Duo Integration for Active Directory

Service Name

  • Duo Integration for Active Directory

Access to this service is controlled by InfoSec using a grouping.

Service Overview

Description

This service allows for IT staff managing Active Directory (AD) infrastructure across the UH System to integrate their AD-related servers (domain controllers, DNS servers, file shares, etc.) with Duo in order to force MFA when administrators log in to the servers. Requests for this service must be submitted by authorized IT staff and must include requisite information about the AD-related instances and administrator user accounts.

For an Active Directory-related instance, ITS will:

  1. set up a new Duo application

  2. set up Duo aliases to be used with the various privilege levels of AD user accounts provided by the requester

  3. provide the application’s integration key, secret key, and API hostname, and link the requester to the Duo documentation (https://duo.com/docs/rdp)

The following AD account naming conventions are required to prevent conflicts in the UH Duo domain:

  1. The base AD account name must match UH Username for chain-of-responsibility and lifecycle management purposes.

  2. Privileged accounts are requested numerically. For example, requesting 3 privileged accounts results in the following aliases:

    • uhusername-ad0, uhusername-ad1, uhusername-ad2, where the number strictly corresponds to the account’s actual privilege level.

Special account naming is supported by designating an account name suffix. For example, a backup account:

  • uhusername-ad0-bup
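Because the consumer is responsible for making administrator account names match the Duo alias format, a quick conformance check is useful before submitting a request. The following is an added example (not ITS or Duo code) that parses the `<uhusername>-ad<N>[-<suffix>]` convention described above and reports names that do not conform; the sample usernames are constructed, and the requirement that the numeric levels be contiguous from 0 is an assumption drawn from the "requested numerically" wording.

```python
import re

# Convention from the service description: <uhusername>-ad<N>, optionally followed by
# a special-purpose suffix such as -bup. Names are compared case-insensitively,
# since AD account names are case-insensitive.
ALIAS_RE = re.compile(r"^(?P<base>[a-z0-9]+)-ad(?P<level>\d+)(?:-(?P<suffix>[a-z0-9]+))?$")


def parse_alias(alias):
    """Split an alias into base, numeric privilege level and optional suffix; None if malformed."""
    m = ALIAS_RE.match(alias.lower())
    if m is None:
        return None
    return {"base": m.group("base"), "level": int(m.group("level")), "suffix": m.group("suffix")}


def check_aliases(uh_username, aliases):
    """Return a list of human-readable problems; an empty list means the set conforms."""
    problems = []
    levels = set()
    for alias in aliases:
        parsed = parse_alias(alias)
        if parsed is None:
            problems.append(f"{alias}: does not match <uhusername>-ad<N>[-suffix]")
            continue
        if parsed["base"] != uh_username.lower():
            problems.append(f"{alias}: base '{parsed['base']}' must equal UH Username '{uh_username}'")
            continue
        if parsed["suffix"] is None:
            levels.add(parsed["level"])
    # Assumption: privilege levels are allocated 0..n-1 with no gaps (accounts are requested numerically).
    expected = set(range(len(levels)))
    if levels != expected:
        problems.append(f"privilege levels {sorted(levels)} are not contiguous from 0")
    return problems


if __name__ == "__main__":
    # Constructed sample: three privileged accounts plus a backup account for level 0.
    good = ["jdoe-ad0", "jdoe-ad1", "jdoe-ad2", "jdoe-ad0-bup"]
    bad = ["jdoe-ad0", "jdoe-ad2", "jsmith-ad1", "jdoe_admin"]
    print("good:", check_aliases("jdoe", good))
    print("bad:", check_aliases("jdoe", bad))
```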

Benefits

  • Support security best practices for establishing account privilege levels and protecting each with Duo MFA.

  • Establish a standard convention based on the UH Username for naming AD accounts across multiple privilege levels.

ITS Responsibilities

Initial

  1. InfoSec: Generate the Duo integration information and securely transmit it to the requester.

  2. CSOC: Generate the Duo aliases

Ongoing

  1. Lifecycle administration

End-of-Life

  1. Adjust access as roles transition, as needed for AD access lifecycle administration.

Service Consumer Responsibilities

Preparation

  1. The consumer is responsible for configuring the administrator usernames to match the Duo alias format.

  2. Departments that want to set up Duo for VDI have additional requirements:

    1. https://duo.com/docs/citrix

    2. https://duo.com/docs/vmwareview

  3. Protecting servers with Duo requires outbound TCP 443 to the Duo API hostname. If your Tier 0 systems are not allowed to reach the internet directly, you will need to either allow outbound access to the Duo host, set up a proxy, or set up offline mode.

    1. (The University of Hawaii Duo tenant is deployed on DUO9.)

Administrative

  1. Installing the Duo application on the servers.

Data Protection

  1. The API information (integration key, secret key, and API hostname) is “sensitive” data and must be stored securely.

Security

  1. Ensure timely deprovisioning of access to AD resources and/or privileged accounts.

Availability & Response Times

Support Requests

  • Requests are usually processed during normal business hours.

  • Requests should receive a reply within 2 business days.

Service Owner

  • ITS InfoSec

Service Representative

  • Jason Young

  • Contact information: <infosec@hawaii.edu>