Ian Sanderson's walkthrough details configuration of roll-your-own MFA using free Cisco Duo Authentication for Windows Logon and RDP
I must have mentioned Duo's MFA to over a dozen folks all this year, sharing the existence of this great gem with user group attendees, colleagues, friends, and strangers. If you have an always-on Windows or Windows Server jump box or VM listening for connection attempts to port 3389 in your home lab, it's vulnerable to brute force attacks on that logon, and that weak spot is an excellent attack vector for malicious software or humans to hop on in.
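The brute-force risk described above is also something you can watch for on the box itself, independent of adding MFA. The following is an added example, not code from the original post or from Duo: it runs a sliding-window count of failed RDP logons (Windows Security Event ID 4625 with LogonType 10, RemoteInteractive) per source address over a constructed, simplified sample of event lines. The line format, thresholds, and addresses are assumptions made for the example; real events come from the Security log (for instance via Get-WinEvent) as XML, but the grouping logic is the same.

```python
"""Brute-force detection over Windows failed-logon events (constructed sample).

Added example, not from the original post or from Duo. The input is a
constructed, simplified rendering of Security Event ID 4625 (failed logon)
and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, target account, source IP.
# 203.0.113.7 hammers several accounts within seconds; 192.0.2.44 is a user
# who mistyped a password once, then logged in, then mistyped again later.
SAMPLE_EVENTS = """\
2018-11-20T02:14:01 4625 10 administrator 203.0.113.7
2018-11-20T02:14:03 4625 10 admin 203.0.113.7
2018-11-20T02:14:05 4625 10 administrator 203.0.113.7
2018-11-20T02:14:06 4625 10 user 203.0.113.7
2018-11-20T02:14:09 4625 10 administrator 203.0.113.7
2018-11-20T02:14:10 4625 10 guest 203.0.113.7
2018-11-20T02:30:00 4625 10 paul 192.0.2.44
2018-11-20T02:31:30 4624 10 paul 192.0.2.44
2018-11-20T03:45:00 4625 10 paul 192.0.2.44
"""


def parse_events(text):
    """Parse the simplified event lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failure_count, distinct_accounts)} for every source
    that produced at least `threshold` failed RDP logons (4625, type 10)
    inside a sliding `window`. A slow trickle of failures spread over hours
    does not alert; a burst against several account names (a spray) does.
    The first time a source crosses the threshold is recorded."""
    recent = defaultdict(deque)  # src -> deque of (time, account) still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["src"]]
        q.append((ev["time"], ev["account"]))
        # Drop failures that fell out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = (len(q), sorted({a for _, a in q}))
    return alerts


if __name__ == "__main__":
    for src, (count, accounts) in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{src}: {count} failed RDP logons in window, accounts tried: {accounts}")
```

With the sample above only 203.0.113.7 alerts (five failures within nine seconds against three different account names); the legitimate user's two spaced-out failures stay below the threshold. The distinct-account list is what distinguishes a password spray from one person mistyping a password, which is useful when deciding whether a block or a closer look is warranted.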
Despite my finding a great solution for me well over a year ago, I never managed to get a detailed walk-through guide published...
Step-by-step
To my delight, just such a guide has now been cooked up, and it’s fully baked! Here you go, ready to roll (out) to up to 10 of your Windows systems, for free:
- MFA it up a notch. Add an extra layer of security to a jump box with DUO MFA
Nov 06 2018 by Ian Sanderson @lan0x0r
I have been evaluating Multi-Factor Authentication solutions recently and came across Duo on my travels. One of the things that grabbed my attention with Duo, in particular, was the free access tier for up to 10 users for personal use. Great!
...
What fellow Veeam Vanguard Ian has done here is pretty incredible, leaving no step unshown or unexplained, which makes implementing this feature on your Windows systems a whole lot easier. I know whose guide I'll be using when I go to install this on my 3rd system, with the other two using MFA for RDP for over 6 months now, with excellent reliability and usability.
Duo's Documentation
This new guide goes well beyond Duo's official documentation found at:
- Duo Authentication for Windows Logon and RDP
duo.com/docs/rdp...
There is a known issue with using Duo authentication and Microsoft/Live accounts after installing the Windows 10 Fall Creators Update (version 1709) released 10/17/17. Please see the Microsoft Account FAQ item for more information and a workaround.
...
Yes, this problem is annoying, and still unresolved, maybe even in the re-released Windows 10 version 1809 / Windows Server 2019 version 1809, I'll be testing that soon. This issue is discussed in this very long Duo Community thread. The simplest work-around I use is sticking with local logins for now.
Details of my use case for my home lab
I also have a brief write-up here:
iOS/watchOS and Android support
My video demonstration below shows that even with a locked phone, your watch can be used to approve the request instead, see also Duo's Apple Watch and Duo Mobile documentation featuring Duo Push.
Duo Mobile is available on App Store and Google Play.
Video
The above video shows exactly what happens when your phone happens to be locked, with Apple Watch kicking in automatically to prompt you instead. Nice!
FYI, MFA (Multi-Factor Authentication) is sometimes also loosely referred to as 2FA / two-factor or dual-factor authentication.
FYI, here are some notes I had drafted back in March of 2018, to eventually be published:
Why
When cellular isn't available to tether, you might not have a choice but to connect to whatever network you got, much as I did when doing consulting at 35 of the 50 states from 2005 to 2009, using a VPN once online. Looking back, I sure wish I had Duo back then, as connecting to remote desktops would have been so much simpler and more secure. I was using Windows Home Server and its baked-in Remote Desktop Gateway, combined with its DDNS service, to get to my jump box, but keeping that going was a bit clumsy over the years, with upgrades requiring a complete reinstall.
Remote access methods
There are many ways to access a Windows system or VM left running in a home lab when you're not at home. There are also many challenges, including the harsh reality that anything but port 80 and 443 is likely to be blocked by at least some locations you may choose to try to work from, including airports, corporate networks, hotels, and other guest WiFi. This means no traditional RDP, at least not over the default port 3389 anyway.
VNC over a WAN is slow
A no go for me, as my remote sessions sometimes last for hours, so any increased latency seen as a sluggish mouse or slow typing is completely unacceptable. RDP is much better at handling a WAN.
What about TeamViewer and LogMeIn?
The push to a paid offering can get frustrating.
Here's how I rolled my own secure remote access using VPN and RDP
- Configure my router to do DDNS (Dynamic DNS), to allow for remote access to VPN using native Windows VPN client pointed to my hostname (rather than changing IP)
- Configure my router to be a VPN server
- Connect to whatever wired or wireless network I'm able to get to when traveling
- Connect to my home's VPN
- Connect to my RDP
See also at TinkerTry
- All Network articles.
- Microsoft Windows 10 and Windows Server 2019 download links for re-released version 1809 October 2018 Update
Nov 20 2018