I've been asked to set up MFA on internal computers and servers
-
I just wanted to get some input before I start diving into research and planning....
My company is in the financial services and we've been told from various sources that we should look at MFA across the board, which includes internal user computers and internal servers.
We currently have a Hybrid on-prem AD/Azure/Exchange 365 (E3) deployment and we already have MFA enabled with Microsoft Azure for all external-related auth/access (remote use employees sign in with their Microsoft identity and use MFA if their access request is coming from a non-company WAN IP address).
I am wondering if any of you can give some input/advice on enabling MFA internally with AD, preferably using Microsoft tools and settings (I'd like to avoid Duo). My thought currently is to utilize the Microsoft Authenticator app and the hybrid joined user workstations along with whatever settings need to be changed to request the MFA codes on the workstations and computers.
Additionally, I welcome any and all questions, criticisms and insults regarding the why and how of this question. I don't personally think we need internal MFA but I still want to gather as much information as possible.
-
@dave247 Honestly, MFA for that use case is great. No complaints there. It's a pain for end users, but a good idea for financial services especially.
-
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 Honestly, MFA for that use case is great. No complaints there. It's a pain for end users, but a good idea for financial services especially.
even internally for fully on-prem / non-remote access to user computers and servers? And is there a fully Microsoft solution that wouldn't require using a 3rd party app like Duo? (I'm just trying to avoid unnecessary complexity and cost)
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
-
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin.
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
-
I've been looking at some of the options out there. We've been using AuthLite for the IT team's access for years and it works great. The company wants to roll out MFA for all users and through the course of my research I've got the distinct impression that M$ wants people to go fully passwordless with something like a YubiKey.
-
@pete-s said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
Yes, that goes without saying, especially since many other things rely on our internet connection.
Also I'm learning that some of these MFA applications don't support auth events with things like psexec and powershell, etc.
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
I've been looking at some of the options out there. We've been using AuthLite for the IT team's access for years and it works great. The company wants to roll out MFA for all users and through the course of my research I've got the distinct impression that M$ wants people to go fully passwordless with something like a YubiKey.
You can also go MFA with Hello combining for instance fingerprint and pin code with secrets in TPM. It's not immediately obvious how to do it but it can be done.
-
@pete-s said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@scottalanmiller said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
even internally for fully on-prem / non-remote access to user computers and servers?
Yeah, for sure. Things that are local have a way of becoming "non local" without people realizing. Whether by unplanned design, or malicious intent.
Well in my case, no local servers or workstation will accidentally become non-local, I am confident in that. Regardless, I'll set up MFA on them.
Any input as to what tool/application/settings are appropriate? I am currently looking at the NPS for Azure plugin
If you have MFA on your internal stuff then I think you will be dependent on internet for your internal assets as well.
Good to know for business continuity and disaster recovery.
All you need is a local break glass account on the application and you can bypass MFA and then turn it off for other users. This is common in DR planning
-
@dave247 Watching this as I've been tasked with virtually the same requirements!
-
Yeah, I'll keep an eye on this. I'm thinking we'll be asked soon.
-
I'm curious about the same thing - but I'm really trying to ditch my AD and rely mainly on AAD and M365.
I have devices logging directly into M365 - but enabling MFA on a device - haven't seen that in action yet.
-
We used Yubikeys in an air gapped environment for MFA.
They can either be treated like smart cards, or with a normal totp server. It would probably be much easier to use them if you have internet access as you wouldn't need to run your own u2f validation server.
-
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing.
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
-
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/
-
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/
Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so that without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
-
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
@dbeato said in I've been asked to set up MFA on internal computers and servers:
@dave247 said in I've been asked to set up MFA on internal computers and servers:
@notverypunny said in I've been asked to set up MFA on internal computers and servers:
As far as the internet connectivity issues are concerned, AuthLite has 0 dependencies apart from AD. It can also integrate with NPS / RADIUS + AD to provide MFA to just about anything that can use RADIUS.
It's also per-user perpetual licensing
oh nice, I will check that out immediately. I was looking at Duo too (of course) so I wonder how that compares. I like the idea that it has no other dependencies than AD - that's perfect for our current environment.
Yeah, DUO has dependencies with their service and if the computer doesn't have internet it has the option to let you login without a prompt so that happens. Not sure if AuthLite does the same.
Authlite has support for offline logins (meaning if the machine can't talk to a DC), it just requires the installation of their client on the workstation / server / endpoint in question. You can also require / enforce 2FA on your endpoints.
Here's a thread where one of the authlite guys gives a quick comparison of AuthLite vs Duo.
https://www.reddit.com/r/sysadmin/comments/ct9m31/duo_vs_authlite_for_ad_mfa/
Duo seems to be the easiest and I've been playing with it with the trial. It's super easy to configure it so that without Internet or Duo service connectivity, MFA is bypassed. So in the event we have an Internet outage (happens 2-3 times a year here), users will still be able to get into their computers.
OK.... but then the only thing that you have to do to bypass the security is pull the network cable, right? Unless there's some other requirement it seems like a massive security hole.
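A defender-side audit for the fail-open behaviour the last two posts argue about, added here as an example and not taken from the thread or from Duo. It assumes the Duo Authentication for Windows Logon client records its fail mode as the `FailOpen` DWORD under `HKLM:\SOFTWARE\Duo Security\DuoCredProv` (1 = MFA bypassed when the service is unreachable, 0 = logon refused) and that PowerShell Remoting is enabled on the target hosts; the hostnames are constructed placeholders, and the key and its default should be confirmed against Duo's current documentation before acting on the report.

```powershell
# Report which Windows hosts would skip MFA if the Duo service (or the network) is gone.
# Assumption (see lead-in): fail mode is stored as FailOpen under the DuoCredProv key.
param(
    [string[]]$ComputerName = @('WS01', 'WS02', 'FILESRV01')   # constructed placeholders
)

$audit = {
    $key = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'   # assumed registry path
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $false; FailOpen = $null; Finding = 'No Duo client found' }
    }
    $props = Get-ItemProperty -Path $key
    # Assumption: the installer's default is fail open, so a missing value is treated as 1.
    $failOpen = if ($null -ne $props.FailOpen) { [int]$props.FailOpen } else { 1 }
    $finding = if ($failOpen -eq 1) {
        'Fail open: losing network or Duo connectivity drops the MFA prompt'
    } else {
        'Fail closed: logon refused while Duo is unreachable (needs a break-glass local account)'
    }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $true; FailOpen = $failOpen; Finding = $finding }
}

$results = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $audit -ErrorAction Stop |
            Select-Object Host, Installed, FailOpen, Finding
    } catch {
        # Unreachable hosts are reported rather than silently skipped so the audit is complete.
        [pscustomobject]@{ Host = $c; Installed = $null; FailOpen = $null; Finding = "Unreachable: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Hosts that still need a decision: flip to fail closed, or document the accepted risk.
$results | Where-Object { $_.FailOpen -eq 1 } | Select-Object -ExpandProperty Host
```

Run it from a management host with rights on the targets; the final list is the set of machines where unplugging the cable, as the post above notes, removes the second factor.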