Duo security, now a part of Cisco provides a range of scalable security solutions for Enterprise and SMB’s, including Duo MFA.
Multifactor authentication (MFA) is a great way to secure your identities and protect sensitive information. At cubesys, usually, when it comes to MFA, we work with Azure MFA, which is often included as part of a broader Microsoft 365 engagement. Both Duo and Azure MFA products offer cloud-based, scalable, easy-to-implement and configure platforms, and Duo MFA even integrates with Azure AD, for conditional access, for example. However, in this post, I wanted to quickly introduce Duo MFA, especially with small SMBs in mind, and how easy it is to set up and demo. I will do this by setting up second-factor authentication on a stand-alone (not AD-joined) Windows server deployed in Azure.
Currently, you can sign up for a free trial of Duo here.
Once your Duo account is set up, you can add users and services or applications that you want to protect. What I am going to do here is create an application in the Duo admin portal for remote desktop logons (RDP) to the Windows server I have created in Azure. The entire process for setting this up is well documented on Duo Authentication for Windows Logon and RDP. In this demo, I am simply going to create the application (‘Microsoft RDP’) and do no more, however, you can configure more granular access policies, scoping and even offline access to allow MFA to continue working offline which is pretty cool.
You will need to have access to the API hostname, integration and secret keys for installing the Duo software on the Windows server shortly. The screen-grab below shows what this information looks like in the Duo admin portal. And the link to download the software is presented in the above Duo documentation or can be downloaded from here.
The next step to do in the Duo admin panel is to set up a demo user account. This account doesn’t have any special requirements apart from a valid email address is required. In the case of this demo, I have created a local user account on the Windows server called Duo. Demo and I am going to create a new user in the Duo admin portal by the same name (Duo.Demo) and enter a valid email address, and that’s it. Again there are many other configurable properties for the user account, but these are the only two steps I performed for this demo.
The option to require 2FA for the user should be selected by default as shown in the below screen-grab. Click on ‘Save Changes’ at the bottom of the user details.
From the user details page, click on the ‘Send Enrolment Email’ link as shown below, and then go to the mailbox to enrol the demo user into Duo.
Click on the link in the enrolment email and complete the enrolment process. For the enrolment, Select ‘mobile phone’ for the type of device to enrol. Then enter your mobile number, select the type of mobile device, follow the instructions to download the Duo mobile app, scan the barcode presented with the Duo app, and on the last page of user enrolment I selected ‘Automatically send this device a Duo push’ for ‘When I log on’. Once completed you’ll see that enrolment has completed successfully.
Important: This last step is optional, but I definitely recommend it, especially if the above user is not an administrator on the Windows server.
Note, that once the Duo software is installed on the Windows server, all users, including administrators, will need to authenticate via the Duo MFA platform when logging onto the server, unless they are excluded in the Duo admin portal from doing so. For this reason, you should also ensure that a user account is added in the Duo admin portal that relates to an administrator user on the Windows server, to ensure you have administrator access once the software is installed. And this account could also be excluded from MFA if you wish while testing for example. This is what I did for my Windows server admin account, selecting the ‘Bypass’ option, as shown below.
The final step is to set up your Windows server by installing the Duo Security software. The is a simple process, copy across the installer package that was downloaded earlier and run it, copy the API hostname and key values from the ‘Microsoft RDP’ application configured in the Duo admin portal earlier in this demo when prompted by the installer, and then leave the default selections for the ‘Duo integration options’, and then click Install. Done!
Now when I log into my Windows Server with the Duo. Demo user, I am prevented from proceeding to the desktop by the Duo Security software, and instead presented with the below screen, while a push notification is sent to my Duo app on my mobile phone.
Similar to the Azure authenticator app, once I tap on ‘Approve’ on the Duo app notification on my mobile device, the above Duo Security window closes, and I am allowed onto the server. If the above window is closed or cancelled before approving the push notification, or if the notification is denied, the user can not log into the desktop.
As you can see above, there are other second-factor authentication options. There is an opportunity to report fraudulent logon attempts from the authenticator app, and many other configurable features throughout the product. But in the context of this demo, there you go, enhanced security via MFA provisioned in around 10 minutes!