Re: Protecting workstations with Duo

[Rich Graves <rgraves () CARLETON EDU>]

Emily clarified out-of-band that by "admin accounts" she means admin rights
on the local workstation (not domain admin, not "administrative
departments" like HR).

We manage the local admin problem with LAPS (
https://technet.microsoft.com/en-us/mt227395.aspx).

We are looking at requiring Duo for remote desktop connections to our most
critical servers. This would not protect RPC or PowerShell remote access
but since non-interactive sessions are considered way better for security
(see
https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users
and
https://dfir-blog.com/2015/11/24/protecting-windows-networks-dealing-with-credential-theft/comment-page-1/)
it's a nice carrot-and-stick approach. Smartcards (which usually means USB
tokens nowadays) would cover the client-server cases.