Forum Discussion

JHanson1821
Copper Contributor
May 12, 2021

Enabling MFA on admin level access to On premise AD

Hello everyone. I've run into a puzzler and I'm hoping someone can give me a tip on how to solve this. I have received a "cyber security attestation" document from a major insurance provider and must be able to say yes to all of the items on it as a baseline to receive a policy. Here's the one I'm stuck on:


Multi-factor authentication is required for the following, including such access provided to 3rd party service providers:
All internal & remote admin access to directory services (Active Directory, LDAP, etc.).


I'm not aware of a way to set up any MFA for admin access to Active Directory itself, but I'm all ears if someone knows of a way. What I think the only viable solution would be is to set up MFA for access to any Domain Controller in the domain. In order for that to be adequate though, I then need to be able to prevent RSAT connections to Active Directory. I'm not sure if there's a way to restrict that or not, so that's where I'm currently stuck.


Can anyone point me in the direction of a solution for either preventing RSAT access or (fingers crossed) enabling MFA on AD itself?


Thanks,

Joel

  •
    SamLourie
    Copper Contributor

    I would look into MFA solutions offered by DUO. Very easy to implement.

    •
      JHanson1821
      Copper Contributor

      SamLourie 

      The Duo solutions do NOT protect Active Directory, they only protect logins to endpoints. That endpoint could be a workstation, a member server or a Domain Controller. There are a number of scenarios where that is not sufficient: if a computer somehow doesn't have Duo on it (BYOD, or it simply got missed); RSAT; remote PowerShell.
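The gap described above (an MFA prompt at the endpoint login never sees RSAT or remote PowerShell, which reach the Domain Controller as network logons) can be measured from the DC's own Security log. The script below is an added example, not code from this thread, from Duo or from any vendor named here; it assumes hypothetical account and host names and uses a handful of constructed 4624 records in place of a real log export. It lists the privileged logons to Domain Controllers that arrived over a logon type a console/RDP MFA prompt does not intercept.

```python
# Added example: find privileged logons to a Domain Controller that bypassed an
# endpoint (console/RDP) MFA prompt. Assumes constructed event data, not a real
# log; account and host names are hypothetical.
from collections import Counter

# Windows Security event 4624 logon types (documented values).
LOGON_TYPE_NAMES = {
    2: "Interactive",          # console logon
    3: "Network",              # LDAP/RPC/SMB/WinRM: RSAT and remote PowerShell land here
    5: "Service",
    7: "Unlock",
    10: "RemoteInteractive",   # RDP
    11: "CachedInteractive",
}

# ASSUMPTION: a credential-provider MFA product prompts only at console or RDP
# logons; every other logon type reaches the DC unchallenged.
MFA_COVERED_TYPES = {2, 10, 11}

# Constructed inventory of what counts as "admin access to directory services"
# for the attestation (hypothetical names).
PRIVILEGED_ACCOUNTS = {"CORP\\jhanson.adm", "CORP\\svc-backup", "CORP\\dave.adm"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed 4624 records; keys follow the event's XML data field names.
SAMPLE_EVENTS = [
    {"Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "jhanson.adm",
     "LogonType": 10, "IpAddress": "10.0.5.21", "WorkstationName": "WS-IT-05"},
    {"Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "jhanson.adm",
     "LogonType": 3, "IpAddress": "10.0.5.21", "WorkstationName": "WS-IT-05"},
    {"Computer": "DC01", "TargetDomainName": "CORP", "TargetUserName": "bob",
     "LogonType": 3, "IpAddress": "10.0.7.88", "WorkstationName": "WS-SALES-12"},
    {"Computer": "DC02", "TargetDomainName": "CORP", "TargetUserName": "dave.adm",
     "LogonType": 3, "IpAddress": "10.0.5.30", "WorkstationName": "LAPTOP-BYOD"},
    {"Computer": "FS01", "TargetDomainName": "CORP", "TargetUserName": "dave.adm",
     "LogonType": 3, "IpAddress": "10.0.5.30", "WorkstationName": "LAPTOP-BYOD"},
    {"Computer": "DC02", "TargetDomainName": "CORP", "TargetUserName": "svc-backup",
     "LogonType": 5, "IpAddress": "-", "WorkstationName": "DC02"},
]


def account_of(event):
    """DOMAIN\\user form of the logged-on account."""
    return f"{event['TargetDomainName']}\\{event['TargetUserName']}"


def uncovered_privileged_logons(events, privileged=PRIVILEGED_ACCOUNTS,
                                dcs=DOMAIN_CONTROLLERS, covered=MFA_COVERED_TYPES):
    """Return the 4624 records that are (a) on a DC, (b) for a privileged
    account and (c) of a logon type the endpoint MFA prompt never sees."""
    return [e for e in events
            if e["Computer"] in dcs
            and account_of(e) in privileged
            and e["LogonType"] not in covered]


def summarize(findings):
    """Count uncovered logons per (account, source host, logon type name)."""
    return Counter((account_of(e), e["WorkstationName"],
                    LOGON_TYPE_NAMES.get(e["LogonType"], str(e["LogonType"])))
                   for e in findings)


if __name__ == "__main__":
    hits = uncovered_privileged_logons(SAMPLE_EVENTS)
    for (acct, src, kind), n in sorted(summarize(hits).items()):
        print(f"{acct:<20} from {src:<14} via {kind:<10} x{n}")
```

On the constructed data the RDP logon by jhanson.adm is treated as covered, while the same account's network logon from the same workstation (what an ADUC or remote PowerShell session looks like on the DC), the BYOD laptop's network logon, and the service logon by a privileged service account are all reported. Feeding a real export instead of SAMPLE_EVENTS gives a list of exactly the sessions the attestation item asks about.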


      •
        SamLourie
        Copper Contributor
        That's a shame I was NOT helpful, Joel. Hopefully you do NOT run into any further roadblocks. As I canNOT be of any further assistance I shall NOT reply any further. All the best on your quest, buddy!
    •
      JHanson1821
      Copper Contributor
      Dabona, I glanced over the outline of your post and that's a lot to take in, in a good way. Thank you for the info. I am going to take the time to read through all the concepts you have, as well as how you have them strung together. I anticipate being a better sysadmin afterwards!
      •
        Dabona
        Microsoft
        Thanks JHanson, please test if you have time and let me know your feedback... I am trying to find people who can test my POC 🙂 !!
  •
    DaveSysAdmin83
    Copper Contributor

    JHanson1821 

    I believe that my company has the same cybersecurity insurance company because we received the exact same attestation statement.

    We have been scrambling a bit to find a viable solution for the requirements, specifically the one referenced in your original post: securing remote/internal access to Active Directory and other RSAT tools.

    We currently use DUO as our MFA solution, and are in the process of deploying the DUO for RDP https://duo.com/docs/rdp to protect our endpoints and servers from remote login. 


    I have not identified any viable solutions which integrate with DUO for remote access to the RSAT services. What were some of the solutions that you had identified and considered?

    •
      JHanson1821
      Copper Contributor

      DaveSysAdmin83 

      As I said here, the only option I investigated thoroughly enough to complete a POC is the one I personally chose, which is Authlite. Most people who answered this question didn't understand the difference between putting MFA on a Domain Controller at login (not at all the requirement) vs. putting MFA on administrative access to AD and all its component tools. So since the question is frequently misunderstood, your mileage may vary on whether these are viable answers or not. Here are a couple of other ones that were suggested to me, in no particular order:

      isdecisions UserLock

      Secret Double Octopus

      WiKID


      Good Luck in your journey.

    •
      JHanson1821
      Copper Contributor

      _SAube_ I found a couple of solutions. The most straightforward, and the one we opted to go with, is a company called Authlite. They provide the mechanism to protect your administrative access and the actual MFA is BYO. Good luck, this is quite a journey!
