locked
Direct access ~ Security concern RRS feed

  • Question

  • We did the setup for Microsoft Direct Access for our customer to access our network outside the office.

    Our local domain policy does require a 10 character long password for our accounts and some of our user does put a post it on their laptop with the password. Is there a way to add an MFA to the Direct Access tunnel before it`s being initiate ? I`m looking for a way to secure the workstation/laptop (for the user who leaves their password on their laptop) and I cannot apply Azure MFA at the login screen of Windows 10.

    In the best world possible it would be conditional access with Azure MFA at Windows 10 login but it cannot be done at this point in time from what I saw in different forums.

    Any tough?

    Wednesday, December 5, 2018 1:17 PM

Answers

  • While the purpose of DirectAccess is to be automated so that the user doesn't have to do anything, it is possible to require 2FA on a DirectAccess tunnel. You can choose to enforce either smart cards, or any radius-based One-Time-Password solution, such as RSA or Gemalto.

    I will warn you though that the user experience for plugging in an OTP code for the DA tunnels isn't great. In my experience this is a feature that many customers test, but ultimately decide it's not worth the hassle to their users.

    If you setup DirectAccess to require machine certificates as part of the tunnel authentication process (which everyone should be doing as a best practice), then by definition DirectAccess even without "2FA" turned on, is already two-factor authenticated. Something they have = machine certificate, Something they know = credentials.

    You should, of course, work on training to get users to stop using sticky notes, and then also use Group Policy to enforce an idle time lockout policy so that if the users walk away from their computer or let it sit idle, it will self-lock the screen.

    • Marked as answer by sbrisson-00 Wednesday, December 19, 2018 7:23 PM
    Wednesday, December 19, 2018 4:30 PM