Windows 2019 Server being compromised with no DUO authentication logged


As per the topic title, I have a fully updated Windows Server 2019 running DUO authentication for RDP connections.

There is a single sign-on method for DUO PINs which uses a manually entered TOTP hardware key.

The server appears to be getting compromised, while the DUO authentication logs show no sign of an authorised login with the TOTP. When installed, the block shell access box was ticked and no other services are running on the server that should allow access.

How to proceed?
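One check that is independent of Duo, added here as an example and not part of the original post or of any Duo documentation: the Windows Security log records every successful logon (event 4624) whether or not Duo's credential provider was involved, so listing those logons by logon type, account and source address and lining them up against the Duo authentication log shows which sessions Duo never saw and by which path (RDP is logon type 10; SMB, WinRM and similar are type 3, scheduled tasks type 4, services type 5). The script assumes it is run in an elevated PowerShell session on the server itself and that the Security log still holds the period of interest; the `$Days` lookback parameter and the machine-account filter are my choices, not anything from the thread.

```powershell
# Added example (not from the original post or from Duo). Lists successful logons
# (Security event 4624) from the last $Days days, grouped by logon type, account and
# source address, so they can be compared against the Duo authentication log.
# Run in an elevated PowerShell session on the server being investigated.
param(
    [int]$Days = 7   # assumed lookback window
)

# Well-known logon type codes for event 4624.
$LogonTypes = @{
    2  = 'Interactive (console)'
    3  = 'Network (SMB, WinRM, etc.)'
    4  = 'Batch (scheduled task)'
    5  = 'Service'
    7  = 'Unlock'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials (runas /netonly)'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4624 events since $since. Check log retention and look for event 1102 (audit log cleared)."
    return
}

$rows = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Skip the noisy machine-account and SYSTEM logons (assumed filter).
    if ($d.TargetUserName -like '*$' -or $d.TargetUserName -eq 'SYSTEM') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        LogonType = [int]$d.LogonType
        TypeName  = $LogonTypes[[int]$d.LogonType]
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        SourceIP  = $d.IpAddress
        Process   = $d.ProcessName
        LogonId   = $d.TargetLogonId
    }
}

# Summary: which accounts came in by which path, and from where.
$rows | Group-Object LogonType, Account, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'LogonType'; e = { $_.Group[0].TypeName } },
        @{ n = 'Account';   e = { $_.Group[0].Account } },
        @{ n = 'SourceIP';  e = { $_.Group[0].SourceIP } },
        @{ n = 'First';     e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';      e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Detail view of RDP logons only (type 10): each of these should have a matching
# Duo authentication entry at roughly the same timestamp.
$rows | Where-Object LogonType -eq 10 | Sort-Object Time |
    Format-Table Time, Account, SourceIP, Process -AutoSize
```

Any type 10 logon here with no corresponding Duo entry, or any non-RDP logon type from an unexpected source address, narrows down the path that bypassed Duo; an empty or truncated Security log for the period, or an event 1102, is itself a finding worth preserving before the server is rebuilt.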


Hi there, I recommend contacting Duo Support for the fastest help with this issue. They’ll be able to assist you in reading the logs, reviewing your configuration files, and determining what’s going on here. As a friendly reminder, the Duo Community forum is not an official support channel, and especially in the event of a suspected compromise, you’ll want to go through the Support team. Thanks!