Whether you are running standalone Windows hosts or a full Active Directory environment, there are a few common ways that Duo authentication misconfigurations in Windows can be abused. These include ignoring the FailOpen setting, allowing unenrolled or partially enrolled users to register MFA devices, and exposing your API keys to attackers.
Bypassing Duo authentication when offline (FailOpen)
Duo is a multifactor authentication (MFA) service that integrates with Windows and Active Directory. You can configure Duo to support offline logons, and it can also be configured to allow bypasses in case of a service disruption. However, if you don't know what you're doing, you can easily make your environment vulnerable to attack. Here are a few tips to avoid misconfigurations.
First, read through the documentation. The best way to protect your workstations is to enforce two-factor authentication (2FA). This limits an attacker's ability to use weak passwords to access your network. You can also enable UAC elevation protection.
Duo Authentication for Windows Logon (RDP) version 4.0 has a feature that overrides the configured failure mode setting if a user activates offline access. Consequently, it is important to ensure that your Duo agent is set to fail secure. You can also configure an outbound HTTP proxy if your computer does not have direct Internet access.
Enabling unenrolled or partially enrolled users with attacker-controlled MFA devices
If you are using Duo Authentication to protect Windows and Active Directory environments, you may be concerned about unenrolled or partially enrolled users being able to register attacker-controlled MFA devices. Fortunately, there are a few ways to ensure that these users are protected.
First, you can configure policies that deny logons for unenrolled or partially enrolled users who do not have MFA. For example, you can block access from any network, or allow access only from specific networks. These policies are important because they protect your environment from threats while ensuring that your users can still access their applications.
You can also use Group Policy to enforce different MFA policies. However, you will need to change registry keys and other settings. This is especially true for MFA that requires a password plus a second factor.
Another option is to create a policy that allows access without MFA for all users. This is safer than allowing only certain users to bypass MFA, but you should still take precautions. This type of policy can be configured for passwordless logins as well as for 2FA logins.
Exploiting Duo Auth API keys
There is an old saying that "the cheapest thing you can buy is an expensive item." However, there is a simple way to improve your security posture for a fraction of the cost. It is called Duo MFA (multi-factor authentication) and is available from a wholly owned Cisco subsidiary.
It is a Linux-based software agent that verifies primary logon credentials against Active Directory. Cisco Duo MFA is not alone in the authentication space: many organizations have opted for OpenLDAP, Azure AD, or on-premises Active Directory. To leverage Duo MFA, these on-premises authentication proxy servers need to be configured to allow pass-through authentication.
Many applications have Duo integrations. For example, users can be enrolled in Duo automatically from their Active Directory account and receive an enrollment email. The company also offers tools to import users from identity stores, and it allows you to set restrictions for individual applications as well as for groups.
Creating a GPO for Duo Authentication
Creating a GPO that prevents the abuse of Duo authentication misconfigurations in Windows and Active Directory environments requires several steps. First, the GPO must contain an MSI install package for Duo. The package contains the secret key values that Duo uses to enforce MFA requirements, so it is important that the secret key is kept confidential and not shared with unauthorized individuals.
During an interactive installation, the Duo agent configures the API hostname, which is the hostname of the Duo Auth API service. If the Internet is unavailable or the network connection is unreliable, the agent may not be able to connect to that hostname.
For computers without Internet access, an outbound HTTP proxy can be used. A proxy host and port can be specified, along with a timeout for the Duo Auth API service.
In addition to configuring the proxy host, one GPO is needed to configure the API hostname, and a second GPO is needed to set up the integration key.
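The following PowerShell audit, added here as an example rather than taken from the article or from Duo, reads the Duo for Windows Logon settings that the FailOpen and GPO sections above describe and flags the weak ones. It assumes Duo's documented registry location (HKLM\SOFTWARE\Duo Security\DuoCredProv) and value names (FailOpen, RdpOnly, Host, IKey, ProxyHost, ProxyPort); confirm them against the version you have deployed.

```powershell
# Added example (not the article's or Duo's own code): audit a host's Duo
# credential provider configuration for settings that weaken MFA enforcement.
# Assumption: key path and value names match Duo's documented registry layout.
$DuoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

function Get-DuoLogonAudit {
    param([string]$Path = $DuoKey)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Installed = $false; Findings = @('Duo credential provider registry key not found') }
    }
    $cfg = Get-ItemProperty -Path $Path
    $findings = @()

    # FailOpen = 1 lets logons proceed without MFA whenever the Duo service is unreachable.
    if ($cfg.FailOpen -eq 1) {
        $findings += 'FailOpen=1: logons succeed without MFA when Duo cannot be reached (fail open)'
    } elseif ($null -eq $cfg.FailOpen) {
        $findings += 'FailOpen not set: confirm the installer default matches your fail-closed policy'
    }

    # RdpOnly = 1 exempts local console logons from MFA.
    if ($cfg.RdpOnly -eq 1) { $findings += 'RdpOnly=1: local console logons are not protected by MFA' }

    # Without an API hostname and integration key the agent cannot contact Duo at all,
    # so every logon falls through to whatever the failure mode allows.
    foreach ($name in 'Host', 'IKey') {
        if ([string]::IsNullOrWhiteSpace($cfg.$name)) { $findings += "$name is empty: agent cannot contact the Duo Auth API" }
    }

    # Hosts without direct Internet access need a complete outbound proxy definition.
    if ($cfg.ProxyHost -and -not $cfg.ProxyPort) { $findings += 'ProxyHost set but ProxyPort missing' }

    [pscustomobject]@{
        Installed = $true
        FailOpen  = $cfg.FailOpen
        RdpOnly   = $cfg.RdpOnly
        Host      = $cfg.Host
        Proxy     = if ($cfg.ProxyHost) { "$($cfg.ProxyHost):$($cfg.ProxyPort)" } else { $null }
        Findings  = $findings
    }
}

# Run elevated on one workstation, or fan out with Invoke-Command to audit a whole OU.
Get-DuoLogonAudit | Format-List
```

A non-empty Findings list on any host is the signal to correct the GPO or MSI transform before an outage turns fail-open into an MFA bypass.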