Cyber Insurance Requirements - MFA on all administrative logins

Posted by MiniMica@reddit | sysadmin | View on Reddit | 267 comments

Our cyber insurance renewal is coming up, and we are still kind of dealing with the requirements from last year. I am not sure if anyone else has insurance like this, but ours is requiring all administrative accounts to be protected by MFA. This includes: * Windows Servers * Local Admin users * NAS drives * Linux * Backups * Network (Switches/Firewalls/Vmware etc) * Along with anything that has any form of admin access, so like door access A good portion of these we've been able to protect with a mixture of native built in MFA, others we've had to do a bit of juggling with the use of jumpboxes, but some of our infrastructure doesn't have native MFA support. I am currently in the process of talking to Duo about a possible solution, they claim they can pretty much MFA up any application. I would assume this is just sales jargon, or is there something I am just missing? I'm seeing documentation mention using a Radius server? This would also require the device/software to also support it? Or can Duo do something magical?

Reply to Post

Reply

267 Comments

[-]

jlipschitz@reddit

Check out Crowdstrike Identity Protection. It can for force MFA when it detects a password prompt.

Reply

[-]

use_em_and_lose_em@reddit

Does this work for domain admins without easily being bypassed?

Reply

[-]

jlipschitz@reddit

Yes. It can’t be bypassed other than going into crowdstrike and putting an exception in for a specific user.

Reply

[-]

use_em_and_lose_em@reddit

Thanks, I need to look into this.

Reply

[-]

sober_holtzer@reddit

I work with insurance carriers & you can actually use an Zero trust VPN that includes MFA. You do not need to purchase a full system just for that. I recommend [Privatise.com](https://Privatise.com), You get centralized system for device management, DNS filtering, remote office cluster, SASE, IDS/IPS, VPN, Virtual firewalls.

Reply

[-]

OtisB@reddit

Duo MFA is not user-based. It's machine/device based. There is no way you can use duo to provide MFA on an administrative login on a device that doesn't already have duo installed. It's going to end up meaning you need duo on literally everything that supports it.

Reply

[-]

Phyber05@reddit

I am a Duo customer/admin and this is correct.

Reply

[-]

OtisB@reddit

Yeah, I learned that the hard way after beginning a duo implementation and then asking them how to do it. I wasn't impressed when they explained this to me. I understand, but it's the biggest problem with duo as an MFA provider - there's no integration with AD that can check logins at the domain level instead of just the device level.

Reply

[-]

Phyber05@reddit

I mean, I'm not mad at all users being subject to extra security for everyone's benefit.

Reply

[-]

OtisB@reddit

me either, but as the person who had to explain why the bill was going to be45k/year instead of the expected 15k, it wasn't a happy surprise.

Reply

[-]

justmirsk@reddit

We use Secret Double Octopus. For apps, it can do LDAPS and RADIUS auth. To those discussing that credential provider solutions don't protect things like enter ps-session, I agree. SDO is a bit different in that it is frequently rotating your credentials, possibly every time you use it if you want. This significantly reduces the likelihood of compromised credentials and attacks like this happening. Happy to give more info if you need.

Reply

[-]

OkGroup9170@reddit

Do you have a contact for them, submitted the contact form multiple times and never had anyone reach out.

Reply

[-]

justmirsk@reddit

Sorry to hear that. I am a reseller and integrator of theirs. I would be happy to help you if you want to chat and see a demo etc.

Reply

[-]

RCTID1975@reddit

> they claim they can pretty much MFA up any application. Between native abilities, jump boxes, and RADIUS, you can put about 99.9% of everything behind Duo.

Reply

[-]

issaaccbb@reddit

I've been on the receiving end of duo and can comment has incredibly seemless it is. It only pops when I need my admin account to rdp into a computer, not for my non-admin account. It was also a very smooth rollout to all machines

Reply

[-]

Hour-Literature-5985@reddit

Hello, I am given similar project. I have a question, we would like to protect the DC and other server with DUO for console as well as RDP login for admin account. We can pretty much able to do it but we are also using domain admin password to install and troubleshoot users computer. Is there a way we can prompt for MFA whenever we use Domain admin account on users computer as well? if yes do we need to install DUO client on users computer as well?

Reply

[-]

ExcitingTabletop@reddit

I used okta rather than duo, but yeah, same. The users weren't thrilled about MFA, but management was on board because of the insurance requirement. It took us a bit to explain the app does not record ANY information. They turned out to really like having less passwords, and thankfully we did stress that in all the announcement emails. RADIUS was easy to MFA, and works on any RADIUS device even if it doesn't natively support MFA. I assume Duo is the same, but okta had guides for damn near everything and how to MFA it. Having one app and single code rather than a bazillion OTP entries is also super nice.

Reply

[-]

eagle6705@reddit

Jump boxes?

Reply

[-]

RCTID1975@reddit

Basically, it's a computer that you use to manage your devices. You then lock the device to only be managed by that IP. And finally, you restrict access to that computer to always require MFA. Yes, I realize you can easily unplug that computer, and assign the IP to another computer and completely bypass the whole setup, but apparently insurance companies don't know this or something. Either way, the whole requirement is nothing but theater anyway as others have mentioned.

Reply

[-]

Bluetooth_Sandwich@reddit

> Yes, I realize you can easily unplug that computer, and assign the IP to another computer and completely bypass the whole setup The flaw in that argument is ransomware isn’t a physical threat, it’s not going to manifest itself in the real world to perform the task of unplugging anything. At least that’s my belief as to why liability insurance companies don’t address the use of jump boxes.

Reply

[-]

RCTID1975@reddit

IMO, they allow jump boxes simply because sometimes there's either not a feasible option, or it's cost prohibitive. Insurance companies need to weigh those things, and I have no doubts we'll see stricter and stricter requirements as options come to market.

Reply

[-]

TabooRaver@reddit

> Yes, I realize you can easily unplug that computer, and assign the IP to another computer and completely bypass the whole setup, but apparently insurance companies don't know this or something. In theory, the devices could be on a separate network/VLAN and the jump box has two network interfaces or a firewall exception. Or for legacy equipment, an IPKVM could act as a jumpbox. Make sure it's all contained in a locked server rack and I would consider it compliant.

Reply

[-]

TyphoidJaneDoeMary@reddit

I'd tell the to eat shit and die if they told me the rack needed to be locked. 1 gate, 1 security guard, 1 man trap, 1 keycard + pin, 1 keycard to get near my servers.

Reply

[-]

flapadar_@reddit

The locked rack thing is probably more for multi tenant datacenters.

Reply

[-]

TyphoidJaneDoeMary@reddit

Mine is a colo, but I still have my own locked cube. I don't get people insisting on locked racks, 99% of the time it's the same Schneider Electric or APC key that opens more or less all racks on the planet.

Reply

[-]

vialentvia@reddit

And it's a wafer lock at that, in my experience. There are so many times that I've had to open one without a key. Round keys aren't as common and just as easy.

Reply

[-]

ExcitingTabletop@reddit

You can swap out the lock. It's a "cam lock", and just measure to make sure it fits. If the cylinder the correct diameter, it'll work 99% of the time, because the latch is screwed to the back of the cylinder. I've bought even medeco cam locks for couple bucks on eBay. Finding someone to rekey them can be interesting. I can do it myself, but I'm lazy and prefer to spend my personal time making lockpicks rather than keys.

Reply

[-]

vialentvia@reddit

A cam lock is describing a wafer, really. They all have a latch screwed on the back. A Lishi tool would be your friend if you knew what the keyway profile was for getting a new one made. I have to admit, the shock value of coworkers vs my paper clip picks are worth it. I never bring my pick set unless i warn the boss first. Too many paranoid types.

Reply

[-]

ExcitingTabletop@reddit

Cam lock != wafer. It's common in office furniture. I do like Lishi tools, I own a bunch. They're absolutely great for their exact model and damn near worthless if you run into a different model. They're hyper-optimized for a very very specific task. As for carrying, mine are more art than functional, but obviously work just fine. Should when you sand them to 100000 grit. Nice thing is when you have a handmade case with handmade picks, it's harder for anyone to think they're being used for criminal purposes. Not that I want to sell them, but if I did, I'd probably charge more than anything you're likely to be able to steal with a lockpick set. $200 ish per pick is about right. Less in bulk. I do have a couple kilos of laser cut picks I might crank out as semi-custom.

Reply

[-]

vialentvia@reddit

I had to check if we were in r/cybersecurity for a second. I like exploiting physical access during my auditing. It's almost become a hobby.

Reply

[-]

Cyhawk@reddit

"On this episode of Lock picking lawyer, Im going to, and there we go. I now have ChatGPT v4s source code on this hard drive. Its just that easy":

Reply

[-]

RCTID1975@reddit

Yes, you can certainly do all of that, but it still doesn't change the fact it's relatively trivial to replace that jump box with one that doesn't require MFA.

Reply

[-]

TabooRaver@reddit

Sure, if you can break into a colo then cage (or office building then server room), and then the rack. You could theoretically pull the box out and replace it with one you control, But if all of the infrastructure of a network exists behind a physical security boundary, which does add some security, though physical security shouldn't be relied on alone. But if you're that paranoid there are other mitigating controls you could enforce, such as 802.1x on the network. No single security control applied naively in isolation will ever be secure. But you have to admit that if you have someone with hands on your servers, capable of taking/modifying hardware, you're probably fucked.

Reply

[-]

HYRHDF3332@reddit

Agreed. I guess it depends on if they just want to check the box or actually improve their security.

Reply

[-]

eagle6705@reddit

Yea were we moved a bunch of equipment to a secure vlan. All unoccupied ports are disabled to we won't have to worry about playing musical ips. One thing they didn't realize was outside of it there are departments who manage their own servers and require the hosts. We are toying with the idea of wireguard and its ability to restrict clients by ip.

Reply

[-]

TyphoidJaneDoeMary@reddit

That's often how it's done.

Reply

[-]

1z1z2x2x3c3c4v4v@reddit

> unplug that computer, Physical access to anything always allows a system to be defeated. That's why equipment like this needs to be in a secured area.

Reply

[-]

RCTID1975@reddit

> Physical access to anything always allows a system to be defeated. Not always, no

Reply

[-]

INSPECTOR99@reddit

Are you saying all the MFA processes are IGNORING the MAC address of the "jump box" ??? YES, I KNOW, mac address can be spoofed, but I mean we are talking about an established hard wired, locked down MGT ONLY Jump box air gapped and physically secured from the rest of the general LAN network, that is not likely to be available to general public traffic so not very likely to be susceptible to MAC spoofing. As a netsec noob please ELIA5. .

Reply

[-]

eagle6705@reddit

Ahh similar to our bastion hosts to gain access to hardware management like ilo and idrac

Reply

[-]

JwCS8pjrh3QBWfL@reddit

Yes, a bastion host is just another name for a jump box.

Reply

[-]

EnusTAnyBOLuBeST@reddit

Haha, yep. And all you have to do is take a screenshot of a Duo login and they’ll believe you applied it right. It’s wild.

Reply

[-]

TrainsDontHunt@reddit

Connect with public key, from encrypted disk, maybe some port knocking that another computer can't know.

Reply

[-]

Skylis@reddit

You solve this via cert auth.

Reply

[-]

Cremepiez@reddit

Speaking to the whole thing being theater, an MDM solution we bought into pretty much called it when they couldn’t find a solution to a problem we were looking for a workaround for. They pretty much left it with, well you can continue to do things they way you were, but just having bought in to our service will satisfy *blank* insurance company’s requirement. What a joke

Reply

[-]

kckings4906@reddit

Also referred to as PAW's or Priviledged Access Workstations. Lot's of documents on the web for setting these up.

Reply

[-]

Skylis@reddit

Identity aware proxy.

Reply

[-]

CeeMX@reddit

Bastion hosts

Reply

[-]

redvelvet92@reddit

Or you can save a ton of money by not using DUO and using Cloud Native solutions......

Reply

[-]

RCTID1975@reddit

First, Duo offers free accounts up to 10 users. Since we're only protecting admin accounts here, that covers the majority of people that would even be concerned with the costs. Second, what cloud native solutions are available (and free/cheaper) to protect local and RDP admin accounts?

Reply

[-]

redvelvet92@reddit

Considering DUO just checks a box on an audit report, vs actually solving the authentication problem. IE you can access everything apart from RDP without MFA. Hello for business is an excellent alternative. For an Admin Jumpbox scenario, Azure Virtual Desktop which can be steered by conditional access. Very inexpensive secure jump box solution, however this requires some networking expertise and Azure environment which I know is out of the realm of most admins on here.

Reply

[-]

Cormacolinde@reddit

You can do that with Azure AD MFA too. RDG for jumppoints, NPS + Azure AD MFA plugin for RADIUS.

Reply

[-]

RCTID1975@reddit

How do you configure that to protect local admin login and RDP?

Reply

[-]

Cormacolinde@reddit

Firewall rules to block RDP access outside of the jumppoint, console access similarly limited from jumppoint only. GPO to block local login for admins on other systems.

Reply

[-]

RCTID1975@reddit

> GPO to block local login for admins on other systems. Software installation/removal still needs admin access, which needs MFA. Even viewer still needs admin access which needs MFA. Task manager, etc etc etc No one should be logging into an endpoint with admin creds, but it's certainly needed to manage machines

Reply

[-]

Cormacolinde@reddit

Ah right, I’d missed the initial requirement for local admins. You can use WHfB, but third-party solutions can be good solutions for that requirement.

Reply

[-]

infeliciter@reddit

Duo can do it, but it may be a bit expensive.

Reply

[-]

RCTID1975@reddit

Cheaper/same ballpark as every other solution I priced years ago. On top of that, Duo offers up to 10 free accounts, and since this is only protecting admin accounts, that's plenty for a small team.

Reply

[-]

MrSanford@reddit

They're built in Radius server is super simple as well.

Reply

[-]

MadJax_tv@reddit

I second this, DUO can and will be able to facilitate many of them.

Reply

[-]

Comfor544@reddit

The mindless hordes of Duo zombies that come rolling in chanting the We use Duo and it works great mantra.

Reply

[-]

MadJax_tv@reddit

Alright, what is your alternative ?

Reply

[-]

RoosterClaw22@reddit

I've had a lot of success with Microsoft's MFA with free azure AD. We sync up on-prem with azure and pass authentication between both with a force MFA requirement. MFA requirement not MFA condition. There's a difference. One cost money. The other one takes a little reading to get done.

Reply

[-]

MrJacks0n@reddit

Do you have any links on this? It sounds like something I may be able to use.

Reply

[-]

RoosterClaw22@reddit

I tried to find something comprehensive but couldn't. I think MS charges you for the convenience of not having to read white papers yourself. A single check box on azure is the equivalent of 3 VMs you had to bring up yourself. Azure AD has a free option. You'll only be able to sync up AD objects, but that's all you need. Everything else can stay on-prem. You will need to bring up a wap, ADFS, & AD connect server. With HA your looking at about 6 servers Good luck with your project.

Reply

[-]

MrJacks0n@reddit

*See's ADFS and runs for the hills* I thought they were deprecating that, at least as far as a recommended configuration.

Reply

[-]

RoosterClaw22@reddit

Ain't that the truth. Dude, I really dislike working with ADFS. It's like azure Enterprise application beta. I don't think they're going to get rid of it anytime soon. Like removing a tick from inside a Gator's mouth. It's pretty hard Ingrained.

Reply

[-]

MrJacks0n@reddit

I set it up years ago, what a pain to maintain. And it was the first place I checked when people had issues. Not going there again.

Reply

[-]

PowerShellGenius@reddit

We are talking about On-Premise Active Directory admins. Most shops can't just rip that out, and everything integrated with it, and switch to joining PCs directly to Azure AD and throw out all the servers. Most have too many things integrated to it. There is also the control aspect - sure, most of us have email in O365 already, but we can sync AD to Google Workspace or another solution in short order. Putting your entire identity platform in the cloud takes away any realistic chance that you can lift and shift to a competitor for all your cloud elements within the price change notice period. And once enough people do that, MS can set any price they want at least for awhile (like Broadcom is planning for VMware...)

Reply

[-]

altodor@reddit

> Most shops can't just rip that out, and everything integrated with it, and switch to joining PCs directly to Azure AD and throw out all the servers. You can probably do the PCs directly to Azure AD piece, unless you're reliant on a computer object in local AD. They have Kerberos Hybrid Cloud Trust and that eliminates the need for AD binds just to get Kerberos.

Reply

[-]

PowerShellGenius@reddit

But someone still needs to be a domain admin on-premise. You can't just let yourself be locked out of AD when something goes wrong with AAD sync or you need to troubleshoot a DNS issue that is breaking internet access.

Reply

[-]

altodor@reddit

I'm not sure how that's related to anything I said. Binding PCs to Azure means I don't need or use on-prem accounts for authentication for those. If I could use the same thing for servers, I wouldn't need AD anymore because I could offload identity entirely to AAD. Worst case we'd also need LAPS to provide break-glass accounts, but that's going to be Windows native here in a few patch cycles.

Reply

[-]

PowerShellGenius@reddit

And how do you retrieve the LAPS passwords? As a domain admin!

Reply

[-]

altodor@reddit

Retrieve them from AAD. I'm talking about not having AD in any way, shape or form. Not for account management, not for server management, not for Kerberos. Take the DCs and shoot them, blow them up, or delete the VHD/VMDK they run from.

Reply

[-]

PowerShellGenius@reddit

One thing AAD will *never* support, however, is actually keeping your company running (*even* in an "unsupported"/EoL status) in between the time Microsoft finally rises above your boss's price range, and the time it takes you to get a non-Microsoft solution in place. EoL is bad. Deactivated is worse. Subscriptions are a trap.

Reply

[-]

altodor@reddit

That doesn't sound like a technical problem, that sounds like a personal gripe that _you_ have with subscription services.

Reply

[-]

PowerShellGenius@reddit

Also, ownership may be a factor. With AD, you own your identities and identity provider for the long term. Most of us probably sync those identities to Azure AD to use Office 365 for e-mail - that's not the same as being all-in on Azure AD. Everyone (including Microsoft) knows AD is just LDAP and can just as easily be synced to Office 365, Google Workspace or anything else. It's understood there is a ceiling somewhere on Office 365's price increase potential, at which we simply leave, and take our user accounts with us smoothly.

Reply

[-]

RoosterClaw22@reddit

Please read through AZ 900 and AZ 104 training. I'm able to do those things at no cost in a large enterprise environment. We have other services but those two we do not pay for. Methods, the OP was looking into are paid cloud services. I offered a free method. Sorry to break this to you but like the airplane won over the zeppelin, the cloud has won over identity.

Reply

[-]

Golden-trichomes@reddit

You even said in your original response you sync ad to azure and it covers both…

Reply

[-]

RoosterClaw22@reddit

Correct. We have a hybrid environment and sync only one way. If there's a better service out there we will transition to that as well since everything important is still on prem. I'm an IT generalist & not married to any piece of technology. Sure there's other services but they cost money. With azure, you have the luxury of it already being integrated into your enterprise systems. You just don't know it yet.

Reply

[-]

thortgot@reddit

I think you misunderstand the requirements, they are looking for a solution that does local MFA prompting on login. No solution I'm aware of that currently exists that integrates Microsoft MFA in that way. They pitch Windows Hello for Business and call it MFA. It's not awful security but it certainly isn't the equivalent to a FIDO2 solution.

Reply

[-]

RoosterClaw22@reddit

I have a couple of native solutions. Biometrics logins. Deployed with group policies but you'll need to purchase fingerprint readers for all laptops. About $30 each CAC login, factoring in th up front cost. You might as well buy MS. Azure P2 subscriptions. MS ADFS integrated with azure AD. More of a hybrid solution but best of both worlds. I'd go with biometrics as the easiest solution. But going hybrid would definitely give you scalability.

Reply

[-]

thortgot@reddit

Biometrics should be used for identity, not credentialing. You can't change a biometric and you leave them everywhere. They are fine for low security environments but not properly secure. An Azure P2 doesn't solve local MFA using their native Authenticator FIDO2 solution. Which is what I actually want. ADFS doesn't handle local logins? I'm not sure what you are referencing here.

Reply

[-]

RoosterClaw22@reddit

I don't know what to tell you. There is no free lunch. Biometrics is an MFA factor. That leaves CAC as your only native option and that's a lot of up front cost. Like a lot. Unless your government or protecting money I wouldn't go with that option. MS. Sunseted their MFA on prem solution a few years back. I offered P2 as a solution because the questions led me to believe My audience isn't as seasoned in solutions as I am. P2 offers many checkbox solutions so you don't have to think about how to implement something. You just check the box.

Reply

[-]

thortgot@reddit

When I say "local MFA" what I and the OP are referencing is not a locally hosted MFA server (what was EOLd) but MFA on local login into Windows. Azure AD P2 doesn't solve any local login problem for Azure AD devices or AD Hybrid. I don't know why you think that it does. Microsoft pushes Windows Hello for Business which is Device + PIN or Device + Biometric or Kerberos + smart card for it's MFA options. Smart Card is fine but cumbersome to do for all users. It works for admins but users will loose the devices too often. The frustrating issue is that they have a perfectly good FIDO2 compliant authenticator used for all their cloud activities, fully integrated into their auth stack. All they need to do is connect the Windows login screen to it.

Reply

[-]

RoosterClaw22@reddit

Local login and active directory are oxymorons. What about Making the applications MFA compliant? That might mean you're back to a hybrid solution, but you'll get that MFA screen.

Reply

[-]

thortgot@reddit

Local login being an interactive login into Windows. Obviously not a local Windows credential. MFAing only the applications is not the goal. It is to MFA on credential into all devices, including admin elevation to UAC. The current solution for this is Duo or other third party toolchains.

Reply

[-]

RoosterClaw22@reddit

MFA into a VDI environment. Btw, azure bastion is a great product for that, but unfortunately you would need to go to the cloud or hybrid. Are you sure you don't want to go into the cloud or hybrid? I mean all the solutions are kind of leaning that way. Does the customer know about the cloud? It sounds like they already met the security requirements and are trying to invent their own product.

Reply

[-]

thortgot@reddit

Of course I use the cloud. \~90%+ of organizations are on O365. VDI behind MFA is not a replacement for endpoint MFA for cyber security purposes unless you are putting 100% of your corporate data behind that. It's a good solution I've used for very specific companies that have intellectual property concerns. Using the cloud doesn't solve the endpoint issue. You have to be either AAD or hybrid to have Azure MFA to even be an option but it doesn't secure the physical endpoint. That's where you need Duo, smart cards or biometrics to be MFA compliant for cyber insurance.

Reply

[-]

RoosterClaw22@reddit

Well, I was asking if your customer has heard of the cloud because they describe a cloud solution. IA does have considerations for cost. If something's too expensive, IA allows for a substitution. Sounds like you have several solutions to choose from.

Reply

[-]

Golden-trichomes@reddit

You even said in your original response that you sync AD up to azure and it covers both…

Reply

[-]

disclosure5@reddit

>I am currently in the process of talking to Duo about a possible solution, they claim they can pretty much MFA up any application Interesting position given DUO does nothing for the average AD domain. It won't protect "Enter-PSSession", it won't stop psexec, it won't stop people opening C$ shares with just a password.

Reply

[-]

jacobjkeyes@reddit

I'm just going to pre-empt the mindless hordes of Duo zombies that come rolling in chanting the "We use Duo and it works great" mantra. Yes, Duo works great for securing console login and (maybe) RDP. But you know what it doesn't secure? -WinRM -PSEXEC -MMC Snap ins -Powershell remoting -(to my knowledge) SMB access to $ADMIN and other shares With any of those, I could install whatever keylogger I wanted to or create/remove user accounts at will in about 10 seconds. Duo is great for certain things, but it would do just about Jack and Shit when it comes to anything beyond securing console login to a physical workstation.

Reply

[-]

RCTID1975@reddit

You're confusing the requirements here. The requirement isn't security. The requirement is checking the insurance box. As a side note, can you offer suggestions on securing those items with MFA?

Reply

[-]

PowerShellGenius@reddit

>can you offer suggestions on securing those items with MFA? Absolutely, and it's not even a subscription or a Microsoft-unsupported third party plugin to get blamed if you ever have to call MS with AD issues, either. It's called "smart cards". No, it's not a shiny new buzzword, but it's been providing reliable and secure MFA at the Kerberos protocol level (protecting literally everything) for Microsoft's biggest customers, including the feds, since before MFA was a buzzword.

Reply

[-]

lordmycal@reddit

If that’s all you need then great. But if you want the same login across LDAP/LDAPS/SAML/RADIUS it doesn’t work all that well.

Reply

[-]

PowerShellGenius@reddit

That depends. SAML can go to Azure AD, synced with Azure AD Connect. Certificate-based Authentication in Azure AD is in public preview - it's a new feature to have AAD/O365 request an HTTPS client cert, which the browser can use from a smart card, and trust the same PKI as on-prem. RADIUS itself should support it - with PEAP-TLS it can use certs, I don't see why it can't use one on a smart card. Although, nowhere near all clients that use RADIUS support this. However, if the point is cyber insurance, **this is all moot because end-users won't have smart cards** \- their on-prem AD account doesn't need MFA, only remote access (such as Office 365, and the VPN) need MFA. Azure AD MFA protects Office 365, and a SAML VPN or (via an NPS server extension) a RADIUS VPN as well. **If ADMINS are trying to use the same login across everything, your security is extremely broken.** You should not, for example, be trying to SSH to a switch with a domain admin account. Your regular user that has email and surfs the web != your network admin (RADIUS / SSH to switches) != your AD admin with smartcard only != your Office 365 Global Admin which isn't even synced from on-prem.

Reply

[-]

lordmycal@reddit

My latest set of cyber insurance paperwork wanted to know if all users had MFA for logging into their desktops & email. So yes, their on-prem AD account does need MFA.

Reply

[-]

PowerShellGenius@reddit

In that case you only have a few options. In an ideal world, you'd get everything to support smart cards and replace what doesn't, as they are incredibly secure. Alternatively, you could get basically any other cyber insurance provider. Traveler's is well known to be a pain and even they don't stink that bad - their requirements are in line with what OP posted; all remote access and on-site *admin* access need MFA. Otherwise, you need to get workstations joined to Azure AD and get AD trusting kerberos tickets issued by Azure AD for SSO to on-prem resources. Accounts can still sync from on-prem AD to Azure AD, but the workstation sign in will be through Azure AD * I haven't tried this myself * Most licenses should include Azure AD Join, BUT you will lose group policy not having computers joined to on-prem AD, so you de facto need licensing for each user that includes Intune if you want any policy management at all over workstations

Reply

[-]

lordmycal@reddit

Easiest solution is something like Duo, Secret Double Octopus, etc. Unfortunately it doesn’t protect against psexec, powershell remoting, SMB shares, etc. but it does check all the insurance requirements for me.

Reply

[-]

PowerShellGenius@reddit

Do you even use those things on workstations? Couldn't you block them in the workstations' firewalls (either Windows or your endpoint security solution if it has one)?

Reply

[-]

TabooRaver@reddit

Yubikey 5's will also give you FIDO2, which is useful for SaaS web apps that support it. Something you don't get with CACs.

Reply

[-]

PowerShellGenius@reddit

Yep. And Yubico Authenticator. That lets you generate TOTP codes on the YubiKey. It's like Google Authenticator, except you can use it across multiple devices with the same YubiKey. You can generate the codes on your desktop, or you can tap your YubiKey to your phone (NFC) to generate codes there. Supports 32 accounts and the secret cannot be exported after it's installed.

Reply

[-]

Mandelvolt@reddit

I recently implemented this after testing multiple options. Smart card auth is the only sane option for mass RDP/MFA.

Reply

[-]

RaNdomMSPPro@reddit

Compliance has entered the conversation.

Reply

[-]

xxbiohazrdxx@reddit

Use a JIT/PAM tool to generate one time admin logins that get tossed when you’re done with them. The tool itself will be MFA with Azure SSO or whatever you use for identity.

Reply

[-]

RCTID1975@reddit

We were told that doesn't mean our insurance requirements. Either the device itself needs MFA, or a jumpbox.

Reply

[-]

AppIdentityGuy@reddit

I suppose someone had told you that WHfB is not valid because it’s not MFA right? Also make sure no one using the jump boxes is an admin on the jump box. Have your insurers even asked about AD Security at the ACL level?

Reply

[-]

RCTID1975@reddit

> I suppose someone had told you that WHfB is not valid because it’s not MFA right? No idea. We don't currently us WHfB > Also make sure no one using the jump boxes is an admin on the jump box. Have your insurers even asked about AD Security at the ACL level? They (apparently) don't care about those things, and I'm certain all of the agents I've spoken with have no clue what any of that means.

Reply

[-]

AppIdentityGuy@reddit

Sad but true. But you are also not allowed to argue with them that some policy they have come up with is utterly worthless

Reply

[-]

TabooRaver@reddit

>I suppose someone had told you that WHfB is not valid because it’s not MFA By default, it's not considered MFA for local login, the certificate it generates and then uses for SSO to Microsoft services however is considered 2fa. As it uses the TPM. A device can not be a factor to prove the identity of the user, when the user is authenticating to the device itself. (I haven't ever seen a company implement this properly though, I can use Microsoft Authenticator prompts to 2fa into my outlook mobile app just fine on the same phone) WHfB can be setup as 2fa (Without breaking UAC/RunAs) if you use the GPO, but leave the password credential provider enabled, and then use a solution similar to how LAPS works to set the user's password to a long and complex string that they don't know.

Reply

[-]

brkdncr@reddit

Most have no idea what they are talking about, but they make the rules.

Reply

[-]

xxbiohazrdxx@reddit

Get an insurance company that isn't incompetent.

Reply

[-]

ExcitingTabletop@reddit

Good luck with that. There's usually only a handful of any insurance companies for any specific industry. Especially regulated or potentially dangerous industries. Often it might be easier to build a new plant in a new country than find a new insurance company. I've had companies that noodled dumping in half a billion dollars to fund a new insurance company as a potential alternative to the cost increases. Idea would be to spin it up, hopefully get it profitable enough to be self-sustaining, get a locked in long term policy then sell it off hoping nothing goes bad afterwards. Yeah, literally rolling the dice on potentially losing half a billion dollars for nothing in return just so you could pay for a policy with a new insurance company was pondered as the only alternative to the existing insurance companies.

Reply

[-]

anti-osintusername@reddit

I’ll let you know when hell gets cold

Reply

[-]

Zahninator@reddit

Sometimes that isn't an option.

Reply

[-]

mexell@reddit

At $lastplace we had Thycotic Secret Server for that. Pain to set up everything, great way to lop off your legs just over the knee if you f it up, but great solution that actually protects against a lot of vectors.

Reply

[-]

kckings4906@reddit

Our check boxes specifically include PSEXEC, MMC, powershell remoting, etc... Many PAM solutions claim to be able to secure all of these items. We purchased Thycotic but are looking at BeyondTrust and CyberReason.

Reply

[-]

Nothing4You@reddit

another tool in this space is AuthLite, which intercepts the authentication process to dynamically add privileged groups to the session when a second factor (e.g. yubikey or totp authenticator) is provided. in my experience it works well with pretty much all windows auth scenarios.

Reply

[-]

PowerShellGenius@reddit

If you are buying YubiKeys anyways, Smart Cards are natively supported in AD. You just have to learn the tech and know what you are doing.

Reply

[-]

Mandelvolt@reddit

I just went through this for the same reasons as above, to meet insurance requirements. Smartcard access for RDP sessions was the biggest reason for doing this since smartcard auth is supported natively in AD. The deployment process was actually relatively painless; however, the testing and development process revealed just how many things can break this and how time consuming troubleshooting can be if anything breaks. You have to be pretty comfortable with Microsoft PKI management. Also, the Yubikey deployment guides aren't super helpful for troubleshooting if you do run into auth errors. Pretty bulletproof to set up tho once you nail down all the little details with AD policies.

Reply

[-]

HYRHDF3332@reddit

PKI is one of those things where if you don't know how it works and why, you are going to have a very hard time troubleshooting it.

Reply

[-]

Nothing4You@reddit

not as compatible in multi hop or cross platform scenarios though. e.g. i'm primarily working on a macbook, occasionally need to authenticate within a remote session to another system, etc.

Reply

[-]

Mandelvolt@reddit

I have this exact enviro working with smarcards. Can rdp from non-domain Mac to domain Win, then RDP into other Win machines from there. Smartcard redirection really is incredible. Just need correct NLA policy to allow connection before smartcard redirect is available, then you can auth at the win login screen. Obviously you'd want to protect this with VPN or network firewall rules.

Reply

[-]

Mandelvolt@reddit

I set up a Smartcard/Yubikey infra with macs RDP into windows machines. There's some minor workarounds needed with NLA, but the whole company is on smartcards now.

Reply

[-]

PowerShellGenius@reddit

Not sure about Mac clients, but I have no issues with a 2nd hop on Windows. Smart Cards are a device type to check a box for passing through, in the same section of the RDP client settings as your webcam or other commonly passed-through hardware.

Reply

[-]

Nothing4You@reddit

at least the official rdp app from ms for macos doesn't seem to support smart cards, at least i didn't see a reference in a quick look. even if that does support it though, i doubt it would be supported over smb in Finder (macos file explorer).

Reply

[-]

PowerShellGenius@reddit

>also, consider the classic case of access only via vnc-like session for vms When something on our VMware environment isn't accepting RDP for some reason, we can pass a USB device (including a smart card) through using the VMware remote console. For emergencies like that, there is also LAPS. There should be local admin passwords in LAPS, but only domain admins (protected by smart card MFA) can read the passwords and they change constantly. Grab the password from LAPS, log into the VM, figure out and fix whatever broke RDP, and tell LAPS to reset the password and you're back to no one knowing it.

Reply

[-]

Nothing4You@reddit

at least the way our vmware environment is set up there's unfortunately no way for me to pass through devices. if i need to access a vm that way the only option is a web based console. laps might be able to mitigate though.

Reply

[-]

kylejb007@reddit

Another option is Silverfort. They work by having an agent on only the domain controllers so if you can capture the who what when via ldap or radius, you can mfa things that aren’t even intended to be mfa such as Specific folders on a file share, but also psexec/psremote, run-as, etc.

Reply

[-]

jacobjkeyes@reddit

Authlite

Reply

[-]

MiniMica@reddit (OP)

Absolutely you are right. Tieing down those forms of access is also on the docket to close out. At the moment we just need to tick a box in order to get compliance

Reply

[-]

jacobjkeyes@reddit

Box checking repulses me, but I understand

Reply

[-]

MiniMica@reddit (OP)

Our AD domain security is one of the things we're pretty on top of, but obviously always room for improvement. If we had the Duo app deployed to all machines, and excluded everyone apart from a specific group of AD users to require it, do you know if a UAC would prompt for Duo?

Reply

[-]

Fallingdamage@reddit

Look a little closers at DUO, it only protects desktop access be it console or RDP. Things like PS Sessions and any RMM, default shares, etc are not protected.

Reply

[-]

zooky19@reddit

It’s configurable. Duo will prompt during UAC if you enable it during the Duo install (there’s a checkbox for this in the installer) or if you enable it after install (either by registry key or GPO policy)

Reply

[-]

MiniMica@reddit (OP)

Good to know, thank you

Reply

[-]

Fallingdamage@reddit

Yeah. After seeing that it can be bypassed by logging into Safe Mode and has no protections for terminal or RMM access to said servers aside from the regular access methods people already use, it seems more like an expensive show with no teeth.

Reply

[-]

cool-nerd@reddit

What's your best advice here? I've always wondered about this. We use Imprivata and Duo and both have the same hole :(.

Reply

[-]

fartwiffle@reddit

Proper AD tiering that almost nobody actually does. Whereby DA accounts are only for managing the Domain itself, there's maybe 5 DA accounts for a large F500, and those DA accounts can only log in to T0 Privileged Access Workstations and DCs. They're fully prevented from logging on to standard PCs and servers by policy (GPOs setting Restricted Groups and URA and/or using Kerberos Authentication Policy Silos). Those DA accounts are configured for SmartCard authentication, which is the only MFA that's actually built in to Windows and works for this purpose without being bypassed readily like Duo. And also understanding that network logins can't have MFA enforced so you need to properly segment the network and tier out the management networks so that T0 admin traffic doesn't cross streams with server admin or workstation admin traffic. And you sure as fuck wouldn't put ANY service accounts in DA or other standard/built-in high level privileged admin groups because it's also impossible to enforce MFA for service accounts and there's plenty of ways to steal their credentials, hashes, or tickets. You'd delegate exactly the least priv each service account needs, no more.

Reply

[-]

cool-nerd@reddit

Thanks for scaring the crap out of me.

Reply

[-]

RCTID1975@reddit

Insurance companies don't care about those things. Like a lot of insurance requirements, it's not really logical, but you have no choice but to comply.

Reply

[-]

hippopotosauruses@reddit

I'm in the process of rewriting my company's cyber insurance application. How would *you* recommend we ask about or underwrite to this? (this is rhetorical) See, the problem is that the average IT infrastructure? It's not very well-designed and managed. There are a lot of bad and under-equipped and under-staffed IT departments out there. There are a lot of bad MSP contracts. There are nearly infinite permutations of ways that a company's IAM alone can torpedo their security. At a certain point, we have to underwrite to things that A) know or suspect cause or strongly correlate with losses, and B) that we can actually rely on getting accurate answers for. As an industry, we're primarily focused primarily on buttoning up the perimeter, endpoint security, and backups that can actually survive a ransomware attack. PAM is on the horizon as a standard for mitigating IAM risk, but it's expensive and complicated and beyond the means (and frankly not a reasonable ask) for a lot of businesses. And even if they have it, figuring out if a business is using it right is so far down in the technical weeds that it just isn't feasible. See, for example, the litany of companies that "have" EDR, but it's half-deployed, in alert-only mode, and nobody's investigating all the alerts. I see at least one ransomware case stemming from that every week. Sure, it'd be wonderful if I could underwrite to every configuration of every part of every company's tech stack. But we can't. Nobody can. Most companies can barely manage to operate their own tech stack properly.

Reply

[-]

RaNdomMSPPro@reddit

I know it was rhetorical, but the cyber insurance applications could be vastly improved just by asking yes/no questions about one specific thing rather than bundling 2,3, or more concepts into a single question. For example, asking if the company does intrusion detection, intrusion prevention, and has anti virus - Yes or No. These are three different things, so it should be 3 different questions. I'd love to see the entire industry standardize their questions and definitions. The main problem is you have every insurance company doing their application questionnaires differently, and you have every IT environment doing IT differently. They'll never get close the way it's going.

Reply

[-]

hippopotosauruses@reddit

I think most applications already do that - at least from the major cyber insurers. But I don't think we're likely to see standardization on applications any more than we will on IT environment design. Everyone has their own data and priorities and market. There is no one-size-fits-all. Insurance brokers have recognized the problem, though, and rolled out their own applications. Just one problem: they're almost uniformly the worst applications on the market. In insurance, one of the reasons your claim can get denied is what's called a "material misrepresentation." Generally if you answer something wrong on the application, and it doesn't have any impact on your claim or how the underwriter assessed the risk, it's not a problem; your claim will still get paid. But if the answer is wrong *and* it impacts the loss, then you might get your claim denied. Brokers know this, and try to stack the deck in your favor by writing vague questions that are wide-open to interpretation, knowing that they *might* be able to get an underwriter to accept them. Of course, your average cyber insurance broker knows as much about IT and security as a kid one week into an A+ certification course, so the questions aren't just vague; they're often bordering on incoherent. Alternatively, there are a couple of broker applications that work out like a mini audit. They're hundreds of questions long, take ages to complete, and are really more about measuring your compliance with NIST or ISO 27XXX than focusing on what's actually relevant in cyber risk. Applications are tough. What we're trying to measure is, essentially, risk variation from a baseline. But there's no real independent standard of what that baseline is, and everyone's trying to figure it out.

Reply

[-]

HolyCowEveryNameIsTa@reddit

Eventually they will catch on that DUO isn't fit for securing AD after more and more claims get made and someone brings it to their attention... so one way or another you're going to be putting something else in there. Might as well do it right in the first place.

Reply

[-]

RCTID1975@reddit

I don't disagree with you, but doing it right now has limited options and higher price tags. That's not always feasible for everyone. I welcome these changes. They're forcing people to be (at least a little) more secure, and forcing business owners to open their pocketbook rather than neglect security, and then fire IT staff when they get compromised.

Reply

[-]

thortgot@reddit

Disabling PSRemoting and C$ shares has been my stance for a few years now. Great tools, I use to rely on them heavily but bad actors can make use of them too easily. You can disable the types of logins that you allow for admins at either the policy or GPO layer for your endpoints and servers. If you only have interactive logins authorized (no UAC escalation, no service account logins etc.) then Duo acts as a reasonable control.

Reply

[-]

CPAtech@reddit

Cyber insurance usually isn't concerned about those....yet. Sounds like the OP is trying to check boxes to satisfy the requirements, which Duo will absolutely do. If you're actually trying to secure those, that's a different story.

Reply

[-]

PowerShellGenius@reddit

I'm no lawyer but I would say being able to run-as a PowerShell window and remote into a DC and run Add-ADGroupMember to make yourself a domain admin, is definitely administrative access to a directory service. Smart cards are a pain to set up, but they're secure, and the feds have been trusting the same exact tech for 20 years or so. Just build a PKI and deploy YubiKeys for domain admins, and make all domain admins except one break-glass "smart card required".

Reply

[-]

sonyturbo@reddit

All of this but "Except three".

Reply

[-]

TabooRaver@reddit

>I'm no lawyer but I would say being able to run-as I agree with most of this, but DUO (and other third parties) are different in that they can add 2fa to UAC dialogs. Which windows can't do natively unless you use smart cards. With a lot of SMBs using Azure AD tenants instead of Microsoft AD Domains implementing smartcards can be difficult. Unfortunately, my company's owner decided to ditch on-prem as much as possible, and since we operate in a highly regulated industry we can't use SaaS PKI solutions. AADDS is looking to be an attractive option if we can stick to the 100/mo tier and don't have to use the 600/mo tier.

Reply

[-]

Reasonable-Canary-76@reddit

> I agree with most of this, but DUO (and other third parties) are different in that they can add 2fa to UAC dialogs Still worthless. Doesn't prevent non-interactive horizontal movement of privileged accounts. Putting UAC behind 2FA doesn't stop a hacker, it may make them giggle for 5 seconds. Thats just a silly marketing claim duo can put on a page

Reply

[-]

ciphermenial@reddit

Check out Silverfort.

Reply

[-]

PowerShellGenius@reddit

Sure, if you're a fortune 500. I deal with <200 users at a midsize company and inquired about Silverfort. I'm trying to remember if their starting price for a solution was 5 figures, or 6. They did mention they were working on a SMB offering, so maybe that's come out. I've already got my network stuff set up with Azure AD MFA Extensions on the RADIUS server, and everything Windows/AD admin set up with Smart Cards, without spending hardly anything besides YubiKey hardware for IT personnel.

Reply

[-]

menace323@reddit

For the OP, they do allow to only protect a subset of users for a lower. It’s the best solution out there I believe, but yeah $$

Reply

[-]

redstarduggan@reddit

As I understand it you can buy MFA protection for as many users as you need, but you still need to licence the platform for ALL users. Ridiculous.

Reply

[-]

ciphermenial@reddit

Yeah, the pricing is ridiculous. We are lucky because we get education pricing. It's a fantastic product with a stupid pricing model. Considering the product is built there aren't many ongoing costs for them. It's all hosted on your own hardware. I believe it's something they could sell to every IT department easily if they had sensible pricing.

Reply

[-]

PowerShellGenius@reddit

Smart Cards can do all of this! Definitely something to learn about and deploy properly - skills needed! - but the only cost is the hardware (such as YubiKey 5) as long as you already have a secure and properly licensed Windows Server (like a domain controller) to make an internal CA. Yubico has some tutorials on it. Their YubiKey 5 products are a USB FIDO2 token, PIV smart card (what you'll use for AD), and hardware-backed TOTP MFA code generator, and OpenPGP smart card all in one. You might not use the rest of the functions (at least not right now) but if you need smart cards, and don't want separate readers and literal wallet-sized cards, they are still a great idea.

Reply

[-]

TabooRaver@reddit

FIDO2 is great for a lot of SaaS offerings that support it, if you can't federate signing using SMAL/OIDC/OAuth through something like Azure SSO. And it also counts as 2fa(token+pin) for windows hello and other Microsoft logins. I prefer the convenience of their BIO key, as you can use your fingerprint instead of a PIN, but unfortunately, it doesn't support PIV.

Reply

[-]

gestun@reddit

In that case you would disable admin shares and psexec via GP. For powershell you could disable the WinRM service or run it in neutered mode on the workstations then restrict access by a jump box or vlan and/or separate accounts. And if that sounds like DUO not doing anything…..that’s because you’re right. Duo is still just providing the second factor. But they sell this crap to the C-levels as if it’s a magic bullet. We’ve know how to do this for ever. It’s just never been necessary.

Reply

[-]

TuxAndrew@reddit

Nope, but firewall configurations could easily block all of those. If auditing required it then you’d have to restrict access accordingly.

Reply

[-]

denverpilot@reddit

Will add to the pile that says Duo is pretty darn close. Downside is, this also makes them one hell of a target. Could go poorly for all of us eventually. Heh. (Okta could also do quite a bit of it, but they didn’t do things right and see where their reputation is now… not good. We dodged that bullet.)

Reply

[-]

MrJacks0n@reddit

Duo is Cisco, so hopefully they know what they're doing.

Reply

[-]

denverpilot@reddit

Judging by the number of CVEs over the years, they’re as average as anybody. Lol. If we are talking in measurable objective things. If we are talking religious beliefs, I’m out. Haha.

Reply

[-]

Phyber05@reddit

I have Duo on my 300+ endpoints. It's going to get installed on all machines to work, and ideally you want ALL users on it. You can pick and choose who gets it, but you want uniform security. Duo isn't hard to live with.

Reply

[-]

floridadem1@reddit

The way I understand DUO, when you login to a server let's say, they call your cell to verify you. Can you say how much you pay for cyber insurance?

Reply

[-]

netsysllc@reddit

esxi does not have mfa, duo cannot help with that. from my understanding companies like travelers will not accept a jump box as a solution.

Reply

[-]

MrYiff@reddit

VCenter supports ADFS and with the upcoming 8 Update 1 release next month is adding support for Okta, they just need to hurry up and provide generic SAML/OICD support. Obviously this only works for VCenter, not directly connecting to hosts themselves (which would normally be locked down).

Reply

[-]

FRALEWHALE@reddit

I was also able to add Azure AD SSO to our VCenter without issue, if you don't want to go down the Duo/Okta route.

Reply

[-]

thortgot@reddit

I've been looking to do this. I couldn't immediately find docs on this. Everything I've found is taking about using LDAPS. I'd appreciate it if you could give me a breadcrumb in the right direction.

Reply

[-]

FRALEWHALE@reddit

Sure! [Here](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/vmware-identity-service-tutorial) is the official documentation I read through and I read some unofficial guides, [4sysops](https://4sysops.com/archives/how-to-configure-vsphere-7-single-sign-on-domain/) is always solid for me. But in a sense - You need to deploy the Enterprise Application in the Azure Portal. Again assuming you use Azure AD. Search for the official Azure app for VSphere. Configure it. Download the metadata and setup the SAML info. Copy the info over to your Vsphere environment. Save, apply and test. You'll also need to make sure you setup permissions in Azure for accounts you want to access VSphere. Also make sure to have local accounts as a backup in the event services are not available. This is also probably an oversimplification but you hopefully get the gist.

Reply

[-]

thortgot@reddit

Ah I see the problem. The last fellow laid out the issue. I don't use ADFS so we don't have the option. Weird to me that they can't just support standard SAML like everything else. [Azure SSO/SAML with vSphere 7 and conditional acce... - VMware Technology Network VMTN](https://communities.vmware.com/t5/VMware-vCenter-Discussions/Azure-SSO-SAML-with-vSphere-7-and-conditional-access-to-use-MFA/m-p/2896601#M45288)

Reply

[-]

Reasonable-Canary-76@reddit

You can get DUO to work with vcenter pretty easily. If you are referring to individual hosts, SSH should be shut off already and only able to be enabled from vCenter

Reply

[-]

czl@reddit

With Internet access down how does MFA login like Duo fail? Fail Open? Fail Closed? There are non-MFA backup admin accounts? These accounts do not violate insurance rules?

Reply

[-]

Gullil@reddit

I assume you just input the passcode from the duo app? Or use my yubikey?

Reply

[-]

jmbpiano@reddit

> Fail Open? Fail Closed? Your choice. You can configure it to go either way and you can set it up differently for different services.

Reply

[-]

MiniMica@reddit (OP)

Duo has an offline mode, both the endpoint, and the mobile device worked when both were in airplane mode whilst logging into a test Windows machine I am waiting on confirmation about "break glass" admin accounts. We have these in our Azure environment per MS best practice, and we rotate the password on these weekly, hoping something like this can be viable with other admin accounts.

Reply

[-]

HolyCowEveryNameIsTa@reddit

We have a 64 character password for our break-glass admin that is stored in a sealed envelope in a physical vault and that satisfies our insurance companies requirements. We also use Netwrix to send all kinds of alerts, including an alert if that account is ever used.

Reply

[-]

DobermanCavalry@reddit

> I am waiting on confirmation about "break glass" admin accounts. We have these in our Azure environment per MS best practice, and we rotate the password on these weekly, hoping something like this can be viable with other admin accounts. We use Bitwarden to store the totp code for our break glass Azure account. Bitwarden itself is obviously behind mfa as well.

Reply

[-]

thortgot@reddit

I question the value proposition of cyber insurance these days. Policies are more expensive, requirements are through the roof and coverage is under much more scrutiny. Self insuring seems like the better bet if you reinvest the dollars into additional security and account for the reputational risk issues.

Reply

[-]

DburkeZM@reddit

We use Duo for our Admins, anytime we RDP or sign in we are prompted. Works well, easy to install remotely through management software too.

Reply

[-]

iamith@reddit

I didn't read every single comment here (so maybe I missed it), but I'm wondering why no one's mentioned Authlite yet. I'm also looking into this, and Authlite looked attractive to me since: 1) It has a perpetual license, 2) From what I can tell, it covers things like remote powershell and psexec.

Reply

[-]

canadian_sysadmin@reddit

The short answer is you would need to deploy an MFA solution that covers local logins, plus things like RADIUS. Windows does have native smart card support which is very mature and can handle this. Duo it hit and miss as it actually doesn’t support a bunch of scenarios (eg psremote). This is also an extremely steep requirement IMO. I’ve never seen an insurance company get that anal over local internal network stuff. Hell tons of companies still aren’t doing things like strong MFA (or any MFA).

Reply

[-]

PowerShellGenius@reddit

The Azure AD MFA extension for NPS server ais great for avoiding another MFA enrollment (and *another subscription*) for RADIUS. As long as users are synced from AD to O365, the MFA extension will match the local RADIUS user to their Office 365 identity and use its MFA method. You do need to be prepared to understand it at a deep level and work around some pathetic bugs if you need to return attributes based on AD group membership (as opposed to just approve/deny). Basically if you want to prompt users for any OTP (whether SMS or App based), be prepared for attributes in network policies to not be returned, and to have to run the infamous CrpUsernameStuffing script. Connection request policies still work for returning attributes regardless of in-band MFA methods, but can't be conditioned upon AD groups, only usernames. The CrpUsernameStuffing script runs in your task scheduler to keep the username condition of one or more CRPs in sync with an AD group. Clunky, but it works, and only necessary if you need different access by AD group to the same RADIUS client.

Reply

[-]

ITGuyThrow07@reddit

How does it handle the number matching that they're rolling out for Azure MFA? I don't see how you'd be able to do that at a Windows logon screen without a separate agent installation on each server/workstation.

Reply

[-]

PowerShellGenius@reddit

Smart Cards are THE native solution for MFA in Windows / AD itself. MFA extensions for RADIUS is an *additional thing* to cover a lot of things that don't support smart cards. For example, SSHing to routers/switches. Or a VPN since remote access is MFA for all, not just admin, and no one wants to buy *everyone* smart cards and deal with lost ones all the time. RADIUS has nothing to do with logging in to Windows. A registry key on the RADIUS server specifies whether it keeps approve/deny despite number matching, or falls back to asking for a 6 digit OTP from the app. If you want to keep it "out of band" you have to allow approve/deny, or use a voice call ("press # to approve"). OTP methods are fine if not returning attributes based on group membership. They are also fine even with that need, if you're comfortable with the clunky workaround Microsoft references in their docs (CrpUsernameStuffing script). Of course, since creds need to be readable to the server, you need a secure VLAN with your RADIUS server and RADIUS client, as PAP is required for OTP methods. Of course, if your RADIUS client doesn't implement the challenge-response portion of the RADIUS spec, out-of-band options are your only option. A call or Authenticator prompt appears as a mere delay, and works with any RADIUS client that can support a long-ish timeout on RADIUS requests.

Reply

[-]

Pixelgin@reddit

Well this is some deja vu. I had this exact requirement, and resolved it with the exact same software last year. DUO isn’t feeding you sales jargon, and it is possible to add MFA as long as your device supports some form of SSO/SAML. On the desktop/server side Duo Login will work (though it only secures the login or start of an RDP session, it doesn’t MFA “run as” or escalations from an already logged in session). If you have any specific question let me know. I honestly like the DUO software overall, but there are some unintuitive parts to it.

Reply

[-]

zazbar@reddit

mfa needs to be on the alarm keypad when you disarm the alarm :D

Reply

[-]

gawdarn@reddit

Check out silverfort

Reply

[-]

Soggy-Hat6442@reddit

I dealt with this last year. It was a lot of work but essentially we setup Cisco Duo on all administrative desktops, used Office 365 MFA for our Emails, and all network hardware was configured to only allow IP connections from a single administrative subnet which all devices on that subnet run Cisco Duo.

Reply

[-]

povlhp@reddit

I consider it a major bug that Microsoft does not support MFA on everything. Jump servers behind RDP gateway with MFA is one option. Personally, I really love Yubikey for certificate based signon. I don't know my 28-31 character passwords. Else we have MFA on all AAD users. We have normal accounts, admin accounts, and domain admin accounts. Roles are separated.

Reply

[-]

amarao_san@reddit

Is passphrase on SSH key counts as a second factor? 1. You have (the key) 2. You know (the passphrase)

Reply

[-]

AwesomeXav@reddit

I admin DUO for several companies (RDP remote PC's) and it's very nice in use. I can't comment on all the possible things they can MFA, but at least I can say it's not a crap company.

Reply

[-]

Reasonable-Canary-76@reddit

Duo is Cisco after all...

Reply

[-]

RigWig@reddit

Recently implemented CrewdStrike’s identity protection module to accomplish this. Has an agent that sits on each DC and looks at authentication traffic. You can get very granular on what auth methods, systems, and other fine details your put behind it. It took some work to get the rules just right, but very happy with it overall. It’s also a nice tool for auditing authentications and discovering hidden permissions. I hear good things about silverfort as well. My understanding is that both CSIDP and Silverfort are a step above duo as they can capture things like remote powershell and other remote access tools beyond rdp.

Reply

[-]

Reasonable-Canary-76@reddit

We're tempted to try this out. We have crowdstrike right now. Overall initial impressions? Hows pricing work?

Reply

[-]

Rickstamatic@reddit

Do you cover all forms of auth in your rules? I’m running a poc with this now but find it a bit tricky to get just right. Either I feel like I’m not covering everything or I cover everything but get a lot of phantom MFA requests.

Reply

[-]

ITGuyThrow07@reddit

We're using it too and there's a lot of tweaking. It misses some prompts, or sometimes prompts too much. I'm not managing it, but the people managing it have foung a way to resolve each issue, usually with policies. One great feature is that you can "link" accounts. So you can tell it to prompt your regular account's MFA if your admin account logs in. That way, you're not managing an MFA registration for every account.

Reply

[-]

K3rat@reddit

This is what we are doing for MFA on admin access. Across the network. We are actually working to move our firewalls to using a NPS for ad integrated login. Only thing left will be our network controller for L2 and Wi-Fi APs. Our plan there is to create a management only VLAN and move all our data center management interfaces there and then build a jump box to get in with MFA integrated there.

Reply

[-]

CaesarOfSalads@reddit

We've implemented a solution called Silverfort for some of these use cases, and have had really good luck with it so far.

Reply

[-]

glenharrison8@reddit

We had the exact same last year. We chose duo and think it works really well. Very easy to setup, and cheap. The proxy server for onprem switches/firewalls was working in about 10mins.

Reply

[-]

numtini@reddit

These insurance companies don't seem to really understand what they're asking. One rep told me "just use google authenticator, it's free and you can be done in five minutes." And they're painfully short on details of what they want to protect. We managed to pry out an email from our rep that the requirement is limited to servers and PCs connected to the domain network, but I know one school district with the same insurance company who's been told they need to put all their student Chromebooks under MFA and EDR (is there even EDR for Chrome OS?). We too are going with Duo. In our case, it was just the easiest fastest option as we were only given a few months to implement plus we expect to have people who'll refuse to use their phone (or more accurately want to be compensated), and they offer tokens. They also required us to upgrade our antivirus and there's all sorts of new queries and real time data that I don't have time to look at or the skill to understand in more than a remedial level. But we have an insurance policy!

Reply

[-]

MrSanford@reddit

I would also like to suggest Duo.

Reply

[-]

koalafied4-@reddit

Ours is doing the same requirements now. We are looking into Dou or Okta.

Reply

[-]

admiralpickard@reddit

Log all your administrative accounts Put all of them into a password vault that supports password rotation. Rotate passwords at least once a day. Require MFA to access password vault. Done

Reply

[-]

chesther3@reddit

We use jump boxes heavily. We're on a fairly open network (University environment, been on the Internet since before the beginning of time), so even with modern things like firewalls, MFA, and VPNs, the extra layers make sense. Air-gapping critical stuff has the advantage that if a nasty vulnerability comes out, you've got a bit more time to get it patched if nobody can reach it without going through multiple checkpoints.

Reply

[-]

THE1Tariant@reddit

I used Okta (for end user MFA) and Okta ASA (for server authorization and authentication) to cover a similar thing so that almost everything we accessed was behind Okta which we apply our authentication/authorization policies from. Maybe worth a look if you guys wanna shift but it's a lot to shift just for a small use case.

Reply

[-]

jmaitref@reddit

We just went through almost identical situation. Authlite did the trick for us painlessly.

Reply

[-]

redstarduggan@reddit

Looking at Authlite. Anything it's not doing?

Reply

[-]

jmaitref@reddit

Not really, it works very well and is simple, easy to use. There are some oddities using it with VMware and such, but works still. Biggest issue we've hit is we use Duo for most MFA, so consistency is really the down side, sometimes it's Authlite, sometimes it's duo. I wish there was a way to tell Authlite to use Duo push as the token, or to have duo in the domain controller the way authlite is. But otherwise it quickly and easily covered basically every auth by our accounts with two factor and for the right price. Very happy overall!

Reply

[-]

redstarduggan@reddit

Nice, thanks! Pretty sure we're going to go for it, just haven't set ourselves up right for it yet.

Reply

[-]

jmaitref@reddit

That's the other part I've been very happy with, it is really easy to ease into it. Convert one or two groups/applications at a time, or all at once. You can go either way!

Reply

[-]

rune87@reddit

I've had a lot of luck with Authlite and Yubikeys. That pretty much enabled me to get everything onto 2FA in one form or another.

Reply

[-]

firewantic@reddit

+1 for Authlite - works great for us

Reply

[-]

PowerShellGenius@reddit

If you can handle a AD CS PKI and you own YubiKeys, why bother with Authlite? Smart cards are natively supported and more secure. YubiKeys can act as smart cards.

Reply

[-]

rune87@reddit

Candidly...because it was the fastest approach to get implemented before facing a looming deadline by insurance to get fully implemented. Cost me $500 for Authlite and less than 2 hours of time to deploy and teach others. And moving forward when it's mandated for all users, it will be far easier on support staff. Also I have a few pieces of software that don't suppore MFA. Authlite bypasses that issue as long as they support SSO. I may eventually alter the approach in the future, but for now it works as expected.

Reply

[-]

sysad_dude@reddit

I think its all how you read it.... Technically our windows servers require you to join the vpn. in order to join the vpn, you have to MFA. So technically speaking, in order to get into our Windows Servers, you must utilize VPN.

Reply

[-]

TyphoidJaneDoeMary@reddit

Same at old job, MFA on laptop, then another MFA solution to join VPN and then RSA to reach the jumphost. That's IMO more than enough.

Reply

[-]

sysad_dude@reddit

One up us there. No MFA to get into laptop as of now

Reply

[-]

PowerShellGenius@reddit

Even if you are in the office? Our insurance specifically said both local and remote. So we found that none of the hot buzzwords in MFA would help us without shoehorning a bunch of mods into AD and (in most cases) paying either a subscription or (for Silverfort) a 5+ figure purchase regardless of SMB size. So we got our AD CS PKI ready and set up some YubiKey 5's as smart cards for domain admins. Smart cards have been providing subscription-free, native MFA to Microsoft's largest customers for decades, since before MFA was a buzzword. If it's good enough for the US military, it's good enough for me.

Reply

[-]

sysad_dude@reddit

Valid. Not when we're physically in the office on a specific network.

Reply

[-]

MonoChz@reddit

Yea, even in the office (as of recently). So the network is more secure.

Reply

[-]

bob_cramit@reddit

Yeah I just posted this same thing. That is MFA to me.

Reply

[-]

Dick_in_owl@reddit

It’s also MFA to cyber essentials as we just went through this process

Reply

[-]

martintierney101@reddit

Don’t mention the war. We were about a month out from cyber insurance renewal and our COO landed this on us as a requirement for renewal. Had most thins already MFA’d but our main issue was servers and endpoints. We already used manage engine for reporting so went with ADSelfService Plus which was free with our existing licenses at the time (started charging about 3 months ago though).

Reply

[-]

Zer0kbps_779@reddit

Ours (cfc), had similar, but fortunately it included a caveat “where supported”. Nearly all of our systems are behind an azure app proxy and we use that for mfa, but computer logon and elevation is not on their radar yet.

Reply

[-]

HTX-713@reddit

I've worked at two places that have used DUO for Linux MFA. It's pretty seamless and works just about everywhere.

Reply

[-]

geegol@reddit

Might not be the exact answer you’re looking for but I work for an MSP and we use a combination of MFA logins. We use google Authenticator, Duo, and Microsoft Authenticator. With Duo if we log into a admin account or domain admin we get a prompt to enter a MFA code after we put the password in. It’s pretty tight security. Hope this helps.

Reply

[-]

Sudsguts@reddit

Looking in the JED, look at this, could give it a demo month: [How to setup Two-Factor Authentication (2FA/MFA) in Microsoft Windows Login & RDP (miniorange.com)](https://www.miniorange.com/two-factor-authentication-(2fa)-for-windows-login-and-rdp) and lots more strange places you could ever wanna MFA into. $2.00 / month / user. If it's any good. Dang.

Reply

[-]

TriggernometryPhD@reddit

Okta + TwinGate (ZTNA) is how we did it.

Reply

[-]

NorthEntertainer1@reddit

We bought yubikeys and issued certs from a local PKI. Simple and cheap.

Reply

[-]

eagle6705@reddit

We're in the pr9cess of testing manageengine mfa.

Reply

[-]

nickname_nik@reddit

We can also hear ([https://idemeum.com](https://idemeum.com)). We provide a mobile app to protect pretty much anything with Passwordless MFA. Instead of username and password + Duo push, you scan a QR code with mobile app and protect with biometrics. We do workstations, servers, legacy apps, cloud apps, and more. Also have Cloud Radius if needed. Happy to answer any questions.

Reply

[-]

amishbill@reddit

We have a duo driven “sso” page for some internal things. I don’t know the details about how it works, but it works for a good chunk of our stuff.

Reply

[-]

HoustonBOFH@reddit

MFA is the latest magic buzzword for people who do not really understand IT, like insurance companies. And it is NOT a magic bullet... Which is why I am seeing more companies actually considering "running naked" for cyber. The prices are way up, the coverage is way down, and the requirements do little to help, but do make things more difficult. And as the competent leave, that leaves the incompetent in the pool, so it will get worse. We are in for a bad few years until things shake out.

Reply

[-]

Sudsguts@reddit

Shop around, Insurers have all kind of proposals, some tough, some weird (they don't understand IT, just money). More important is what cover you have left where any one of the proposal questions can't be filled out with a positive. You ARE being selected against. Cheers.

Reply

[-]

RCTID1975@reddit

I don't know of a single insurance company willing to write a cyber policy that doesn't require MFA for all admin accounts. In fact, I'm surprised that OP didn't have to do this at least 3 years ago.

Reply

[-]

canadian_sysadmin@reddit

Insurance companies, in my own experience, tend to only require MFA for admin accounts for anything externally accessed (which makes sense). Requiring MFA for every single internal admin login on everything. is a completely different animal. I’ve been through a lot of insurance audits, not to mention have filled out a ton of applications and questionnaires, and tbh have never seen any of them care about internal access. Maybe that’s just me but requiring MFA on everything is a pretty steep requirement for most companies.

Reply

[-]

bob_cramit@reddit

if its an internal server, you could argue that you have MFA. To access it remotely, you need to get on the vpn. Which could be locked down to domain joined machines and MS authenticator. Theres your multi factors.

Reply

[-]

canadian_sysadmin@reddit

Exactly, which is why they tend to focus on MFA when accessing resources externally. MFA from within the corp lan is much more rigorous (and orders of magnitude more difficult to implement properly). I get there’s lots of environments that need that too but I rarely see insurance asking about it.

Reply

[-]

PowerShellGenius@reddit

>and orders of magnitude more difficult to implement properly Smart cards are tricky but they aren't *that* hard. Or did you mean some shiny new buzzword that is shoehorned in to AD without Microsoft support and carries a nice new subscription, for the sole benefit of being able to use a phone instead of put a YubiKey on your keyring and have natively supported MFA at the Kerberos level?

Reply

[-]

canadian_sysadmin@reddit

I’d agree it’s not ‘that’ hard, but there’s a lot more to it than basic Azure/365 MFA. The effort required is going to be a lot higher. And to do it properly and completely and shut down workarounds will require a fair amount of effort as well. That’s more along the lines of what I was implying about it being orders of magnitude harder. Basic Azure MFA is potentially a couple simple CAPs and you’re largely done.

Reply

[-]

RCTID1975@reddit

If you're in the US, that's not at all true, and hasn't been true for years. Most major insurance companies made the shift to all admin accounts internal and external about 3-4 years ago. If you're in Canada like your name implies, that could be different.

Reply

[-]

canadian_sysadmin@reddit

I’ve almost always worked for US-based companies and have never come across this. We just went through searching for a new insurance provider and not a single one asked about local MFA. And these were all big-name US insurance companies that everyone would recognize. Not saying it doesn’t happen, but I see it and hear of it very rarely. Maybe I’m in the vast minority…

Reply

[-]

dwargo@reddit

I had a client just get one from Lloyds of London but it was incredibly expensive. I think they wrote it as a surplus lines policy.

Reply

[-]

Sudsguts@reddit

Further - it's people like us that are being compromised to use our stunning access to big org's barriers. Could be why the focus is on sysadmin access . Sure is evolving to be this here down under . .

Reply

[-]

MiniMica@reddit (OP)

Sadly that is out of my hands. A broker has done the shopping round at C suite level, and along with other parts of the business' insurance, the cyber part has been included in that.

Reply

[-]

PirateNomad@reddit

[https://www.silverfort.com/](https://www.silverfort.com/) could also help I believe.

Reply

[-]

PowerShellGenius@reddit

Multi factor authentication has been built into Active Directory for decades (at least since Windows 2000) and heavily used by their largest customer (USA feds) all that time. It's called Smart Cards. You need a physical hardware token and a PIN. If you're comfortable making a domain controller your CA, you are already licensed - if not, you'll just need a Windows Server license for your CA. And the hardware. A YubiKey 4 or 5 has a smart card built into a USB key form factor that fits on your keychain with no need for a separate reader and wallet-sized card. The YubiKey can also do other things besides be a smart card - it can store TOTP secrets securely and generate codes via the Yubico Authenticator app (USB on desktop, NFC on android). It is also a FIDO2 key so you can do chip-and-PIN on the Office365 / AzureAD side as well. Anything on the network side - router, switch, VPN - can use RADIUS. Use the Azure AD MFA extensions for the RADIUS server, and learn how it works with different methods. You can get it set up such that people can use the MFA already registered in Office 365 for anything that uses RADIUS.

Reply

[-]

staticanime@reddit

This is the way we did it, network gear uses RADIUS to auth off AD, and we tied that into Duo then for MFA to go full coverage (purely cause we had Duo before we had Azure AD)

Reply

[-]

bloodpriestt@reddit

To appease this same requirement with cyber insurance… we went with Duo.

Reply

[-]

pakrat77@reddit

We are using AAD MFA through a radius server for all of the network gear and vpn. We are evaluating Mini Orange for desktop and server admin access. It deploys on all machines and replaces the standard windows login.

Reply

[-]

TechFiend72@reddit

Just had to do this last year for Cyber insurance, f' u travelers!  DUO will handle most everything. HOWEVER, your NAS and your network gear will kick you in the tender bits. The EASIEST way to do that is to make it so you can only manage it from a few workstations that have DUO on them. That way if one is on the fritz, you are not hosed. I ran the plan by our traveler's underwriter team and they signed off. We implemented it. Has worked with zero issue for 8 months. Good luck!

Reply

[-]

Patsfan-12@reddit

This is the way

Reply

[-]

CPAtech@reddit

Travelers is tough.

Reply

[-]

WhiskeyBeforeSunset@reddit

DUO is the way, until cisco kills it anyway.

Reply

[-]

gwyden@reddit

I actually just attended an IAM conference and ran into silverfort. Very compelling product for onprem and directory enabled logins

Reply

[-]

PowerShellGenius@reddit

Does Microsoft support/condone their third party solution being shoehorned into the domain? You can't beat "totally supported, natively integrated into Kerberos, in use by Microsoft's largest customers, and no subscription". Silverfort can't touch smart cards. **Smart cards were MFA before MFA was a buzzword**, and they are still an actively developed and supported part of AD. In fact a certificate based auth option in Azure AD to SSO to Office 365 with existing on-prem PKI (smart cards) is in preview now. Smart cards are not a subscription. Smart cards don't have to be a separate reader and wallet-size card like the federal PIV / CAC system. The YubiKey 5 is a smart card among its many other functions, and that fits on your keyring and goes in a USB port.

Reply

[-]

ittek81@reddit

Double check the insurance requirements. Our MFA requirement was only Administrative logins that were on externally facing devices… Our firewall and VPN access ended up being the only logins required. Along with cloud services like O365.

Reply

[-]

qwikh1t@reddit

Interesting

Reply

[-]

bloodlorn@reddit

I would eliminate admin rights via a cyberarc or beyond trust before attempting to check this box with pure mfa

Reply

[-]

TechDiverRich@reddit

Look into silverfort. Did a poc a while back and was fairly impressed.

Reply

[-]

yesterdaysthought@reddit

It's about interpretation- put MFA on what you can with some on-prem radius like RSA or whatever. Put what doesn't have MFA support behind jump hosts with MFA where possible. Don't overthink it. If a hacker gets into your network and attacks a PC with a protocol exploit, MFA won't do jack. They'll get a kerb ticket, use a service account or SP with no MFA and that will be that.

Reply

[-]

WorstNewbEver@reddit

Duo makes your cybersecurity go down

Reply

[-]

Big_Blue_Smurf@reddit

FWIW - We used RADIUS and/or TACACS to put MFA on Cisco router logins, and I know of many infrastructure devices that supported that type of authentication/authorization. We did also something similar with linux SSH sessions, Windows RDP sessions, etc. It was long ago though, so my memory of the details is fuzzy.

Reply

[-]

MiniMica@reddit (OP)

Linux SSH and Windows login seem to be pretty much covered with native Duo support from what I've tested so far.

Reply