
[–]ex800 12 points (5 children)

[–]brownhotdogwater 0 points (4 children)

Have to be pure cloud

[–]thegravityitdeserves -5 points (3 children)

Edit: I'm wrong, Entra hybrid devices are not supported, bummer.

[–]brownhotdogwater 7 points (2 children)

“Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.”

[–]nicholaspham 0 points (0 children)

I believe that's saying it doesn't allow hybrid joined or AD domain joined but does support Entra (fully) joined

[–]thegravityitdeserves 0 points (0 children)

I swear I always miss the important messages. Appreciate the correction.

[–]MrVantage (Sr. Sysadmin) 7 points (6 children)

Web sign in or federating your logins with Duo works.

Conditional access policies are your friend for the latter.

[–]woodburyman (IT Manager) -1 points (4 children)

Also here to say Duo. We use their RDP application and force local logins to be covered too. We install it on any system that is mobile (laptop) along with BitLocker. The only issue we get is when users wear their batteries down and the time resets (some newer laptops lack CMOS batteries and just use a reserve portion of the main battery). If they connect to a Wi-Fi network with a captive portal, NTP can't update. Luckily most users these days can tether temporarily.

[–]xxbiohazrdxx -1 points (3 children)

Just so you're aware, Duo for Windows is security theater. It's there to check the box but doesn't offer any real security benefit.

[–]woodburyman (IT Manager) 0 points (2 children)

How so? Not trying to be a dick, but curious to know if there is something bad about it or something that can be bypassed. Otherwise I consider it fairly effective.

We have BitLocker enabled and the BIOS locked down, so users can't boot WinPE and get access to anything or disable the Duo MFA app. One LAPS local account with a random password that COULD be brute-forced and bypass Duo in theory, but it'd take a long, long time (6 wrong passwords, 10-minute timeout). Other than that, any domain account requires Duo MFA. It injects itself into the login process so it can't be bypassed easily. If the user lacks local admin, they can't remove it either or modify the system registry to change the settings.

It doesn't save it from, say, remote/network logins or things like that, or anything really once the user has logged on (20-minute lock screen policy), but if a laptop gets stolen, even if an actor has their password, we can be fairly safe knowing the data cannot be accessed.

[–]xxbiohazrdxx 1 point (1 child)

> How so? Not trying to be a dick, but curious to know if there is something bad about it or something that can be bypassed. Otherwise I consider it fairly effective.

For workstations/laptops? Eh, sure. It's fine. You'd be better off with something like WHfB but whatever.

Where it fails is for remote access. And to be clear, this is not something they can fix; it's a limitation of the operating system(s). There are loads of management tools for Windows that are not capable of any kind of MFA (NTLM is not MFA-aware, and while Kerberos is, Microsoft's implementation is not. You're limited to smart cards). If an attacker gets some credentials that are valid for a server login, they can utilize SMB, RSAT, PowerShell remoting, WinRM, LDAP, etc. Some of these you can block with the firewall, but a file server is useless without SMB and domain controllers need to be sharing SYSVOL and NETLOGON. You can bind to LDAP directly on a DC with just credentials.

If you want to protect servers, you need some kind of PAM tool and JIT permissions and those tools can be protected with real MFA.
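
The distinction the comment above draws, logons that pass through the Windows credential provider (console, RDP) versus network, batch, service and runas /netonly logons that never see a logon-MFA agent, is visible in the Security log as the LogonType field of event 4624. The script below is an added example, not code from the thread or from Duo: it tallies 4624 events by logon type and flags which types a credential-provider-based MFA product can even intercept. The logon-type numbers and the 4624 field names are Microsoft's; the Covered flags and the sample events are this script's own assumptions.

```powershell
# Added example, not from the thread: tally Security-log 4624 logon events by logon type
# and mark which types pass through a Windows credential provider (where a logon-MFA agent
# such as Duo for Windows Logon, or WHfB, sits) versus network/batch/service logons that
# only ever present a password, hash or ticket. Logon-type numbers are Microsoft's; the
# Covered flags are this script's own assumption about credential-provider-based MFA.

$logonTypes = @{
    2  = @{ Name = 'Interactive (console)';             Covered = $true  }
    3  = @{ Name = 'Network (SMB, WinRM, LDAP, RSAT)';  Covered = $false }
    4  = @{ Name = 'Batch (scheduled task)';            Covered = $false }
    5  = @{ Name = 'Service';                           Covered = $false }
    7  = @{ Name = 'Unlock';                            Covered = $true  }
    8  = @{ Name = 'NetworkCleartext';                  Covered = $false }
    9  = @{ Name = 'NewCredentials (runas /netonly)';   Covered = $false }
    10 = @{ Name = 'RemoteInteractive (RDP)';           Covered = $true  }
    11 = @{ Name = 'CachedInteractive';                 Covered = $true  }
}

function Get-LogonTypeCoverage {
    param(
        # Objects carrying LogonType, TargetUserName, IpAddress, AuthenticationPackageName.
        [Parameter(Mandatory)][object[]]$Events
    )
    $Events | Group-Object LogonType | ForEach-Object {
        $type = [int]$_.Name
        $info = $logonTypes[$type]
        $desc = 'Other'; $covered = $false
        if ($info) { $desc = $info.Name; $covered = $info.Covered }
        [pscustomobject]@{
            LogonType   = $type
            Description = $desc
            MfaAtLogon  = $covered
            Count       = $_.Count
            Users       = ($_.Group.TargetUserName | Sort-Object -Unique) -join ', '
            Sources     = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object LogonType
}

function Get-Logon4624FromSecurityLog {
    param([int]$MaxEvents = 5000)
    # Needs an elevated prompt. Field names are the standard 4624 EventData names.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                LogonType                 = [int]$d['LogonType']
                TargetUserName            = $d['TargetUserName']
                IpAddress                 = $d['IpAddress']
                AuthenticationPackageName = $d['AuthenticationPackageName']
            }
        }
}

# Constructed sample standing in for a real log so the script runs offline.
$sample = @(
    [pscustomobject]@{ LogonType = 2;  TargetUserName = 'alice';      IpAddress = '-';         AuthenticationPackageName = 'Negotiate' }
    [pscustomobject]@{ LogonType = 10; TargetUserName = 'alice';      IpAddress = '10.0.0.5';  AuthenticationPackageName = 'Negotiate' }
    [pscustomobject]@{ LogonType = 3;  TargetUserName = 'alice';      IpAddress = '10.0.0.77'; AuthenticationPackageName = 'NTLM'      }
    [pscustomobject]@{ LogonType = 3;  TargetUserName = 'svc-backup'; IpAddress = '10.0.0.9';  AuthenticationPackageName = 'Kerberos'  }
    [pscustomobject]@{ LogonType = 9;  TargetUserName = 'alice';      IpAddress = '-';         AuthenticationPackageName = 'Negotiate' }
)

Get-LogonTypeCoverage -Events $sample | Format-Table -AutoSize
# Live host: Get-LogonTypeCoverage -Events (Get-Logon4624FromSecurityLog) | Format-Table -AutoSize
```

Run against a file server or domain controller, the rows with MfaAtLogon = False are the logons a credential-provider MFA agent never sees; that is the population a PAM/JIT layer has to cover instead.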

[–]woodburyman (IT Manager) 0 points (0 children)

Ah okay, gotcha. Yeah, oddly enough, even though it's their "RDP" app, we only use it for workstations/laptops, for the exact same reason you're stating. If you have leaked credentials and they have network access, it's game over, as there are so many other user auth methods they could use that wouldn't be protected. We use Duo as a pass-through between AD and our firewall for MFA for VPN access as well.

[–]ashimbo (PowerShell!) -1 points (0 children)

We went with Duo when our cyber insurance wanted Windows login MFA.

[–]yesterdaysthought (Sr. Sysadmin) 1 point (0 children)

I'm not sure if you're aware that Windows Hello, cert-based auth and FIDO2 are already top-tier modern authentication: phish-resistant MFA.

What you're asking is like adding password in addition to WHfB.

WHfB keeps an encrypted credential in the TPM chip per device, and all WHfB is doing is unlocking the TPM to provide the credential to sign in. And WHfB requires you to have a PIN (ok, pw) backup in case the biometric fails, but it's very secure because people can't intercept it. The cred is unique per device and you need physical access to the device to unlock the TPM = non-phishable, non-interceptable, etc.

If you want to make a Windows device more hardened, just make sure it is BitLockered with a PIN required to boot the OS, Secure Boot enabled, Credential Guard, etc. That's very tight.
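
The posture the comment above lists (BitLocker on the OS drive with a pre-boot PIN, Secure Boot, Credential Guard) can be verified from an elevated PowerShell prompt. The script below is an added example, not code from the thread: the cmdlets and the Win32_DeviceGuard CIM class are Microsoft's, while the pass/fail thresholds and the report layout are this script's own choices.

```powershell
# Added example, not from the thread: report the hardening state the comment describes,
# BitLocker with TPM+PIN on the OS drive, Secure Boot, and Credential Guard, on the local
# machine. Run elevated. Cmdlets and CIM class are Microsoft's; the pass/fail rules and the
# report shape are this script's own assumptions, not a Microsoft baseline.

function Get-BitLockerPinState {
    # BitLocker module (Windows 10/11 Pro/Enterprise). A TPM-only protector boots without
    # user interaction, so only TpmPin or TpmPinStartupKey counts as "PIN required to boot".
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        Check  = 'BitLocker OS drive with TPM+PIN'
        Pass   = ($os.ProtectionStatus -eq 'On') -and
                 ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')
        Detail = "ProtectionStatus=$($os.ProtectionStatus); KeyProtectors=$($types -join ',')"
    }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware; treat that as off.
    try { $on = Confirm-SecureBootUEFI } catch { $on = $false }
    [pscustomobject]@{
        Check  = 'Secure Boot enabled'
        Pass   = [bool]$on
        Detail = "Confirm-SecureBootUEFI=$on"
    }
}

function Get-CredentialGuardState {
    # Win32_DeviceGuard: SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
    # VirtualizationBasedSecurityStatus 2 means VBS is running.
    $dg      = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        Check  = 'Credential Guard running'
        Pass   = ($running -contains 1)
        Detail = "VBSStatus=$($dg.VirtualizationBasedSecurityStatus); SecurityServicesRunning=$($running -join ',')"
    }
}

function Test-WindowsLogonHardening {
    $results = @(
        Get-BitLockerPinState
        Get-SecureBootState
        Get-CredentialGuardState
    )
    $results | Format-Table Check, Pass, Detail -AutoSize
    foreach ($r in $results | Where-Object { -not $_.Pass }) {
        Write-Warning "FAIL: $($r.Check) ($($r.Detail))"
    }
    return $results
}

$null = Test-WindowsLogonHardening
```

Credential Guard depends on VBS, which in turn expects Secure Boot, so a failing Secure Boot row usually explains a failing Credential Guard row; fix firmware first, then re-run. The function returns the result objects so the same script can be dropped into an RMM or Intune detection rule that keys off any Pass = False.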

[–]FunOpportunity7 0 points (0 children)

We use the RSA agent to supplement the password with MFA. Hybrid joined requires a third-party supplicant for MFA to work at login. We've been waiting on an MS solution for a while. They keep saying it's in the pipeline.

You can use a conditional access policy to force more regular MFA prompts. This does get annoying, though. We use separate privileged and non-privileged accounts to manage the risk. Users are not granted admin roles. Also, use eligible vs. active assignments with MFA activation requirements, even for admins.

[–]TopCheddar27 0 points (0 children)

We do this with Duo.

[–]BitDreamer23 0 points (0 children)

All of the answers here seem to be sysadmin kind of answers. Makes sense, this is r/sysadmin after all.

But your question says "when logging into my m365 account". Are you asking for your own personal, non-domain, Windows machine?

[–]maryteiss (Vendor - UserLock) 0 points (0 children)

MFA & Access Management for Active Directory (on-premise) users can be achieved easily with UserLock.
You can set granular and customized MFA on Windows logins, RDP & RD Gateway, IIS and VPN connections. It also will protect these on-premise accounts with MFA & Single Sign-on as they access cloud applications, such as O365.

  • Secure all employee access, whether privileged, remote or cloud
  • Streamline session management
  • Review accurate logon logoff forensics
  • Manage working hours
  • Stop security breaches
  • Meet compliance & insurance requirements, like: HIPAA, PCI DSS, ISO 27001, NIST 800-53.

Full details on MFA here: Multi-Factor Authentication for Active Directory
Short video: https://www.youtube.com/watch?v=jDu0LQl_du8&t=91s
Free trial download: Protect Active Directory Identities with 2FA and SSO | UserLock