Microsoft RDP/Windows Logon For Dummies

TheWaterbug
Level 1

We’re a small shop, < 10 users, local AD domain running Windows Server 2022 on a test network cloned from our production network. I have a few users enrolled and I’m starting to test on the WS22 box and on a test Win10 Pro/64 workstation:

  1. I originally started down the road with Duo AD Sync, because that sounded correct to me, but couldn’t get that to work, and eventually found the much simpler Microsoft RDP/Windows Logon setup (4.2.2), which is what I’m testing now. I plan to install Duo on each workstation manually instead of pushing via GPO.

  2. Am I correct in understanding that, by using this edition, my 2FA is somewhat independent from the Active Directory directory services, and that I’m no longer relying on anything running on the DC to perform the 2nd factor authentication? e.g. the Duo app sort of inserts itself in between my successful Windows password entry and my successful login on the workstation, but it doesn’t actually communicate or rely on any Duo software installed on the DC? Does Duo even need to be installed on the DC(s) for this to function on the workstations? I suppose I originally thought of Duo as 2FA for “access to the network” whereas in this edition it’s really 2FA for “access to this particular machine,” which then has access to the network.

  3. Does this also mean that I can install this same app on non-domain-joined workstations on my network the same way? I have several machines that are off the domain for security purposes, but I still want 2FA for login.

  4. If I install Duo on a workstation before enrolling the appropriate user, or if the user is misconfigured, I will lock myself out of the machine. Is the recovery/workaround to boot Windows into Safe mode and uninstall the Duo application? If yes, is this a security hole? Also, given that ability to lock myself out of a machine, would it make sense to have a Test button on the Duo installer, immediately after installation, so that I can fix things before I log out/reboot and potentially lock myself out of a machine?

  5. On a somewhat related note, I enrolled my domain Administrator account first, with the same iPhone number as my user account. What are the pitfalls and/or best practices for managing the domain Administrator account?

  6. It took me a long time to find the Microsoft RDP/Windows Logon edition of Duo, because I was searching Protect an Application for “Windows” which doesn’t return any results. I did see Microsoft RDP, but didn’t think that was what I was looking for because my primary concern is local console login, which is how 90% of my users log in. Should Duo change the name to Microsoft RDP/Windows Logon or even Windows Logon/Microsoft RDP or at least have it show up when searching for “Windows”?

  7. How do I do “outline”-style numbered lists in this forum?

Thanks!

1 Accepted Solution

Accepted Solutions

DuoKristina
Cisco Employee
  1. Duo AD sync is only about importing users from AD into Duo and keeping the user list up to date so admins don’t have to create the users by hand or repeated CSV file imports. It doesn’t create any sort of 2FA integration on the actual Windows clients.

  2. Yes, Duo Authentication for Windows Logon is an application you install on a Windows system that can apply 2FA to either local or domain logins to that system, coming from an RDP connection to that system or at the local console. Nothing is needed on the domain controller, unless your use case is that you want to apply 2FA to logins on your domain controller too. Thinking of it as “access to this particular machine” is exactly right.

  3. Yes.

  4. Yes, that is the recovery. As in all things, local access to a given system can render many protections ineffective. Your suggestion about a test button is nice, but since it doesn’t exist today take appropriate caution. We do call out the need to enroll users in Duo before installing Duo for Windows Logon a few times in the documentation, like here.

  5. There really aren’t any? To Duo it’s just a user (no concept of privilege). Something to be aware of is that if you have multiple admins who might log in as Administrator they would all need to have their phones attached to the “Administrator” user account in Duo so each of them would be able to 2FA into a system.

  6. Can of worms!! Renaming applications isn’t easy and I’ll leave it at that. I’ll suggest adding Windows as an alternate search term though.

  7. Indent more with spaces to make it look like an outline.

    1. Like this.

    2. But keep in mind that this community is moving to a space at cisco.com next month, and the editor there lets you actually tab indent lists.

Hope this all helps!

Duo, not DUO.
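Since the installer has no "test" button, the practical mitigation for point 4 is an admin-side pre-check: confirm the account exists in Duo, is active, and has a phone attached before installing Duo for Windows Logon on that machine. The following is an added example, not code from the thread or from Duo; it implements the documented Duo Admin API request signing and a small check over constructed sample responses, with placeholder integration/secret keys and API hostname.

```python
import base64, hashlib, hmac, json
from urllib.parse import quote

# Duo Admin API request signing (the documented v2 scheme): date, method,
# host, path and the encoded params are joined by newlines and HMAC-SHA1'd
# with the secret key; the hex digest becomes the Basic-auth password.
def sign_request(ikey, skey, method, host, path, params, date):
    encoded = "&".join(f"{quote(k, safe='~')}={quote(v, safe='~')}"
                       for k, v in sorted(params.items()))
    canon = "\n".join([date, method.upper(), host.lower(), path, encoded])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": "Basic " + auth}

def enrollment_status(response_body):
    """Decide from a GET /admin/v1/users?username=... JSON body whether the
    account can actually complete 2FA at the Windows logon prompt."""
    body = json.loads(response_body)
    if body.get("stat") != "ok":
        return False, "API error: " + str(body.get("message"))
    users = body.get("response", [])
    if not users:
        return False, "user not found in Duo: install would lock this account out"
    user = users[0]
    if user.get("status") != "active":
        return False, f"user status is {user.get('status')!r}, not 'active'"
    if not user.get("phones"):
        return False, "user has no phone attached, so no second factor to approve"
    return True, f"enrolled and active with {len(user['phones'])} phone(s)"

# Constructed sample responses (not captured from a real Duo tenant).
ENROLLED = json.dumps({"stat": "ok", "response": [
    {"username": "jdoe", "status": "active",
     "phones": [{"type": "Mobile", "platform": "Apple iOS"}]}]})
NO_PHONE = json.dumps({"stat": "ok", "response": [
    {"username": "administrator", "status": "active", "phones": []}]})
MISSING = json.dumps({"stat": "ok", "response": []})

if __name__ == "__main__":
    # Placeholder keys and hostname; real values come from the Duo Admin Panel.
    hdrs = sign_request("DIXXXXXXXXXXXXXXXXXX", "placeholder-secret-key", "GET",
                        "api-xxxxxxxx.duosecurity.com", "/admin/v1/users",
                        {"username": "jdoe"}, "Tue, 21 Aug 2012 17:29:18 -0000")
    print(hdrs["Authorization"][:20] + "...")
    for name, body in [("jdoe", ENROLLED), ("administrator", NO_PHONE), ("ghost", MISSING)]:
        print(name, enrollment_status(body))
```

Run the check for every account that will log on to the workstation (including the shared Administrator account from point 5) and only then install the client.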


2 Replies


TheWaterbug
Level 1

Thanks for the comprehensive reply!
