Re: Protecting workstations with Duo

[Emily Harris <emharris () VASSAR EDU>]

Good conversation - thanks for the feedback.  Since I wrote the note we
went ahead and added the application and are testing.  The tip on laptops
makes sense.  Our current goal is only to protect admin accounts.

I noticed Duo has a beta MacOS application and we just asked for access.
Does anyone here use that yet?


----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221

On Wed, Jun 7, 2017 at 2:48 PM, Scantlin, Aaron J. <ScantlinA () missouri edu>
wrote:

> I disagree; I am much more apt to leaving my phone somewhere than I am my
> keys (where my YubiKey lives).  That said, I imagine there are plenty of
> people where the opposite is true, so as Rich said, choose a solution that
> provides an acceptable balance of security and usability WRT your
> organization’s workflow.
>
>
>
> FWIW, I really like using the YubiKey as a second factor for Windows
> login… if the key is not inserted, the user attempting to login will get an
> authentication error, but it doesn’t tell you that it’s because you’re
> missing the YubiKey.  Another handy trick a fellow MU employee shared with
> me is creating a “password prefix” that only you know and configuring the
> second mode (3 second press) on the YubiKey to be a long, random string;
> you can then set your password as the concatenation of your password prefix
> and YubiKey mode two output… I refer to it as 1.5 FA. ;)
>
>
>
> *Aaron J. Scantlin*
>
> *Security Analyst, Division of IT*
>
> GSEC, GCFA
>
> University of Missouri, Columbia
>
> (W) +1-573-884-7555
>
> (C)   +1-573-424-0539
>
> scantlina () missouri edu
>
>
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Rich Graves
> *Sent:* Wednesday, June 7, 2017 1:31 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Protecting workstations with Duo
>
>
>
> The nice thing about many of the typical Duo factors is that they are
> slightly less likely to be stolen or left unattended than a Yubikey or
> smartcard. Of course, if you allow voice call to your desktop phone as a
> backup factor, which is something that we actually recommend to most people
> for pretty good reasons, that's not going to protect your desktop computer.
> Regardless, make sure the security/usability ratio is meaningfully positive.
>
>
>
> On Wed, Jun 7, 2017 at 1:24 PM, randy <marchany () vt edu> wrote:
>
> I use Yubikey as my standalone 2nd factor (no duo). I have it tied to my
> local accounts on my laptops (standalone). THe yubico setup is pretty
> straightforward to set up.
>
> -r.
>
>
>
> On Wed, Jun 7, 2017 at 1:23 PM, Emily Harris <emharris () vassar edu> wrote:
>
> I'm curious if anyone has deployed (or is thinking of deploying) MFA on
> their workstation logins via Duo.  It looks like it can be done, but it
> isn't very straight-forward.  It requires a local workstation client, and
> to manage the users via Group policy.
>
>
>
> Our goal is to require MFA for admin accounts only (for now).  I'm
> wondering if anyone has already deployed this.  Thanks!
>
>
>
> ----
>
> Emily Harris, CISSP
>
> Information Security Officer, CIS
>
> Vassar College
>
> 845-437-7221 <(845)%20437-7221>