
I'm evaluating an MFA solution such as Duo or Okta (anyone have an opinion on that?). Adding MFA to web logins is straightforward, but I want to add another layer of security to our Active Directory administration. Do any solutions work with PowerShell connections? (e.g. msol-connect Azure AD, or local stuff) With Duo, for example, I can put MFA on a secure jumpbox and that would add MFA for actions performed on that system. I assume I need to add restrictions where only AD admin actions can be taken on our MFA-enabled jumpboxes (which we currently don't enforce).

Advice for MFA + standard server access in general? Should we layer MFA at the workstation login? I don't want to put an agent on every server or IT workstation in the domain if I can help it. Wondering what others do to tackle these issues. Seems MFA wouldn't stop most hackers, as they can just go around the MFA-secured RDP; we would need to rely on other controls.

Thank you for any thoughts

FredS

1 Answer


Azure MFA is now working with PowerShell connections like connect-msolservice for AAD (https://blogs.technet.microsoft.com/ad/2015/10/20/azure-ad-powershell-public-preview-of-support-for-azure-mfa-new-device-management-commands).

For standard server access using MFA, you can use an RD Gateway as the jumpbox and activate MFA at the RD Gateway level. Then you limit servers' RDP access to the jumpbox, which will force use of the RD Gateway (with MFA).

The following documents, step by step, how to set up an RD Gateway with Azure MFA: http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/

This is with Azure MFA but it should be almost the same with other MFA solutions.
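One way to enforce the "limit servers' RDP access to the jumpbox" step from the answer above, as an added example and not the answer's own code: a PowerShell script run elevated on each member server (or pushed as a GPO startup script) that disables the built-in any-address Remote Desktop rules and leaves a single inbound rule scoped to the RD Gateway. The gateway address 10.0.10.5, the rule name, and the English display group name 'Remote Desktop' are assumptions.

```powershell
# Added example: restrict RDP (TCP 3389) on a member server to the MFA-protected
# RD Gateway / jumpbox, so the only path to RDP runs through the gateway's MFA prompt.
# Assumptions (not from the original answer): the gateway's internal IP is 10.0.10.5,
# the firewall's "Remote Desktop" group uses the English display name, and the script
# runs elevated on Windows Server 2012 R2 or later (NetSecurity module present).
#Requires -RunAsAdministrator
Import-Module NetSecurity

$JumpboxAddress = '10.0.10.5'                 # placeholder: RD Gateway / jumpbox IP
$RuleName       = 'RDP from MFA jumpbox only'

# 1. Disable the built-in "Remote Desktop" rules, which allow 3389 from any address
#    (TCP and UDP). Disabling the whole group avoids leaving the UDP path open.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Create (or re-scope, if it already exists) one inbound allow rule for the jumpbox.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $JumpboxAddress -Enabled True
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $JumpboxAddress -Action Allow `
        -Profile Domain -Enabled True | Out-Null
}

# 3. Verify: list every enabled inbound allow rule touching 3389 with its remote scope,
#    and warn if any of them is still reachable from 'Any' address.
$open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    }
$open | Format-Table -AutoSize

$unscoped = $open | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($unscoped) {
    Write-Warning "RDP still reachable from any address via: $($unscoped.Rule -join ', ')"
}
```

This is a host-based control, so an admin on the server can undo it; pairing it with the RD Gateway's resource authorization policy and the GPO setting that prevents local firewall rule merging keeps the jumpbox as the only sanctioned path.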

  • Looks like MFA is still in preview for PowerShell, and only works in certain situations. I'll check out the RD Gateway to see if it works for us. – FredS Apr 29 '16 at 19:39