Enabling MFA on admin level access to On premise AD


Hello everyone. I've run into a puzzler and I'm hoping someone can give me a tip on how to solve this. I have received a "cyber security attestation" document from a major insurance provider and must be able to say yes to all of the items on it as a baseline to receive a policy. Here's the one I'm stuck on:

 

multi-factor authentication is required for the following, including such access provided to 3rd party service providers:
All internal & remote admin access to directory services (active directory, LDAP, etc.).

 

I'm not aware of a way to set up any MFA for admin access to Active Directory itself, but I'm all ears if someone knows of a way. What I think the only viable solution would be is to set up MFA for access to any Domain Controller in the domain. In order for that to be adequate though, I then need to be able to prevent RSAT connections to Active Directory. I'm not sure if there's a way to restrict that or not, so that's where I'm currently stuck.

 

Can anyone point me in the direction of a solution for either preventing RSAT access or (fingers crossed) enabling MFA on AD itself?

 

Thanks,

Joel

13 Replies
Windows Hello for Business is considered by Microsoft to be a multi-factor solution. There is a certificate on the device (something you have) and then you typically sign in with a PIN (something you know) or a biometric (something you are). I highly recommend that you check out this article: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompte...

@JHanson1821 

 

Same situation here, have you found a solution?

@_SAube_ I found a couple of solutions. The most straightforward, and the one we opted to go with, is a company called Authlite. They provide the mechanism to protect your administrative access and the actual MFA is byo. Good luck, this is quite a journey!

@JHanson1821 

 

Thanks for the quick response. I will take a look at it. Regards,

@JHanson1821 

I believe that my company has the same cyberSec Insurance company because we received the exact same attestation statement. 

We have been scrambling a bit to find a viable solution for the requirements. Specifically the one referenced in your original post. Securing remote/internal access to ActiveDirectory and other RSAT tools. 

We currently use DUO as our MFA solution, and are in the process of deploying the DUO for RDP https://duo.com/docs/rdp to protect our endpoints and servers from remote login. 

 

I have not identified any viable solutions which integrate with DUO for remote access to the RSAT services. What were some of the solutions that you had identified and considered. 

@DaveSysAdmin83 

As I said here, the only option I investigated thoroughly enough to complete a POC is the one I personally chose, which is Authlite. Most people who answered this question didn't understand the difference between putting MFA on a Domain Controller at log in (not at all the requirement) vs putting MFA on administrative access to AD and all its component tools. So since the question is frequently misunderstood, your mileage may vary on if these are viable answers or not. Here are a couple of other ones that were suggested to me, in no particular order:

isdecisions UserLock

Secret Double Octopus

WiKID

 

Good Luck in your journey.

Dabona, I glanced over the outline of your post and that's a lot to take in, in a good way. Thank you for the info. I am going to take the time to read through all the concepts you have, as well as how you have them strung together. I anticipate being a better sysadmin afterwards!

Hello, please check if this can be an alternative to third party tools.
I think this procedure is able to "putting MFA on administrative access to AD and all its component tools" w/o using a third party tool (AFAIK, basically the authlite solution is similar to what I hypothesized and properly tested).
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-to-enabling-mfa-for-acti...
Thanks JHanson, please test if you have time and let me know your feedback... I am trying to find people who can test my POC :) !!

I would look into MFA solutions offered by DUO. Very easy to implement.

@SamLourie 

The Duo solutions do NOT protect Active Directory, they only protect logins to endpoints. That endpoint could be a workstation, a member server or a Domain Controller. There are a number of scenarios where that is not sufficient. If a computer somehow doesn't have Duo on it (BYOD or it simply got missed). RSAT. Remote PowerShell.
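The distinction in the reply above, MFA at the endpoint logon versus MFA on administrative access to AD, can be checked against a domain controller's own Security log. An RDP credential-provider prompt sits on the RemoteInteractive path (event 4624, logon type 10); RSAT snap-ins talking LDAP/RPC to the DC and PowerShell remoting over WinRM show up on the DC as Network logons (type 3), which that prompt never sees. The following is an added example, not code from the thread or from any vendor named in it: it parses a handful of constructed, simplified 4624-style records and reports privileged logons to a DC that arrived over a path an RDP-layer MFA does not cover. The account names, DC names, the `key=value|...` record layout and the privileged-account set are all assumptions made for the example.

```python
"""
Audit constructed Windows Security 4624 (successful logon) records to find
privileged logons to a domain controller that an RDP-layer MFA never saw.

Logon types (from the 4624 event schema):
  2 Interactive, 3 Network, 4 Batch, 5 Service, 7 Unlock,
  8 NetworkCleartext, 9 NewCredentials, 10 RemoteInteractive (RDP),
  11 CachedInteractive.
RSAT (LDAP/RPC) and PowerShell remoting (WinRM) land on the DC as type 3.
"""
from collections import Counter
from dataclasses import dataclass

# Assumption for the example: the privileged set is known up front. In a real
# estate it would be derived from Domain Admins, Enterprise Admins, etc.
PRIVILEGED_ACCOUNTS = {"jhanson-adm", "svc-backup"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Logon types where a credential-provider MFA (RDP MFA, Windows Hello) can
# interpose. Everything else reaches the DC without that prompt.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class LogonEvent:
    computer: str        # DC that logged the event
    account: str         # TargetUserName, normalised to lower case
    logon_type: int
    workstation: str     # WorkstationName the session came from
    auth_package: str    # Kerberos / NTLM / Negotiate


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return LogonEvent(
        computer=fields["Computer"],
        account=fields["TargetUserName"].lower(),
        logon_type=int(fields["LogonType"]),
        workstation=fields["WorkstationName"],
        auth_package=fields["AuthenticationPackageName"],
    )


def _privileged_dc_logons(lines):
    for line in lines:
        ev = parse_event(line)
        if ev.computer in DOMAIN_CONTROLLERS and ev.account in PRIVILEGED_ACCOUNTS:
            yield ev


def uncovered_admin_logons(lines):
    """Privileged logons to a DC over a path with no interactive MFA prompt."""
    return [ev for ev in _privileged_dc_logons(lines)
            if ev.logon_type not in INTERACTIVE_LOGON_TYPES]


def coverage_summary(lines):
    """Privileged DC logons counted by logon type: how much admin access the
    RDP-layer MFA actually sees versus how much bypasses it."""
    return dict(Counter(ev.logon_type for ev in _privileged_dc_logons(lines)))


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    "Computer=DC01|EventID=4624|TargetUserName=jhanson-adm|LogonType=10|WorkstationName=ADMIN-WS1|AuthenticationPackageName=Negotiate",
    "Computer=DC01|EventID=4624|TargetUserName=jhanson-adm|LogonType=3|WorkstationName=ADMIN-WS1|AuthenticationPackageName=Kerberos",
    "Computer=DC02|EventID=4624|TargetUserName=jhanson-adm|LogonType=3|WorkstationName=LAPTOP-BYOD|AuthenticationPackageName=Kerberos",
    "Computer=FS01|EventID=4624|TargetUserName=jhanson-adm|LogonType=3|WorkstationName=ADMIN-WS1|AuthenticationPackageName=Kerberos",
    "Computer=DC01|EventID=4624|TargetUserName=alice|LogonType=3|WorkstationName=HR-WS7|AuthenticationPackageName=Kerberos",
    "Computer=DC01|EventID=4624|TargetUserName=svc-backup|LogonType=3|WorkstationName=BACKUP01|AuthenticationPackageName=NTLM",
]


if __name__ == "__main__":
    print("privileged DC logons by type:", coverage_summary(SAMPLE_EVENTS))
    for ev in uncovered_admin_logons(SAMPLE_EVENTS):
        print(f"NOT covered by RDP MFA: {ev.account} -> {ev.computer} "
              f"type {ev.logon_type} from {ev.workstation} ({ev.auth_package})")
```

Run against the sample, the one RDP session (type 10) is the only privileged access an RDP-layer prompt would have gated; the RSAT-style and remoting-style sessions, including the one from a device the agent was never installed on, all arrive as type 3. The same split applied to a real DC's 4624 events gives a concrete answer to the attestation question: whether MFA is in front of admin access to the directory, or only in front of some of the machines used to reach it.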

 

That's a shame I was NOT helpful Joel. Hopefully you do NOT run into any further road blocks. As I canNOT be of any further assistance I shall NOT reply any further. All the best on your quest buddy!