
Deploying DUO RDP through GPO can leave your Secret key exposed

DUO RDP login has a convenient deployment mode where you can use GPOs to push out the Integration key, Secret key (SKEY), and API hostname settings. However, if you follow their documentation (at least as of today, 2021-01-29), all authenticated users on the domain will be able to read the SKEY. This could allow attackers to generate the 2FA codes themselves.

All users would be able to access the key through either of the steps below:

- Open GPMC and view the GPO's settings report.
- Pull the registry.pol file from the SYSVOL share (readable by any domain account).

I informed DUO of this issue and they will be updating their documentation.

Remediation: If you intend to keep deploying the DUO settings through GPO, then the steps below should keep the SKEY safe(r). Instead of allowing "Authenticated Users" to read the GPO, we will restrict it to Domain Computers. Because the Duo values are computer-side settings, the computer account is the only principal that actually needs to read this GPO, so this does not run into the post-MS16-072 requirement that computers be able to read the GPOs they apply. This would still allow an attacker to read the SKEY GPO if they compromise a computer, but I don't think that is a problem since they would be able to pull it from that computer's registry anyway.

Make
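To see concretely what "any authenticated user can read the SKEY" means, here is an added Python example (not code from the original post or from Duo) that parses a GPO registry.pol file in the documented PReg format and pulls out the Duo values. It assumes the registry path and value names Duo's credential provider reads (SOFTWARE\Duo Security\DuoCredProv with IKey, SKey and Host); check those against your Duo documentation. The sample registry.pol is constructed in the script with dummy values so it runs offline, and it can be pointed at a real file copied from SYSVOL by any domain user to audit your own GPOs before and after restricting read access.

```python
import struct
import sys

# registry.pol ("PReg") layout, per the Group Policy registry-policy file format:
#   magic "PReg" | version DWORD(1) | entries...
#   entry = "[" key "\0" ";" value "\0" ";" type(DWORD) ";" size(DWORD) ";" data "]"
#   Brackets, separators and strings are all UTF-16LE.
PREG_MAGIC = b"PReg"
PREG_VERSION = 1
REG_SZ = 1
REG_DWORD = 4

# Registry location and value names assumed for the Duo RDP credential provider
# (assumption for this example; verify against the Duo GPO documentation).
DUO_KEY = r"SOFTWARE\Duo Security\DuoCredProv"
DUO_SECRET_VALUES = {"SKey"}


def _u16(text: str) -> bytes:
    return text.encode("utf-16-le")


def build_registry_pol(entries) -> bytes:
    """Serialise (key, value_name, reg_type, raw_data) tuples into a PReg blob."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, name, reg_type, data in entries:
        out += _u16("[")
        out += _u16(key) + b"\x00\x00" + _u16(";")
        out += _u16(name) + b"\x00\x00" + _u16(";")
        out += struct.pack("<I", reg_type) + _u16(";")
        out += struct.pack("<I", len(data)) + _u16(";")
        out += data + _u16("]")
    return bytes(out)


def decode_value(reg_type: int, data: bytes):
    """Turn raw registry data into a Python value (strings and DWORDs; others raw)."""
    if reg_type == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    if reg_type == REG_DWORD:
        return struct.unpack("<I", data)[0]
    return data


def parse_registry_pol(blob: bytes):
    """Parse a PReg blob into (key, value_name, reg_type, decoded_value) tuples."""
    if blob[:4] != PREG_MAGIC:
        raise ValueError("not a registry.pol (PReg) file")
    (version,) = struct.unpack_from("<I", blob, 4)
    if version != PREG_VERSION:
        raise ValueError(f"unsupported PReg version {version}")

    def expect(pos: int, char: str) -> int:
        if blob[pos:pos + 2] != _u16(char):
            raise ValueError(f"expected {char!r} at offset {pos}")
        return pos + 2

    def read_cstr(pos: int):
        end = pos
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(blob):
            raise ValueError(f"unterminated string at offset {pos}")
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries = []
    pos = 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_cstr(pos)
        pos = expect(pos, ";")
        name, pos = read_cstr(pos)
        pos = expect(pos, ";")
        (reg_type,) = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        (size,) = struct.unpack_from("<I", blob, pos)
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        entries.append((key, name, reg_type, decode_value(reg_type, data)))
    return entries


def find_duo_secrets(entries):
    """Return the Duo secret values an unprivileged reader of registry.pol obtains."""
    return [
        {"key": key, "name": name, "value": value}
        for key, name, _reg_type, value in entries
        if key.lower() == DUO_KEY.lower() and name in DUO_SECRET_VALUES
    ]


# Constructed sample policy with dummy values (not real Duo credentials).
SAMPLE_ENTRIES = [
    (DUO_KEY, "IKey", REG_SZ, _u16("DIEXAMPLEINTEGRATION") + b"\x00\x00"),
    (DUO_KEY, "SKey", REG_SZ, _u16("exampleexampleexampleexampleexample12345") + b"\x00\x00"),
    (DUO_KEY, "Host", REG_SZ, _u16("api-example.duosecurity.com") + b"\x00\x00"),
    (DUO_KEY, "FailOpen", REG_DWORD, struct.pack("<I", 0)),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    # Usage: python duo_pol_check.py [path\to\registry.pol]; defaults to the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POL
    for hit in find_duo_secrets(parse_registry_pol(blob)):
        print(f"{hit['key']}\\{hit['name']} = {hit['value']}")
```

On a real domain the file to feed in is \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\registry.pol, which is exactly what an ordinary user can copy while the GPO is readable by Authenticated Users. After you change the GPO's security filtering to Domain Computers, re-running the check from a normal user account should fail with access denied on the file itself; if it still succeeds, the SYSVOL ACL has not actually been narrowed.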