I'm looking to enable multi-factor authentication (MFA) across our Windows domain, but I'm aiming to start specifically with our admin accounts for servers and workstations. I've heard that Duo can manage this, but I'm concerned about its effectiveness if not everyone has a Duo license. Additionally, I've come across some information that Duo only supports interactive logins and may have vulnerabilities that allow bypassing. If anyone has updates on these issues, I'd love to hear them!
3 Answers
We actually use AuthLite and it works well with TOTP (Time-based One-Time Password). The trick for us is authenticating with a separate account that includes the OTP in the username. This means our main accounts aren't in the Domain Admins group, making it tougher to just log in without the OTP. For using RSAT (Remote Server Administration Tools), we run the executable with 'Run as different user' and include the OTP as part of the username. Yes, it takes a few extra steps, but it's manageable.
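The separate-admin-account model in the answer above only holds if no day-to-day account is left in a privileged group. The following PowerShell is an added example, not code from the answer or from the AuthLite product: it audits the built-in privileged groups for members that do not look like dedicated admin accounts, then shows the "Run as different user" launch of an RSAT console. It assumes the ActiveDirectory RSAT module is installed, and the `adm-` naming prefix, the `CORP` domain and the `adm-jdoe` account are assumptions for illustration; the exact form in which AuthLite expects the OTP in the username field is product-specific and not shown.

```powershell
# Added example (not from the original post or from AuthLite).
# Audits privileged groups for non-dedicated accounts, then launches an
# RSAT console as a dedicated admin account.
# Assumptions: ActiveDirectory module present; dedicated admin accounts
# use the prefix "adm-" (assumed convention); domain "CORP" (assumed).
Import-Module ActiveDirectory

$AdminPrefix      = 'adm-'   # assumed naming convention for OTP-protected admin accounts
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect membership is caught too
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, mail
            [pscustomobject]@{
                Group          = $group
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                HasMailbox     = [bool]$u.mail
                # A mail-enabled account, or one without the admin prefix, in a
                # privileged group means a day-to-day identity can skip the OTP path.
                Violation      = ($u.SamAccountName -notlike "$AdminPrefix*") -or [bool]$u.mail
            }
        }
}

$findings | Sort-Object Violation -Descending | Format-Table -AutoSize

if ($findings | Where-Object Violation) {
    Write-Warning 'Non-dedicated accounts hold privileged group membership; move them to dedicated admin accounts before relying on OTP.'
}

# "Run as different user" for an RSAT console (Active Directory Users and Computers).
# The credential prompt is where the OTP goes, in whatever form the OTP
# product expects for the username field.
# runas /user:CORP\adm-jdoe "mmc.exe dsa.msc"
```

Run the audit periodically (or from a scheduled task) rather than once: privileged group membership drifts, and a single day-to-day account added to Domain Admins silently reopens the non-OTP path.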
Duo charges per account, so you can set it up to sync with Active Directory and specify which security groups you want to protect. As long as the users are part of those groups, it won’t matter which system they log into. They’ll still get MFA, which is great for security.
If you have a Public Key Infrastructure (PKI), you might consider using certificate-based authentication utilizing a YubiKey or similar device. It provides strong security, but it looks like you don't have an internal CA set up yet, right?
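To answer the question the answer above ends with, here is an added PowerShell check (not code from the answer or from any YubiKey or Microsoft tooling) that reports whether the forest has an enterprise CA published in Active Directory and whether the domain controller it runs on holds a certificate with the KDC Authentication EKU that certificate-based (smart-card style) logon depends on. It assumes the ActiveDirectory module is installed and that the second half is run on a domain controller; no names beyond the standard AD containers and well-known OIDs are assumed.

```powershell
# Added example (not from the original answer). Checks the two prerequisites
# for certificate-based domain logon: an enterprise CA published in AD, and a
# DC certificate carrying the KDC Authentication EKU.
# Assumptions: ActiveDirectory module present; second half run on a DC.
Import-Module ActiveDirectory

# Enterprise CAs are published as pKIEnrollmentService objects under this
# well-known container in the Configuration partition.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$caContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$cas = Get-ADObject -SearchBase $caContainer -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKIEnrollmentService"' `
    -Properties dNSHostName, cACertificateDN

if (-not $cas) {
    Write-Warning 'No enterprise CA is published in AD; set one up (or import an external CA into NTAuth) before planning YubiKey/certificate logon.'
} else {
    $cas | Select-Object Name, dNSHostName, cACertificateDN | Format-Table -AutoSize
}

# For smart-card logon the KDC must present a certificate with the
# KDC Authentication EKU (issued from the "Kerberos Authentication" template);
# older "Domain Controller" template certs carry only Server Authentication.
$kdcAuthOid   = '1.3.6.1.5.2.3.5'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}

$kdcCerts = $dcCerts | Where-Object {
    $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $kdcAuthOid }
}
$legacyDcCerts = $dcCerts | Where-Object {
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
    -not ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $kdcAuthOid })
}

if ($kdcCerts) {
    $kdcCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
} elseif ($legacyDcCerts) {
    Write-Warning 'Only legacy Domain Controller certificates found; enroll this DC for the Kerberos Authentication template.'
} else {
    Write-Warning 'No usable DC certificate found; certificate logon will fail on this KDC.'
}
```

Run the first half from any domain-joined admin workstation and the second half on each DC; a forest can have a CA and still fail YubiKey logon because a single KDC lacks a current certificate.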

Did they ever patch that issue where some attackers could bypass Duo using scripts? I keep seeing older comments about this flaw and it's making me wonder if they resolved it.