The setup is a Windows AD client computer that requires 2FA for login. This is enforced by requiring smart card login on the computer.
The issue is remote support being able to pass a smart card for UAC authentication or even for unattended login.
Does anyone have a method of enforcing 2FA by the user while still being able to support the system remotely?
As far as I know now, ConnectWise and SolarWinds don't have an option to pass a USB smart card. SolarWinds does have an RDP option, but that's not exactly a full fix.
Does it have to be a smart card?
If it's for compliance reasons, I think any 2FA is allowed. So the native 2FA on ConnectWise, etc. would work.
I think you could also install Duo or whatever on your Windows box, and then when you sign in over your remote tool you'll hit the Windows login and have to authenticate with Duo.
If it’s got to be a smart card, then you might be stuck with VPN + Windows RDP.
Right now it's smart card for cost reasons.
I've been able to use Yubico for Windows to lock down the machines and still allow me to remotely authenticate UAC using an admin account with a 32-character password.
Yubico for Windows takes over the login but still allows a smart card user to log in.
I've modified our setup to better provide a method of allowing remote 2FA support. I found that the Duo free account covers our administrators, and the Windows RDP application locks down the machines while still allowing smart card login by the user.
We can now enforce 2FA with smart cards and authenticate unattended logins by remote support using Duo Push.
To make login take one less step for users, I found the GPO setting to set a preferred login credential to smart card, so they no longer have to select "Other user" when logging in.
So far this is the best setup I've been able to find to have 2FA while still allowing remote support. If money were no issue, this wouldn't be a problem to solve, but there always seems to be a lack of funding for IT...