


Using Azure MFA for on premises Active Directory

Decem

On premise Active Directory - Getting MFA

This question, “how can I implement MFA with my on premise Active Directory”, has come up an awful lot recently. Much of this comes down to Microsoft’s great MFA offerings in the cloud, and people wanting their more “at risk” environments to utilise similar capabilities.

A very common answer is “just deploy DUO on RDP for servers”, but in my view this is a really poor solution. It doesn’t cover the majority of practical ways an attacker can abuse privileges. I recommend this article on why a lot of “easy” solutions don’t work.

Microsoft does offer an NPS plugin, which is designed for use with specific services such as Remote Desktop Gateways and VPNs. It’s done a lot of good for security across the board, but building the functionality and then leaving it there doesn’t quite close the gap people need.

You’ll be greeted with two interesting bugs here. Firstly, there’s no setup.exe here (as per installation instructions) as the installer is named NpsExtnForAzureMfaInstaller.exe. But also, it doesn’t matter what you put in this install location. It’s going to install in C:\Program Files\Microsoft\AzureMfa\ no matter what.
