Deploying DUO RDP through GPO can leave your Secret key exposed
DUO RDP login has a convenient deployment mode where you can use GPOs to push out the Integration key, Secret key (SKEY), and API hostname settings. However, if you follow their documentation (at least as of today, 2021-01-29), all authenticated users on the domain will be able to read the SKEY. This could allow attackers to generate the 2FA codes themselves.
All users would be able to access the key through either of the steps below:
- Open GPMC
- Pull the registry.pol file from the SYSVOL share

The fix is to restrict who can read the GPO:
- Remove Authenticated Users from the Delegation tab
- Run a gpupdate on some computers and confirm that it's working as expected
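As an added example (not code from the post or from Duo), the Python script below parses the registry.pol format that Group Policy writes to SYSVOL and flags a Duo secret key pushed through it in cleartext, which is a quick way to audit your own SYSVOL for this issue. It assumes the Duo registry path contains "Duo Security" and the secret value is named "SKey", and it builds a constructed sample file in place of a real one.

```python
import struct
REG_SZ = 1  # registry value type for a UTF-16 string
u = lambda s: s.encode("utf-16-le")  # registry.pol text and delimiters are UTF-16LE

def build_pol(entries):
    # "PReg" + version 1, then one [key;value;type;size;data] record per entry.
    recs = []
    for key, name, data in entries:
        payload = u(data + "\0")
        recs.append(u("[" + key + "\0;" + name + "\0;") + struct.pack("<I", REG_SZ)
                    + u(";") + struct.pack("<I", len(payload)) + u(";") + payload + u("]"))
    return b"PReg" + struct.pack("<I", 1) + b"".join(recs)

def parse_pol(blob):
    # Return (key, value_name, type, data) records from a registry.pol blob.
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 registry.pol file")
    pos = 8
    def read_wstr():  # null-terminated UTF-16LE string, scanned on 2-byte boundaries
        nonlocal pos
        end = pos
        while blob[end:end + 2] not in (b"\0\0", b""):
            end += 2
        s, pos = blob[pos:end].decode("utf-16-le"), end + 2
        return s
    def expect(ch):  # consume one delimiter character or fail loudly
        nonlocal pos
        if blob[pos:pos + 2] != u(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 2
    records = []
    while pos < len(blob):
        expect("[")
        key = read_wstr(); expect(";")
        name = read_wstr(); expect(";")
        vtype = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        size = struct.unpack_from("<I", blob, pos)[0]; pos += 4; expect(";")
        data = blob[pos:pos + size]; pos += size; expect("]")
        if vtype == REG_SZ:  # decode strings so the exposed value is readable
            data = data.decode("utf-16-le").rstrip("\0")
        records.append((key, name, vtype, data))
    return records

def find_duo_secrets(blob):  # assumed: path contains "Duo Security", value named "SKey"
    return [(k, n, d) for k, n, t, d in parse_pol(blob)
            if "duo security" in k.lower() and n.lower() == "skey"]
# Constructed sample, not from the post: path and value names are assumptions, values are placeholders.
DUO_KEY = "Software\\Duo Security\\DuoCredProv"
SAMPLE = build_pol([(DUO_KEY, "IKey", "DIXXXXXXXXXXXXXXXXXX"),
                    (DUO_KEY, "SKey", "PLACEHOLDER_SECRET_KEY")])
```

To audit a real domain, read `\\<domain>\SYSVOL\<domain>\Policies\<GPO guid>\Machine\registry.pol` into `find_duo_secrets`; any hit means the SKEY is readable by whoever has Read on that GPO.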