Securing Domain Administrators

Daniel Andryszak · ‎08-02-2019

Our company is evaluating the product and our security department would like to use DUO for securing domain administrators logons. I don’t see that as an application (?) to secure. Sorry for such a vague question, but we are new to this.

DuoKristina · ‎08-02-2019

The typical use case for Duo with on-prem Windows/AD is securing a workstation or server, and not necessarily a person.

If you are looking for an application that would prompt for 2FA when a domain admin right-clicks to run ADUC as an administrator or makes a change to an AD object, Duo does not address this today.

But, if you wanted to require 2FA when a domain admin logs on to a domain controller, we have a solution. You can learn more about what logon types we protect here.

For O365/Azure AD tenant admins, you could add Duo for login verification a few ways:

Federation to a SAML IdP that has Duo, like our Duo Access Gateway, AD FS, etc.
The Duo MFA custom control for Azure AD P1/P2

Duo, not DUO.

Daniel Andryszak · ‎08-06-2019

So there is a method within the DUO product to require a user to enter a passcode when logging on with a Domain Administrator level account? I see many posts were people have “implemented”, but my understanding is DUO is an endpoint product. The application would need to be installed on each server you wanted to 2FA required.

DuoKristina · ‎08-09-2019

So there is a method within the DUO product to require a user to enter a passcode when logging on with a Domain Administrator level account?

No, as I said, Duo for Windows Logon protects the server/workstation, not the user.

The application would need to be installed on each server you wanted to 2FA required.

Correct, as described in the linked documentation for Duo for Windows Logon.

Duo, not DUO.