Deploying DUO RDP through GPO can leave your Secret key exposed

DUO RDP login has a convenient deployment mode where you can use GPOs to push out the Integration key, Secret key (SKEY), and API hostname settings. However, if you follow their documentation (at least as of today, 2021-01-29), all authenticated users on the domain will be able to read the SKEY. This could allow attackers to generate the 2FA codes themselves.

All users would be able to access the key through either of the methods below:

  • Open GPMC

  • Pull the registry.pol file from the SYSVOL share
I informed DUO of this issue and they will be updating their documentation.

Remediation:

If you intend to keep deploying the DUO settings through GPO, then the steps below should keep the SKEY safe(r). Instead of allowing "Authenticated Users" to read the GPO, we will restrict it to Domain Computers. This would still allow an attacker to read the SKEY GPO if they compromise a computer, but I don't think that's an issue since they would be able to pull it from the registry anyway.

Make the following changes on the DUO GPO:
  1. Remove Authenticated Users from the Delegation tab

  2. Click Advanced and add Domain Computers and Domain Controllers (if you deploy DUO to them). Select "Apply Group Policy" on both.

  3. If you did everything correctly, your GPO should look like this:

  4. Run a gpupdate on some computers and confirm that DUO is still working as expected.
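The same audit and remediation, scripted with the GroupPolicy RSAT cmdlets. This is an added example, not code from the original post or from Duo; the GPO name "DUO RDP" and the parameter names are placeholders to adjust for your environment.

```powershell
# Added example (not from the original post or Duo): audit a DUO GPO's delegation
# and optionally apply the remediation described above. Assumes the GroupPolicy
# RSAT module and a GPO named "DUO RDP" (placeholder; adjust $GpoName).
param(
    [string]$GpoName = "DUO RDP",      # assumption: the name of your DUO GPO
    [switch]$Fix,                      # apply the remediation instead of only reporting
    [switch]$IncludeDomainControllers  # only if DUO is deployed to DCs as well
)
Import-Module GroupPolicy -ErrorAction Stop

# 1. Audit: any broad group (Authenticated Users, Everyone, Domain Users) holding
#    Read or Apply can fetch registry.pol from SYSVOL and read the SKEY.
$broad = @("Authenticated Users", "Everyone", "Domain Users")
$perms = Get-GPPermission -Name $GpoName -All
$exposed = $perms | Where-Object {
    ($broad -contains $_.Trustee.Name) -and
    (@("GpoRead", "GpoApply") -contains $_.Permission.ToString()) -and
    (-not $_.Denied)
}
if ($exposed) {
    Write-Warning "GPO '$GpoName' is readable by broad groups; the SKEY in registry.pol is exposed:"
    $exposed | Format-Table Trustee, Permission -AutoSize
} else {
    Write-Host "GPO '$GpoName': no broad read access found."
}
if (-not $Fix) { return }

# 2. Remediate: grant Apply to the computer groups first, then drop Authenticated
#    Users, so the policy never ends up with no trustee that can apply it.
$targets = @("Domain Computers")
if ($IncludeDomainControllers) { $targets += "Domain Controllers" }
foreach ($t in $targets) {
    Set-GPPermission -Name $GpoName -TargetName $t -TargetType Group -PermissionLevel GpoApply | Out-Null
}
# PermissionLevel None removes the trustee's entry, the same as removing it on the
# Delegation tab in GPMC.
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None | Out-Null

# 3. Show the resulting delegation; it should list only the computer groups plus the
#    usual admin and SYSTEM entries. Follow up with gpupdate on a few machines.
Get-GPPermission -Name $GpoName -All | Format-Table Trustee, Permission, Denied -AutoSize
```

Run it without -Fix first to see which groups currently expose the SKEY, then with -Fix (and -IncludeDomainControllers where DUO is installed on DCs) to apply steps 1 and 2.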

Other notes:

Make sure to follow the section "Securing the Group Policy Registry Key" in Duo's documentation to protect the policy key while it's in the registry.

Make sure to apply similar ACLs to the network share holding the DUO MSI/MST files if you use it to push out the application automatically.
