I am getting ready to implement DUO with my RDP sessions to servers and I am looking for best practice on this. Do most people set up a domain admin user in DUO for logging into these machines? The other alternative would be to log in as a standard user and then use runas for everything.
Duo for Windows Logon only protects interactive login sessions at Windows OS consoles or over RDP. It does not add MFA to “runas” logins.
Thanks Kristina. I would protect the standard user during the RDP login with 2-factor and once in then they could use the runas command. The other solution is to create a separate domain admin. I assume that I can assign the same device to multiple duo users?
You can attach hardware tokens to multiple users (at least with YubiKeys), but I believe best practice is to have everyone log in using their own account with their own personal 2FA device. Sharing a domain admin login is usually frowned upon (which is why I implemented Duo RDP in the first place).
@asmith is right. Having your admins using individual accounts with their own authentication devices makes auditing server access much easier.
Thanks for the input guys! To clarify things a bit, we do indeed log into servers with a user's specific domain admin account. What I was not aware of is that in DUO you can use aliases to map the unique domain admin account to a user in DUO. For example, John Doe’s normal user account, “jdoe”, is a user in DUO and this user also has the domain admin account “jdoeadmin”. I can map jdoeadmin to the user jdoe and it is now tracked.
As far as best practice in the Windows world, I assume Microsoft will tell you to log into the server as non-admin and use runas when necessary.
I would recommend against using aliases for this type of authentication. Doing so will grant both the regular and admin account rights to authenticate to the servers in Duo. This pokes an unnecessary hole in your security posture. That said, the downfall of this is that you’re paying for multiple Duo accounts tied to the same person. That’s something we’ve decided is worth doing.
Also I just want to throw it out there that letting domain admins log into all of your servers is not a good practice. Domain admin level privileges are only needed to make core changes to AD such as schema changes, ACL changes, etc. This happens very infrequently when compared to other server maintenance in an enterprise, which can be delegated away to lesser privileged admin accounts.
We have dedicated domain admin accounts. These accounts can only log into domain controllers, enforced by the LogOnTo settings of the account, and are the only accounts in the organization that can log into domain controllers.
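The "Log On To" restriction described in the post above can be audited from PowerShell. This is an added example, not code from the thread or from Duo; it assumes the ActiveDirectory RSAT module on a domain-joined host, and flags any member of Domain Admins whose LogonWorkstations list is empty (meaning all computers) or includes a host that is not a domain controller.

```powershell
# Added example: audit Domain Admins for the "Log On To" (LogonWorkstations) restriction.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

# Short hostnames of every DC in the current domain, lower-cased for comparison.
$dcNames = @((Get-ADDomainController -Filter *).Name | ForEach-Object { $_.ToLower() })

function Test-DomainAdminLogonRestriction {
    [CmdletBinding()]
    param([string]$Group = 'Domain Admins')

    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties LogonWorkstations
            # LogonWorkstations is a comma-separated list of NetBIOS names; empty = "all computers".
            $allowed = @()
            if ($u.LogonWorkstations) {
                $allowed = @($u.LogonWorkstations.Split(',') | ForEach-Object { $_.Trim().ToLower() })
            }
            $nonDc = @($allowed | Where-Object { $dcNames -notcontains $_ })
            [PSCustomObject]@{
                SamAccountName    = $u.SamAccountName
                Unrestricted      = ($allowed.Count -eq 0)
                AllowsNonDC       = ($nonDc.Count -gt 0)
                LogonWorkstations = ($allowed -join ',')
            }
        }
}

# Report the accounts that can log on somewhere other than a domain controller.
Test-DomainAdminLogonRestriction |
    Where-Object { $_.Unrestricted -or $_.AllowsNonDC } |
    Format-Table -AutoSize

# Remediation for one account (hypothetical name): limit it to the DC list.
# Set-ADUser -Identity 'jdoeadmin' -LogonWorkstations ($dcNames -join ',')
```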
If your administrators already use DUO for remote access such as VPN, add their admin accounts to DUO and attach it to their regular user's device. No need to re-register a new device or user and the administrator doesn’t have to do anything - it just works.
We went DUO on all our servers and for non-named accounts, like “administrator” - we attached them to those who are accountable for the governance of those accounts.
Thanks for the info, Lance. We do have dedicated domain admin accounts and I have created another account that I pushed out via a GPO to all machines that is a local admin. Is this similar to what you are doing for installs and such on machines?