I need some clarification regarding a request from my boss about requiring multi-factor authentication (MFA) for directly connecting to server drives via SMB. I typically connect as an admin without any MFA, and it's not something I've encountered before. Is there any way to enforce MFA on these connections? Currently, we're using Duo for MFA during RDP sessions and have set up a Duo LDAP auth proxy for VPN access, but I'm unsure if any of this can be applied to secure SMB share connections. I'm looking for a sanity check on this or any potential solutions that might work. Thanks in advance!
6 Answers
From my experience with compliance, we usually require Duo for local Windows logins instead, which essentially covers most scenarios without adding extra steps for SMB access. Just a heads-up though, Duo for Windows Logon disables Windows Hello and may complicate things for large deployments. While this doesn't directly meet your boss’s request, it could still enforce MFA for accessing those shares effectively. It's worth considering!
For Windows Server with Active Directory, look into Central Access Policies. This will help you manage access controls without needing to enforce MFA directly for SMB connections.
Just to clarify, directly connecting to server drives without MFA is standard behavior—your initial access at login already includes MFA. Adding MFA for subsequent SMB access sounds unnecessary and could lead to issues. A better solution might be to implement stricter idle timeouts or more granular permissions on your share configurations. It's essential to assess why your boss wants to apply MFA here before taking any further steps.
Instead of trying to force MFA on SMB, a better approach is to disable NTLM and require MFA for critical accounts using options like YubiKeys set as PIV. This ensures that admins also face MFA requirements without unnecessarily complicating share access.
Requiring MFA for SMB access is problematic because SMB uses NTLM as its authentication protocol, which doesn't support MFA. The only way to get MFA on SMB shares is through an authentication proxy, but be aware that this could disrupt operations, especially for service accounts and mapped drives. Plus, you'll need SMB access for essential Active Directory functions like gpupdate, so enforcing MFA might risk breaking your entire AD domain setup. Just keep that in mind when discussing this with your boss.
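SMB on a domain authenticates through SPNEGO, so a given session lands on either Kerberos or NTLM; before following the two answers above (restricting NTLM, and putting smart-card MFA on critical accounts) it helps to know which clients and accounts are still negotiating NTLM against the file server. The following script is an added example written for this thread, not code from any of the answers or from Duo or Microsoft. It assumes it is run elevated on the file server, that logon auditing (event 4624) is on, that the ActiveDirectory and SmbShare modules are available, and that `$CriticalAccounts` is filled with your own tier-0 account names (the empty default is a placeholder).

```powershell
# Added example (not from the thread): inventory NTLM network logons on a file
# server before tightening "Restrict NTLM", so the service accounts and mapped
# drives that would break are visible first. Run elevated on the share server.
param(
    [int]$Hours = 24,
    [string[]]$CriticalAccounts = @()   # constructed placeholder: your tier-0 sAMAccountNames
)

# Step 1: switch on NTLM auditing. This registry value backs the policy
# "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"; 2 = audit all accounts.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
if (-not (Test-Path $lsa)) { New-Item -Path $lsa -Force | Out-Null }
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord

# Step 2: read network logons (LogonType 3) from the Security log and keep only
# those whose authentication package was NTLM rather than Kerberos.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$ntlm = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    if ($d['LogonType'] -eq '3' -and $d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Client  = $d['IpAddress']
            Flavour = $d['LmPackageName']   # NTLM V1 vs NTLM V2
        }
    }
}

# Step 3: summarise by account and client; service accounts and persistent
# drive mappings show up as high counts from the same source.
$ntlm | Group-Object Account, Client | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account, Client'; e = { $_.Name } } |
    Format-Table -AutoSize

# Step 4: live SMB sessions on this server, to compare against the NTLM list.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens |
    Format-Table -AutoSize

# Step 5: require a smart card (a PIV-configured YubiKey qualifies) for the
# critical accounts. Every interactive logon for them then needs the card and PIN,
# and the SMB sessions they open afterwards inherit that, without touching SMB.
if ($CriticalAccounts.Count -gt 0) {
    Import-Module ActiveDirectory
    foreach ($acct in $CriticalAccounts) {
        Set-ADUser -Identity $acct -SmartcardLogonRequired $true
    }
}
```

Leave the audit running for at least one full business cycle before moving `RestrictReceivingNTLMTraffic` on the same key from audit to deny; anything that appears only in the NTLM summary (non-domain-joined clients, accounts addressed by IP rather than hostname, old appliances) needs a Kerberos-capable path or an explicit exception first.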
You might face some surprising complications if you enforce MFA for SMB access. Instead, consider running a script at user logon to clear cached credentials. You could also lower the inactivity timeout so that computers lock faster when unattended, which might be a less intrusive approach while still enhancing security.
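The two mitigations in the answer above, clearing stored credentials and mapped shares at logon and shortening the idle lock, fit in one small script. This is an added example for this thread, not code posted by the answerer; it assumes the per-user part is deployed as a GPO logon (or logoff) script, that the machine part runs once, elevated, and that the 900-second limit and the `$KeepTargets` list are constructed sample values to replace with your own.

```powershell
# Added example (not from the thread). Part A runs in the user's context at logon
# or logoff; Part B runs once per machine with admin rights.
param(
    [ValidateSet('User', 'Machine')] [string]$Mode = 'User',
    [int]$IdleSeconds = 900,                     # constructed sample value
    [string[]]$KeepTargets = @()                 # constructed: targets you do not want removed
)

# ---- Part A: per-user cleanup of reusable credentials ----
function Clear-StoredCredentials {
    param([string[]]$Keep = @())
    # cmdkey /list prints one "Target: <name>" line per saved entry, e.g.
    # "Target: Domain:target=fileserver01". Pass that name back to /delete.
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
    }
    foreach ($t in $targets) {
        if ($Keep -contains $t) { continue }
        cmdkey /delete:$t | Out-Null
    }
    return @($targets | Where-Object { $Keep -notcontains $_ }).Count
}

function Remove-MappedShares {
    # Drop every mapped drive and open SMB connection for this user session,
    # so a drive mapped with "remember my credentials" does not survive.
    net use * /delete /y | Out-Null
}

# ---- Part B: machine inactivity lock ----
function Set-InactivityLock {
    param([int]$Seconds)
    # Registry value behind "Interactive logon: Machine inactivity limit".
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name 'InactivityTimeoutSecs' -Value $Seconds -Type DWord
}

switch ($Mode) {
    'User' {
        $removed = Clear-StoredCredentials -Keep $KeepTargets
        Remove-MappedShares
        Write-Output "Removed $removed stored credential(s) and all mapped shares."
    }
    'Machine' {
        Set-InactivityLock -Seconds $IdleSeconds
        Write-Output "Machine will lock after $IdleSeconds seconds idle."
    }
}
```

Running the user part at logon rather than logoff also covers sessions that ended by power loss or a crash. Note that it clears only Credential Manager entries and drive mappings; cached domain logon verifiers (`CachedLogonsCount`) are a separate setting and are not touched here.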
That's a good point, but relying solely on the endpoint for Duo isn't foolproof. If for any reason Duo isn't deployed correctly, users could still access shares without any MFA. For real security, smart cards might be necessary.