12-04-2018 04:49 AM
Hi all, I wanted to configure Duo in RDP so that it will, let’s say, challenge members of some local groups (like the local administrators group), and will pass through the rest. Could anyone think of a way of implementing it without the use of AD/Duo groups?
Meaning, could there be a policy that would check if the user is a member of “local administrators” on this host and if so challenge him, else pass through?
12-04-2018 06:01 AM
Hi eujeens, based on your requirements, you could consider only enrolling the local administrators in Duo and setting your RDP application policy to allow access without 2FA for all unenrolled users.
We recommend requiring enrollment and using group policy for this for better security, but this solution may help.
12-11-2018 06:25 AM
The problem is that most of my users are enrolled; they have other machines where they are admins. So they will be challenged in this logon though they are not admins here.
12-21-2018 11:43 AM
You can use Duo applications and group policies to require Duo MFA for a group of Duo users (in a group policy assigned to an application) while bypassing MFA for users not in the Duo group (in an application policy).
Note that I mean a group in Duo populated with Duo users, not a local group on the client that contains users who also exist in Duo.
Here’s an example (only Duo users in the “ServerAdmins” Duo group have to perform 2FA):
Learn more about Duo policies here.
12-27-2018 06:18 AM
You do inherit some risk when you set up bypass rules for these privileged admins. You can add the “administrator” account to Duo and then attach it to the admins who have the required access to use that account. When RDP sessions are initiated, you can select, at logon, which device you want to authenticate with.