something you know”.

Okta is an Identity and Access Management solution. It allows you to provide MFA primarily to your cloud apps, but I believe they have a solution to provide MFA to the Windows login as well.

JumpCloud is another provider in that IAM space that has a similar offering, and can provide MFA to the cloud apps, but also to your Windows login.

Yubikey works as a factor to Duo, Okta, or JumpCloud.

Other MFA options available (not necessarily from Yubikey) include TOTP, and there are a lot of providers out there including Google Authenticator and Microsoft Authenticator. I’m only mentioning it to state there are other options.

You can even use Duo with an IAM to provide more flexibility with your MFA options, as some orgs require it.

BitLocker in a Windows environment is a popular option for full disk encryption, and a good practice.

Hope this helps.

2 Spice ups

I’ve experienced this setup through RSA…what a joke. Stay away from RSA.

3 Spice ups

We’ve started using DUO for desktops, RDP and SSL VPN; I’m a fan. I know it costs, but from what I’ve done with it, it’s been worth it. My first SSL VPN implementation didn’t go perfect; they helped me tshoot it. Then my RDP setup got goofy too. If you catch their support line at the right time, the wait is usually less than 7 minutes. I’ve had waits of up to 45 minutes, but once I got a person on the line, they pretty much did what I said/asked, while teaching me. Thus far it has been my favorite, and myself and another guy have spent some time becoming our team’s Duo resources.

I just recently deployed this setup with DUO. Works very nicely. You can tie it down to a group of users on workstations and servers or apply to all users with workstations and servers. DUO also has a solution to provide hardware tokens either from them or another brand you wish to bring to the table.

We use RSA for Citrix. It still can be a pain at times.

We were looking at Authlite for MFA. It works with Yubikey or similar hardware token too. If Duo is too expensive, they might work for you.

3 Spice ups

We use DUO for RDP on all our machines. It has been nice to use. No real problems for us. I like that you can install the app as much as you want, we are only getting charged per user and since the only users affected are the ones using RDP anyways it hasn’t been a big deal.

1 Spice up

Yeah, the Yubikey option isn’t very clear; yes, it’s primarily just a token. There’s 2 versions: Blue and Black. The Blue ones are mostly for the simple public websites (Facebook, Twitter, Google, etc) and the black one’s a token that would work with whatever local MFA solution you choose (Black keys are the same as Blue keys, plus some).

The way it’s secure (i.e. not replicable) is that you have to put the key in a USB slot, which triggers an app to launch and asks you to touch the sensor on the key. The app ties into whatever supported MFA solution you are using (including Microsoft’s NPS). It’s best to get two keys, in case you lose one, but the Black keys can be centrally managed, so it’s not too much of an issue having only one per user.

Most services will let you set up two keys (except for Yahoo, but who’s surprised), so you can use your “backup” key to swap out a lost key for a new one. Theoretically, a couple can share two Blue keys (assuming you trust your significant other to help you replace your lost key!).

I had to explore using tokens, because SMS authentication, as simple and convenient as it seems, isn’t foolproof (there are several vulnerabilities). They’re not major, but for anyone that (needs to) takes security seriously, you don’t use SMS for MFA.

Professionally, I use the Microsoft Authenticator app on my company iPhone, wherever I can, and a (blue) Yubikey for systems that don’t accept the Microsoft app. Personally, all my (significant) accounts are secured with two (blue) Yubikeys.

Edit: be sure to purchase security tokens from a reliable source. Never buy 2nd-hand keys.

3 Spice ups

If you go with Duo, be aware that it doesn’t protect any network access attack vectors (PowerShell, RPC, CIFS, etc.); it just presents an extra step when you are doing console or RDP logon.

Disclosure tho: I work on AuthLite, and so I’m more likely to point out this limitation in other products.

1 Spice up

DUO is great. I’ve used it for myself and the office for a while. As long as you can keep people from sending text messages through it, it’s totally free, and it works quite well.

The only issue I’ve ever really had with it is that there’s really no good way to have an MFA mechanic when your internet is down using this other than ‘fail open’ which rather defeats the purpose.

One of the things that I like the most is the ability to simply bind a username to your phone number. This has allowed me to pretty easily use my same phone number for a lot of different systems simply by adding a unique username (or a common username). Excellent for security VMs and your domain structure in general.

My MFA fails closed. I have redundant ISPs, firewalls, data centers, and local servers, so I should generally be okay. I do have non-MFA local logons to networking gear if crap hits a fan.

They have an offline mode that seems to work for these use cases, unless I’m misunderstanding something.

1 Spice up

I implemented Authlite right before we went to work from home, good call!

It’s fairly easy to implement, supports Authenticator (Google and Microsoft) apps as well as the Yubikey.

Implementation is “free” and the developer helps you with any tech issues.

I use the Yubikey, and some of our “not using my phone for company use” folks have it too. It works great, is updated frequently and does what it is supposed to do: MFA against domain logins on PCs and VPN.

1 Spice up

Plus one for the Yubi Key. Don’t leave it at the office if you need to log in at night or you will be driving!

3 Spice ups