May 12 2021 12:27 PM
May 12 2021 12:27 PM
Hello everyone. I've run into a puzzler and I'm hoping someone can give me a tip on how to solve this. I have received a "cyber security attestation" document from a major insurance provider and must be able to say yes to all of the items on it as a baseline to receive a policy. Here's the one I'm stuck on:
multi-factor authentication is required for the following, including such access provided to 3rd party service providers:
All internal & remote admin access to directory services (active directory, LDAP, etc.).
I'm not aware of a way to set up any MFA for admin access to Active Directory itself, but I'm all ears if someone knows of a way. What I think the only viable solution would be is to set up MFA for access to any Domain Controller in the domain. In order for that to be adequate though, I then need to be able to prevent RSAT connections to Active Directory. I'm not sure if there's a way to restrict that or not, so that's where i'm currently stuck.
Can anyone point me in the direction of a solution for either preventing RSAT access or (fingers crossed) enabling MFA on AD itself?
May 29 2021 11:53 PM
Sep 16 2021 06:32 AM
@_SAube_ I found a couple of solutions. The most straightforward, and the one we opted to go with, is a company called Authlite. They provide the mechanism to protect your administrative access and the actual MFA is byo. Good luck, this is quite a journey!
Oct 06 2021 09:00 AM
I believe that my company has the same cyberSec Insurance company because we received the exact same attestation statement.
We have been scrambling a bit to find a viable solution for the requirements. Specifically the one referenced in your original post. Securing remote/internal access to ActiveDirectory and other RSAT tools.
We currently use DUO as our MFA solution, and are in the process of deploying the DUO for RDP https://duo.com/docs/rdp to protect our endpoints and servers from remote login.
I have not identified any viable solutions which integrate with DUO for remote access to the RSAT services. What were some of the solutions that you had identified and considered.
Oct 07 2021 06:54 AM
As I said here, the only option I investigated thoroughly enough to complete a POC is the one I personally chose, which is Authlite. Most people who answered this question didn't understand the difference between putting MFA on a Domain Controller at log in (not at all the requirement) vs putting MFA on administrative access to AD and all it's component tools. So since the question is frequently misunderstood, your mileage may vary on if these are viable answers or not. Here are a couple of other ones that were suggested to me, in no particular order:
Secret Double Octopus
Good Luck in your journey.
Oct 07 2021 07:00 AM
Oct 07 2021 07:01 AM
Oct 07 2021 07:03 AM
Dec 04 2021 03:48 PM - edited Dec 06 2021 03:38 PM
I would look into MFA solutions offered by DUO. Very easy to implement.
Dec 06 2021 07:17 AM
The Duo solutions do NOT protect active directory, they only protect logins to endpoints. That endpoint could be a workstation, a member server or a Domain Controller. There are a number of scenarios where that is not sufficient. If a computer somehow doesn't have Duo on it (byod or it simply got missed). RSAT. Remote Powershell.
Dec 06 2021 03:43 PM
Apr 12 2022 01:53 PM
In addition to the prior answers, you can also find information on multi-factor authentication (MFA) in the Plan your Passwordless Deployment Setup Guide, specifically go to the Combine registration section.
The Plan your Passwordless Deployment Setup Guide in the Admin Center simplifies selecting and deploying the right authentication method for IT Admins.
Note: If you don't have Microsoft 365 admin permissions, open the guide in a test or POC tenant to get instructions.