I've been asked to set up MFA on internal computers and servers
-
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
-
I've been looking at some of the options out there. We've been using AuthLite for the IT team's access for years and it works great. The company wants to roll out MFA for all users and through the course of my research I've got the distinct impression that M$ wants people to go fully passwordless with something like a YubiKey.
-
@pete-s said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
Yes, that goes without saying, especially since many other things rely on our internet connection.
Also I'm learning that some of these MFA applications don't support auth events with things like psexec and powershell, etc.
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
I've been looking at some of the options out there. We've been using AuthLite for the IT team's access for years and it works great. The company wants to roll out MFA for all users and through the course of my research I've got the distinct impression that M$ wants people to go fully passwordless with something like a YubiKey.
You can also go MFA with Hello combining for instance fingerprint and pin code with secrets in TPM. It's not immediately obvious how to do it but it can be done.
-
@pete-s said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
All you need is a local break glass account on the application and you can bypass MFA and then turn it off for other users. This is common in DR planning
-
@dave247 Watching this as I've been tasked with virtually the same requirements!
-
Yeah I'll keep an eye on this. I'm thinking we'll be asked soon
-
I'm curious about the same thing - but I'm really trying to ditch my AD and rely mainly on AAD and M365.
I have devices logging directly into M365 - but enabling MFA on a device - haven't seen that in action yet.
-
We used Yubikeys in an air gapped environment for MFA.
They can either be treated like smart cards, or with a normal totp server. It would probably be much easier to use them if you have internet access as you wouldn't need to run your own u2f validation server.
-
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
-
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/ -
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
I guess "knowing to unplug the cable" is the second factor?
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
Pretty much lol.
Currently it's more of a audit/exam item check box for us. That said, this is just phase 1 of rollout. I'll gradually tweak and tighten things after deployment. Also, the back of our computers are locked so employees can't really get at the network cable.
Additionally, this is just one of many security layers. I have stuff locked down in other places that I feel matter quite a bit more. This is just going to help prevent unauthorized local and RDP logins for internal computers and servers only (users can't even get at servers currently).
-
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
I guess "knowing to unplug the cable" is the second factor?
Also you can disable that setting and it won't let you login at all in Duo.
-
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/Duo seems to be the easiest and I've been playing with it with the tiral. Its super easy to configure it so without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
I guess "knowing to unplug the cable" is the second factor?
Also you can disable that setting and it won't let you login at all in Duo.
My main problem with this is that we lose internet connectivity a few times per year and people won't be happy if they can't get into their computers. We have limited providers in our small and rural area. I would do offline codes but apparently that is per/pc and we have quite a bit of computer sharing, which would essentially mean people would have to deal with the offline registration pop-up on every pc and/or have an offline MFA added to the app for multiple computers. If I find a good way around this in time, I will disable MFA bypass when offline.