How are you handling MFA these days with cybersecurity insurance requirements?

I am a little late to the MFA game. I recently rolled out Duo to all my servers and IT staff computers (3 of us! ha).

I was able to get AD + Duo working for OpenVPN on my pfSense firewall. I’m debating on rolling this out to our 15 remote users. Right now my VPN is MFA in my opinion, since it requires your OpenVPN user/pass + user cert + Windows user/pass. We only allow RDP ports over the OpenVPN interface. I think I’d rather put Duo on their local machine to increase MFA for local and RDP logins. What would you do? Both?

What are you doing for your infrastructure hardware? Right now I’m only allowing logins in my vCenter, Nimble SAN, pfSense firewall, and HP ProCurve switches from our IT VLAN via management/access rules. The 4 computers on this VLAN have Duo installed, which is required for local/RDP logins. In my opinion, this is sufficient for MFA. Do you agree?

I have onprem Exchange 2016 currently but we don’t allow access to the /OWA and /RPC folders outside our 4 walls. ActiveSync requires IT approval. I feel like this is fine, since Duo can’t protect onprem RPC/OutlookAnywhere anyways.

Anything else I’m missing? Love to hear how other SMBs are using MFA in their environments.

All sound reasonable. Please note that the default (but can be changed) settings for Duo are “Fail Open” if their server cannot be reached.
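
The fail-open point above is worth checking on every machine you put Duo on, because the installer default means an outage at Duo (or a broken outbound path from the IT VLAN) silently turns the second factor off. The script below is an added example, not code from the thread or from Duo: it queries the documented Duo Authentication for Windows Logon registry value (`HKLM\SOFTWARE\Duo Security\DuoCredProv\FailOpen`, 1 = fail open, 0 = fail closed) on a list of hosts over WinRM and, with `-Remediate`, flips any fail-open host to fail closed. The host names are constructed placeholders, and it assumes WinRM is enabled and you hold local admin on those machines.

```powershell
# Added example (not from the thread or from Duo): audit the Duo for Windows
# Logon fail mode across hosts and optionally switch them to fail closed.
# Assumptions: Duo for Windows Logon is installed, WinRM is reachable, and the
# caller is a local admin on each host.
# Registry value: HKLM\SOFTWARE\Duo Security\DuoCredProv\FailOpen
#   1 = fail open (installer default)   0 = fail closed
param(
    # Constructed host list; replace with your IT-VLAN workstations and servers.
    [string[]]$ComputerName = @('IT-PC01', 'IT-PC02', 'IT-PC03', 'IT-PC04'),
    # Pass -Remediate to set FailOpen=0 on any host currently failing open.
    [switch]$Remediate
)

$duoKey = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'

$results = Invoke-Command -ComputerName $ComputerName `
    -ArgumentList $duoKey, $Remediate.IsPresent -ScriptBlock {
    param($key, $fix)

    if (-not (Test-Path $key)) {
        # No Duo credential provider key at all: report it rather than guess.
        return [pscustomobject]@{
            Host = $env:COMPUTERNAME; DuoInstalled = $false; FailOpen = $null; Changed = $false
        }
    }

    # Read the current value; an absent value is treated here as the documented
    # default (fail open), which is an assumption of this script.
    $current = (Get-ItemProperty -Path $key -Name FailOpen -ErrorAction SilentlyContinue).FailOpen
    if ($null -eq $current) { $current = 1 }

    $changed = $false
    if ($fix -and $current -ne 0) {
        Set-ItemProperty -Path $key -Name FailOpen -Value 0 -Type DWord
        $changed = $true
    }

    [pscustomobject]@{
        Host = $env:COMPUTERNAME; DuoInstalled = $true; FailOpen = [bool]$current; Changed = $changed
    }
}

# One row per host; FailOpen = True is the finding to act on.
$results | Sort-Object Host | Format-Table Host, DuoInstalled, FailOpen, Changed -AutoSize
```

Run it read-only first and look for `FailOpen = True`; only add `-Remediate` once you have decided how a Duo outage should behave, because fail closed means nobody logs on locally or over RDP until Duo is reachable again, so keep a break-glass local account covered by your password vault. The same decision exists on the RADIUS side for the pfSense OpenVPN setup: the Duo Authentication Proxy has its own `failmode` setting in `authproxy.cfg` (`safe`, the default, allows primary-auth-only logins when Duo is unreachable; `secure` rejects them), and it is configured independently of the Windows logon value above.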
