Securing Active Directory with Duo MFA

Active Directory (AD) has played a critical role in the development of modern computer networks since being introduced by Microsoft in 1999. As the central repository for information about all user accounts and other network resources in Windows environments, it supports a host of essential tasks and services.

Active Directory

Virtually all companies with Windows infrastructure depend on AD. Globally, more than 90 percent of businesses run AD — including 95 percent of the Fortune 1000. They use it to authenticate and authorize users and devices accessing network resources, enforce security policies, assign permissions for shared drives, store encryption keys, update software, and enable centralized network management.

As an older technology with near-universal usage, Active Directory has naturally become a prime target for hackers: nearly 100 million AD accounts are attacked every day, according to one study. Once they breach an AD server, attackers can exfiltrate user credentials and other sensitive information.

The Challenge of MFA Integration

Most experts recommend creating an extra layer of security by implementing multifactor authentication (MFA) for Active Directory environments. However, integrating MFA with Active Directory isn’t as easy as you might imagine. Because it was originally designed to support Windows environments, AD is limited in its ability to work with non-Microsoft applications and devices. Typically, implementing MFA with AD requires installing additional software or a proxy service that conducts the secondary authentication after the initial AD logon.

Most leading MFA solutions cannot directly protect an on-premises AD environment but can provide an extra layer of protection with some additional configuration. For example, there are two different ways to add MFA to AD with Cisco’s Secure Access by Duo. In the first, you can install Duo Authentication for Windows Logon, which prompts users to enter a second authentication factor after they’ve completed their standard Windows login. Or you can install the Duo Authentication Proxy software, which performs both primary and secondary authentication.

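As an added illustration of the second approach (this is an example written for this post, not configuration from the original article or from Duo's own documentation), the following authproxy.cfg fragment shows how the Authentication Proxy checks the password against AD for the primary factor and then calls Duo for the second factor. Hostnames, the service account, the CA bundle path, the RADIUS client address and all key and secret values are placeholders.

```ini
; Primary authentication: the proxy verifies the user's password against AD.
[ad_client]
; Placeholder domain controllers; a second host gives failover.
host=dc1.example.com
host_2=dc2.example.com
; Placeholder read-only service account used only for the LDAP bind.
service_account_username=duo-proxy-svc
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=com
; Bind over LDAPS so the primary credential never crosses the network in the clear,
; and verify the controller's certificate against a trusted CA bundle (placeholder path).
transport=ldaps
ssl_verify_hostname=true
ssl_ca_certs_file=/etc/duoauthproxy/ca-bundle.pem

; Secondary authentication: the proxy exposes a RADIUS server to an application
; (a VPN concentrator, for example) and asks Duo for the second factor only after
; the [ad_client] section above has accepted the password.
[radius_server_auto]
; Placeholder integration key, secret key and API hostname from the Duo admin panel.
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
; Placeholder address of the RADIUS client and the shared secret it presents.
radius_ip_1=10.0.0.5
radius_secret_1=PLACEHOLDER_RADIUS_SECRET
client=ad_client
port=1812
; failmode=safe lets a user in on the AD password alone if Duo is unreachable;
; secure refuses the login instead, which is the safer default for sensitive access.
failmode=secure
```

With failmode=safe the proxy degrades to single-factor authentication during a Duo outage, so the choice should be made per application rather than left at a global default.
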
The Duo Advantage

The Duo Authentication Proxy also simplifies the process of importing users, groups and administrators into Duo with directory synchronization. Duo regularly updates information to reflect the latest user status and associated device information. User synchronization runs twice a day, but administrator syncing occurs every 30 minutes.

Other important Duo features that contribute to a more secure AD environment include:

  • Device verification. Duo’s Device Insight collects information about users’ devices as they authenticate. It automatically flags any devices that are out of date, jailbroken or otherwise out of compliance with security policies. It also tracks versions of operating systems, browsers and plugins.

  • Network visibility. With more people working remotely, network administrators often lack visibility into the user-owned devices accessing network resources. Duo provides detailed information about every Duo-enabled device on your network, whether corporate- or user-owned.

  • Policy enforcement. Duo allows you to set up and manage detailed access policies in minutes via a simple, intuitive administrator dashboard. You can customize policies for different users, devices, locations and many other contextual factors.

  • Frictionless access. Duo’s single sign-on feature creates an easy and consistent login experience. Users can log in to a single, MFA-protected dashboard to gain access to all of their applications, whether they are on-premises or in the cloud.

Although Duo facilitates integrating MFA with AD, the process does require a fair amount of effort to configure synchronization, provision user accounts and test the solution. Through our fully managed Duo service, GDS can relieve you of that load. We offer comprehensive implementation services as well as ongoing administration and support. Contact us to learn more about securing your Active Directory environment.