CISA alert over Duo misconfiguration


Following CISA alert Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability | CISA

They say “The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory” and one of the recommendations is " Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against “fail open” and re-enrollment scenarios."

What are the policies for re-enrollment? How do I prevent inactive devices from being un-enrolled? Are there other settings needed?

Hi @DaniAvni ,

We have a response to the CISA alert with guidance for customers on our blog: