Educause Security Discussion mailing list archives
Re: Protecting workstations with Duo
From: Rich Graves <rgraves () CARLETON EDU>
Date: Fri, 9 Jun 2017 10:51:07 -0500
Emily clarified out-of-band that by "admin accounts" she means admin rights on the local workstation (not domain admin, not "administrative departments" like HR). We manage the local admin problem with LAPS ( https://technet.microsoft.com/en-us/mt227395.aspx). We are looking at requiring Duo for remote desktop connections to our most critical servers. This would not protect RPC or PowerShell remote access but since non-interactive sessions are considered way better for security (see https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users and https://dfir-blog.com/2015/11/24/protecting-windows-networks-dealing-with-credential-theft/comment-page-1/) it's a nice carrot-and-stick approach. Smartcards (which usually means USB tokens nowadays) would cover the client-server cases.
Current thread:
- Protecting workstations with Duo Emily Harris (Jun 07)
- Re: Protecting workstations with Duo Frank Barton (Jun 07)
- Re: Protecting workstations with Duo Greg Williams (Jun 07)
- Re: Protecting workstations with Duo randy (Jun 07)
- Re: Protecting workstations with Duo Rich Graves (Jun 07)
- Re: Protecting workstations with Duo Scantlin, Aaron J. (Jun 07)
- Re: Protecting workstations with Duo Emily Harris (Jun 07)
- Re: Protecting workstations with Duo Rich Graves (Jun 07)
- Re: Protecting workstations with Duo Rich Graves (Jun 09)