@Ian0x0r - SNURF

A blog about my adventures in IT

MFA it up a notch. Add an extra layer of security to a jump box with DUO MFA

by · 6th November 2018

Background

I have been evaluating Multi-Factor Authentication solutions recently and came across Duo on my travels. One of the things that grabbed my attention with Duo, in particular, was the free access tier for up to 10 users for personal use. Great! I have also had a niggling issue with my Ravello labs having open RDP access to Windows servers to gain access.

One of the applications that Duo can enable MFA for is RDP access although there are many more. Think about it, what is the primary access method for Windows virtual machines running in Azure or AWS? It is RDP. There is limited to no console support. All those virtual machines with open RDP access, just waiting to be taken advantage of. Adding an additional layer of security certainly is not going to hurt.

 

Sounds good, what next?

Hokay, so your interest is piqued? Cool, you need to sign up for a free account with Duo here. Sign up is a simple process, follow the steps below to create an account and get your phone set up as a soft token. I am using an iOS device for this.

Fill in your details.

Duo_RDP01

Create a password.

Duo_RDP02

Install the Duo application onto your mobile device and scan the QR code to activate.

Duo_RDP03

Add a phone number to use as a backup for verification purposes.

Duo_RDP04

At this point, you can then log into your Duo portal. You need to authenticate with your secondary authentication method. I chose push notification.

Which looks like this on the phone.

Duo_RDP06

Click to approve.

Duo_RDP07

You are now logged into the admin panel. Total time to set up, about 2 minutes.

 

You have an account, now what?

There are a few more steps required to get things working here. We need to add users to the Duo portal, enable protection for Windows RDP application type and install the Windows login agent on the desktop.

User setup

There are a few methods of adding users to Duo, they can be imported from a CSV, linked to active directory or Azure AD or created manually. For the purposes of a personal account, I will stick with manual account creation as it is really straightforward. This protection works with both local and active directory accounts. Duo can employ something called account normalisation, so an account username in the format as domain\joe.bloggs or [email protected] will display as and only check against the name joe.bloggs. A local account with the name joe.bloggs can be added manually to the Duo portal as well.

Step 1 – Add a user

Click on users in the navigation pane and then click Add User.

Duo_RDP08

Enter your Windows login name.

Duo_RDP09

Add more detail as required to the user.

Duo_RDP10

Step 2 – Attach a mobile device

Attaching a mobile device to the user account will allow you to link the new user to the Duo soft token on the phone. This will be used as the MFA method when logging into Windows.

Scroll down the new user page and click Add Phone.

Duo_RDP11

Enter the phone number. If using a mobile phone, we will have the option to send a SMS with instructions to link the phone with the user.

Duo_RDP12

Add a descriptive name for the device, change the platform type and then click Activate Duo Mobile.

Duo_RDP13

Click the Generate Duo Mobile Activation Code.

Duo_RDP14

You can customise the SMS if you wish. Instructions are sent to download the app and to then activate the app.

Duo_RDP15

Which looks like this.

Duo_RDP17

Which adds the user account into the Duo app. Note you can have multiple accounts linked to one device.

Duo_RDP18

And once that is complete we get a bit more info in the Duo portal about the device. This is useful for policy enforcement. Policies can be configured to limit by platform type, platform OS version etc.

Duo_RDP16

 

Enable RDP application protection

Choosing to protect RDP with Duo will activate a unique API hostname and integration key that will be used as part of the Duo agent for Windows installation. When you log into your machine, an authentication request will be sent to the hostname and then trigger the MFA process.

Browse to applications and choose to Protect an Application.

Duo_RDP19

Search for RDP and click protect this application.

Duo_RDP20

Make a note of the integration key, secret key and API hostname, you will need these during the Duo agent install. Click on RDP documentation link to bring up the help guide which includes a link to the Duo agent.

Duo_RDP21

Grab the agent. You can see the steps below are pretty much this blog post :). Agent link is here.

 

Install the Duo agent

Once downloaded, run the installer.

Duo_RDP24

Enter the API Hostname you made a note of earlier.

Duo_RDP25

Enter the integration key and Secret key you made a note of earlier.

Duo_RDP26

Tick or untick as necessary. I enabled authentication for RDP only. I still have console access to this VM which I do not require MFA for.

Duo_RDP27

Install.

Duo_RDP28

Done.

Duo_RDP29

Log out of the machine and log back in again.

 

Testing

Log back into the machine again and after initial username and password check you should see the following on the screen. It has automatically sent a push notification to the phone device we configured earlier.

Duo_RDP30

Which looks like this on the phone.

Duo_RDP31

Login request for snurfadmin account for Microsoft RDP.

Duo_RDP32

And that’s it! An extra layer of security to help protect you against unwanted access to your environment.

Gotchas

Time sync has to be correct on the machine that you are connecting to with the Duo agent installed. If it is out, you can not log into the machine.

 

Further reading

Take a look at the policies available. There is some really cool stuff in there, some of which I have mentioned already. there are other things like lock down by location, device type, user groups etc.

Duo_RDP22

 

Ian

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.