Ian Sanderson's walkthrough details configuration of roll-your-own MFA using free Cisco Duo Authentication for Windows Logon and RDP

Posted by Paul Braren on Nov 27 2018 (updated on Nov 28 2018) in
  • HomeLab
  • Network
  • Windows
  • I must have mentioned Duo's MFA to over a dozen folks all this year, sharing the existence of this great gem with user group attendees, colleagues, friends, and strangers. If you have an alway-on Windows or Windows Server jump box or VM listening for connection attempts to port 3389 in your home lab, it’s vulnerable to brute force attacks on that logon, and is an excellent attack vector for malicious software or humans to use that weak spot to hop on in.

    Despite my finding a great solution for me well over a year ago, I never managed to get a detailed walk-through guide published...

    Step-by-step

    To my delight, just such a guide has now been cooked up, and it’s fully baked! Here you go, ready to roll (out) to up to 10 of your Windows systems, for free:

    featured

    What fellow Veeam Vanguard Ian has done here is pretty incredible, leaving no step un shown or un explained, which makes implementing this feature on your Windows systems a whole lot easier. I know whose guide I'll be using when I go to install this on my 3rd system, with the other two using MFA for RDP for over 6 months now, with excellent reliability and usability.

    Duo's Documentation

    rdp

    This new guide goes well beyond Duo's official documentation found at:

    Yes, this problem is annoying, and still unresolved, maybe even in the re-released Windows 10 version 1809 / Windows Server 2019 version 1809, I'll be testing that soon. This issue is discussed in this very long Duo Community thread. The simplest work-around I use is sticking with local logins for now.

    Details of my use case for my home lab

    travel-tech-2018

    I also have a brief write-up here:

    iOS/watchOS and Android support

    applewatch1
    Image from Cisco Duo, click to visit source article.

    My video demonstration below shows that even with a locked phone, your watch can be used to approve the request instead, see also Duo's Apple Watch and Duo Mobile documentation featuring Duo Push.

    Duo Mobile is available on App Store and Google Play.

    Video

    Duo Authentication for Windows Logon and RDP - roll-your-own two factor demo of home lab access

    The above video shows exactly what happens when you're phone happens to be locked, with Apple Watch kicking in automatically to prompt you instead. Nice!

    FYI, MFA (Multi-Factor Authentication) is sometimes also loosely referred to as two-factor or even dual-factor authentication.

    FYI, I had drafted back in March of 2018, to eventually be published, here they are:

    Why
    When cellular isn't available to tether, you might not have a choice but to connect to whatever network you got, much as I did when doing consulting at 35 of the 50 states from 2005 to 2009, using a VPN once online. Looking back, I sure wish I had Duo back then, as connecting to remote desktops would have been so much simpler and more secure. I was using Windows Home Server and its baked-in Remote Desktop Gateway, combined with its DDNS service, to get to my jump box, but keeping that going was a bit clumsy over the years, with upgrades requiring a complete reinstall.

    Remote access methods
    There are many ways to access a Windows sytem or VM left running in a home lab when you're not at home. There are also many challenges, including the harsh reality that anything but port 80 and 443 is likely to be blocked by at least some locations you may choose to try to work from, including airports, corporate networks, hotels, and other guest WiFi. This means no traditional RDP, at least not over the default port 3389 anyway.

    VNC over a WAN is slow
    A no go for me, as my remote sessions sometime last for hours, so any increased latency seen as a sluggish mouse or slow typing is completely unacceptable. RDP is much better at handing a WAN.

    What about Teamviewer and LogMeIn
    The push to a paid offering can get frustrating.

    Here's how I rolled my own secure remote access using VPN and RDP

    1. Configure my router to do DDNS (Dynamic DNS), to allow for remote access to VPN using native Windows VPN client pointed to my hostname (rather than changing IP)
    2. Configure my router to be a VPN server
    3. Connect to whatever wired or wireless network I'm able to get to when traveling
    4. Connect to my home's VPN
    5. Connect to my RDP

    Here's how I rolled my own secure remote access using RDP

    1. Configure my router to do DDNS (Dynamic DNS), to allow for remote access to VPN using native Windows VPN client pointed to my hostname (rather than changing IP)
    2. Configure my router to be a VPN server
    3. Connect to whatever wired or wireless network I'm able to get to when traveling
    4. Connect to my home's VPN
    5. Connect to my RDP

    Social

    1067427708546609152
    vv-boat-departure-photo
    Can you find Ian Sanderson and Paul Braren? Zooming by clicking twice helps.

    See also at TinkerTry

    windows-10-and-windows-server-2019-version-1809-downloads