MFA on domain controllers

Posted by CaptainObviousII@reddit | sysadmin | View on Reddit | 25 comments

I am considering implementing MFA on our domain controllers. My worry is what will happen if that authentication service becomes unavailable and we get locked out of the DC. What is the best way to prevent that from happening or creating a contingency? The worry about a contingency obviously is that it creates a workaround for the MFA at the same time. I don't love the "trust us, that won't happen 99% of the time". Thank you for your feedback.

Reply to Post

25 Comments

[-]

d0nkey_0die@reddit

You need to have a contingency plan which includes break glass accounts that are monitored for any flicker of movement. These would be excluded from MFA so that it doesn't become a problem.

[-]

Academic_Ad1931@reddit

SIEM setup (Wazuh) with alerts for any logins from x account. If anything comes from that account, scramble.

[-]

J_de_Silentio@reddit

One step further: automate actions if someone logs in with that account.

[-]

Cooleb09@reddit

Annnd this is how the young soc engineer gets the breakglass account locked in an actual DR scenario.

[-]

jeezarchristron@reddit

This is the way to go

[-]

J_de_Silentio@reddit

If someone can login to your domain controller, they can open ADUC and do whatever they want anyway. I'm not saying don't MFA your DC, but MFA for interactive logins doesn't stop a bad actor that already has your domain admin account.

[-]

deverhart33@reddit

We use DUO and there is an offline feature

[-]

CaptainObviousII@reddit (OP)

How does the offline feature work?

[-]

GotBeaverFever@reddit

Don't know DUO's version but with the one we use (FortiAuthenticator), it does require a more recent online login for the user you're trying to log in with while offline. For example, if you allow 2 days offline but it's been 3 days since you've logged in while online, then the offline tokens won't work because they're all expired as of day 2. One nice thing is it tells the user how long until the offline tokens expire on the login page. So, if you use an offline feature, be sure to think about how long you want to allow. For us, we did a couple weeks since some of our laptop users may not use them frequently enough. I did test our solution and it still requires the token within the appropriate timeframe (i.e. the token is still only valid for the 60s it would have been while online).

[-]

deverhart33@reddit

You set it up in the app and then if the device isn’t connected to the internet you select the device you want within the app and it will generate a passcode for you to use. I have used it during internet outages without issue.

[-]

iwoketoanightmare@reddit

I use Duo on mine, but it only functions for remote logins. The break glass is physical access via the rack KVM terminal. As this is behind two locked doors. So anyone accessing it still needs a password and physical access.

[-]

maximillianx@reddit

Do you not have it configured for local logins on purpose? Just curious why you wouldn't go with that solution too.

[-]

iwoketoanightmare@reddit

Physical access is already the second factor..

[-]

Cormacolinde@reddit

Yes, physical access should require a key, keycard or something similar.

[-]

maximillianx@reddit

Yep, physical access isn't a form of MFA, unless he's employing some form of biometric...

[-]

Acehigh87@reddit

Cyberark

[-]

TruthExposed@reddit

Bingo! [CyberArk PAM](https://www.cyberark.com/products/privileged-access-manager/#manage)

[-]

xxdcmast@reddit

Break glass or fail open configuration. Also what benefit do you see by implementing mfa on the DCs? It will only support interactive logon, and likely wouldnt offer any kind of protection from PS, PTH or other malicious scenarios. Basically making your admins lives more difficult and not adding anything to limit bad actors.

[-]

maximillianx@reddit

It helps reduce the chance of a compromised account logging into the server. An MFA provider like DUO supports RDP, so perhaps this is what OP is going for. You're right about PS, PTH. This is only to (hopefully) augment the other layers that OP's org has in place.

[-]

vane1978@reddit

Are using MFA to prevent malicious actors to RDP to your domain controllers?

[-]

RCTID1975@reddit

For those mentioning break glass accounts, It's important to confirm that this meets any insurance requirements. Likely, it won't. Generally speaking, ALL admin accounts need to be protected with MFA. Likewise, failopen won't meet the requirements. Nor is that the best option as it's trivial to unplug a NIC if you have physical access, or to remove a vNIC if you have access to the host. What you need here is offline MFA. This will allow users to enroll and use an offline generated code.

[-]

MFA on domain controllers

Reply to Post

25 Comments

d0nkey_0die@reddit

Academic_Ad1931@reddit

J_de_Silentio@reddit

Cooleb09@reddit

jeezarchristron@reddit

J_de_Silentio@reddit

deverhart33@reddit

CaptainObviousII@reddit (OP)

GotBeaverFever@reddit

deverhart33@reddit

iwoketoanightmare@reddit

maximillianx@reddit

iwoketoanightmare@reddit

Cormacolinde@reddit

maximillianx@reddit

Acehigh87@reddit

TruthExposed@reddit

xxdcmast@reddit

maximillianx@reddit

vane1978@reddit

RCTID1975@reddit

Recalcitrant-wino@reddit

RCTID1975@reddit

jamesaepp@reddit

itspie@reddit