MFA it up a notch. Add an extra layer of security to a jump box with DUO MFA
Background
I have been evaluating Multi-Factor Authentication solutions recently and came across Duo on my travels. One of the things that grabbed my attention with Duo, in particular, was the free access tier for up to 10 users for personal use. Great! I have also had a niggling issue with my Ravello labs having open RDP access to Windows servers to gain access.
One of the applications that Duo can enable MFA for is RDP access although there are many more. Think about it, what is the primary access method for Windows virtual machines running in Azure or AWS? It is RDP. There is limited to no console support. All those virtual machines with open RDP access, just waiting to be taken advantage of. Adding an additional layer of security certainly is not going to hurt.
Sounds good, what next?
Hokay, so your interest is piqued? Cool, you need to sign up for a free account with Duo here. Sign up is a simple process, follow the steps below to create an account and get your phone set up as a soft token. I am using an iOS device for this.
Fill in your details.
Create a password.
Install the Duo application onto your mobile device and scan the QR code to activate.
Add a phone number to use as a backup for verification purposes.
At this point, you can then log into your Duo portal. You need to authenticate with your secondary authentication method. I chose push notification.
Which looks like this on the phone.
Click to approve.
You are now logged into the admin panel. Total time to set up, about 2 minutes.
You have an account, now what?
There are a few more steps required to get things working here. We need to add users to the Duo portal, enable protection for Windows RDP application type and install the Windows login agent on the desktop.
User setup
There are a few methods of adding users to Duo, they can be imported from a CSV, linked to active directory or Azure AD or created manually. For the purposes of a personal account, I will stick with manual account creation as it is really straightforward. This protection works with both local and active directory accounts. Duo can employ something called account normalisation, so an account username in the format as domain\joe.bloggs or [email protected] will display as and only check against the name joe.bloggs. A local account with the name joe.bloggs can be added manually to the Duo portal as well.
Step 1 – Add a user
Click on users in the navigation pane and then click Add User.
Enter your Windows login name.
Add more detail as required to the user.
Step 2 – Attach a mobile device
Attaching a mobile device to the user account will allow you to link the new user to the Duo soft token on the phone. This will be used as the MFA method when logging into Windows.
Scroll down the new user page and click Add Phone.
Enter the phone number. If using a mobile phone, we will have the option to send a SMS with instructions to link the phone with the user.
Add a descriptive name for the device, change the platform type and then click Activate Duo Mobile.
Click the Generate Duo Mobile Activation Code.
You can customise the SMS if you wish. Instructions are sent to download the app and to then activate the app.
Which looks like this.
Which adds the user account into the Duo app. Note you can have multiple accounts linked to one device.
And once that is complete we get a bit more info in the Duo portal about the device. This is useful for policy enforcement. Policies can be configured to limit by platform type, platform OS version etc.
Enable RDP application protection
Choosing to protect RDP with Duo will activate a unique API hostname and integration key that will be used as part of the Duo agent for Windows installation. When you log into your machine, an authentication request will be sent to the hostname and then trigger the MFA process.
Browse to applications and choose to Protect an Application.
Search for RDP and click protect this application.
Make a note of the integration key, secret key and API hostname, you will need these during the Duo agent install. Click on RDP documentation link to bring up the help guide which includes a link to the Duo agent.
Grab the agent. You can see the steps below are pretty much this blog post :). Agent link is here.
Install the Duo agent
Once downloaded, run the installer.
Enter the API Hostname you made a note of earlier.
Enter the integration key and Secret key you made a note of earlier.
Tick or untick as necessary. I enabled authentication for RDP only. I still have console access to this VM which I do not require MFA for.
Install.
Done.
Log out of the machine and log back in again.
Testing
Log back into the machine again and after initial username and password check you should see the following on the screen. It has automatically sent a push notification to the phone device we configured earlier.
Which looks like this on the phone.
Login request for snurfadmin account for Microsoft RDP.
And that’s it! An extra layer of security to help protect you against unwanted access to your environment.
Gotchas
Time sync has to be correct on the machine that you are connecting to with the Duo agent installed. If it is out, you can not log into the machine.
Further reading
Take a look at the policies available. There is some really cool stuff in there, some of which I have mentioned already. there are other things like lock down by location, device type, user groups etc.
Ian