2-Factor Authentication for Microsoft Windows using Duo

Captions
[Music] Hello and welcome to another Considered Normal vlog. My name is Matthew Koster. As some of you know, I am a Linux server administrator, and one of the things that I do as a Linux admin is to make sure a server is secure. For Linux that's fairly easy: for SSH we use SSH key pairs, or RSA key pairs. This allows us to log into a server, log into mine here, quickly and securely without having to remember any passwords or anything like that. It uses a key pair, so there's a private key on my machine and a public key on the server, and when I go to authenticate it doesn't look for a password, it looks for that key pair. So it looks at the private keys on the server, it looks at the public key... that's right, it looks for the public key on the server and the private key on my machine and makes sure that they're compared to each other, and if they do match I'm able to be logged in.

You'll see here that there's actually been 18 failed login attempts in about the last hour or so. These are people who are attempting to log in to the server on the default port using root and a password. Now, they'll never be able to get in because, of course, password authentication has been disabled and replaced with RSA key pair authentication, so the only way a person can actually get into the server is if they have your private key, which is located on your machine, so the chances of that are fairly rare. One of the other things you can do to secure your machine, of course, is to change the default port, or some other things, but this particular vlog isn't about Linux and how to secure it. If you want a vlog on that, put it in the comments and let me know; I'll probably create one for you.

But this particular video is about how to secure a Windows Server. Windows doesn't use SSH; it uses Remote Desktop Protocol, and there's no way to have a key pair or RSA key pair for Windows. So how do we make Windows more secure? Well, let's quickly log in to a Windows Server, so using Remote Desktop, and then log into my server which just cost your win, of course my username. Now I have the details saved, so it automatically logs me in. This is great because you don't have to remember your password. The sad part, though, is that it just logs you in automatically, so if a hacker by chance managed to get your administrator password, they could log in using admin and password, or whatever your password is, and have complete access to your server.

Now one of the things you can do, and one of the things I recommend doing, is you go into your Computer Management, under Local Users and Groups and then Users, and change your administrator. This used to be Administrator; now it's Matthew. Okay, so the built-in administrator account, change that. This will deter most hackers from attacking you, because they usually go, just like they do for Linux, where they use root, for Windows they use administrator. They don't usually go to many other different usernames, so change it to whatever you want to and this could help deter hackers.

One of the other things you could do is you can also change the default port by hacking the registry using regedit and a few other things, but I don't recommend this, as, you know, having to remember the default port or the new port, etc., can be time-consuming. Just like I did for Linux, I don't change the port anymore; I just have it on that one port and I secure it so that nobody can access it unless they actually have permission to. So you could change the port, but I don't recommend that.

So how else can we secure it? Well, other than changing your username and having a very good strong password, there's also a way of doing two-step authentication with Windows, and the way to do that is with an application called Duo. Let's just go back to the actual Duo page. So this is two-factor authentication for a bunch of things; one of the things is RDP. Now this is a paid product, but there is a free version for those who have 10 users and less, so for up to 10 users it's free. It has protection for logging in with two-factor authentication and it also has protection of on perhaps. We don't really care much about that one; what we're really looking for is to protect with two-factor authentication.

So let's create our account. Now I already have an account under one of my primary email addresses; I'm only creating one under a secondary email address just to show you the process of how it's created. If I could take today and I missed luckily have, you know, less than 10 employees. So once you put in your first and last name, your email address, your phone number, that you have to 10 employees, just click on "by signing up I agree to the terms of privacy" and "Create my account". A few moments later it's gonna ask you to create your password. Oops, typed it wrong.

Okay, so now it's gonna ask you to install Duo Mobile on your cell phone or on a device like an Android device or an iPhone or an iPad or any other tablet, and I already have this installed, so what I'm gonna do is I'm actually going to go to my phone, and I already turned on screen record so I can actually show you what it looks like. So now I log in to my Duo application. You're gonna see that I already have two accounts on there, admin and revel. No, this is, this is my other account that I have. So you're gonna hit the key with the plus sign at the top and you're gonna scan that little barcode at the bottom. So now you see it has the admin account attached. We'll continue on the screen, set the correct number for your backup, and then you just press the key beside your thing, then it'll show you a number; enter that and there you go, now you're authenticated.

So now that you're in the system, we're gonna try and find, in this very, very large list of things that they'll secure, need to find wrote RDP or Microsoft RDP. We can say "Protect this application". It's not a valid application to your account. It's gonna give you a few different bits of information; we'll get back to this afterwards. But we are going to need to edit the global policy for this, and the reason for that being is that certain authentication methods cost credits, and those credits cost money, so we want to turn that off, just in case some hackers managed to get our username and password; we don't want them wasting our particular tokens and stuff. So we're basically gonna take off everything but Duo Mobile passcodes and Duo Push. Starting to save that policy.

The other thing we need to do is we need to create an account for our users. We have to add a user to the account, my apologies, so that when we log in it recognizes who's logging in. Let's just really see, what's this here? This is this King up on my screen as well. It said none and I don't know why, but okay, it's probably because I have another account. Anyways, so let's add a user. Now the username, you saw on here, you saw that my user was Matthew. You want to basically replicate that in the settings for this application, so the username is Matthew. Okay, now that's gonna put it down lowercase; I'm just gonna put an uppercase just in case. I know Windows isn't case sensitive, but I want to make sure that if in future it does become case sensitive, I make sure that I actually have all the information that I need. Okay, I'm gonna put in my name here, my email address. Okay, I'm gonna make sure I'm active, of course. I don't need any groups or any other information. I'm going to save, and it's gonna tell me that the user isn't enrolled yet, so I'm gonna send the user an enrollment email address, enrollment email, sorry.

And in my inbox very shortly... make sure I spelled this right, yeah. It may take a few minutes for the... there we go, for the email to go through, and I'm going to click the link and I'm going to go through the two-factor authentication step for the user. Now we did already set up for the administrator account for Duo, but this is for the user account. Okay, so of course you can go from a mobile phone, put in that same phone number, tell it that it's the correct phone number. You tell it it's an Android, because mine is; if yours is an iPhone or anything else, please put that information in, and tell me you already have the Duo Mobile file installed. It'll give you another code. You can go back to your phone, you can go back into Duo again, and you're going to go up to that plus sign once again, then you're going to make sure that it grabs the code on the screen, and there we go, the code's been successfully added, this is successfully created. So continue. Mmm, and leaving has asked me to choose what method of authentication to have. Okay, and finish enrollment. So now we've completed the enrollment for the user. Let's go back here; it should say that the user is active but never authenticated, so I've never actually logged into the server.

So now you can go back to our server. I no longer need this. We're gonna go to duo.com. This is a brand-new machine, so there are some default apps I haven't gone through yet. So let's go to duo.com. I'm going to log in. "If you remember your password", don't save. Okay, it's gonna ask you to do a push: approve, confirm, and that should allow us into our system, which is great. Okay, so we can go to our applications; we're gonna go to RDP. That's gonna say "see the RDP documentation" just sit up you know you're doin occasion. So we're gonna scroll down and under the first steps we're going to actually click on the Duo Authentication for Windows Logon installer page there, package, sorry, and we're going to save this to our download directory. We can open the file and I'm going to let it install. Well, isn't that odd, there's some sort of setup going on, or downloads, updates. Okay, yeah, that's why. Give it a few seconds here to reboot. Now I should be able to connect. There we go, okay, so now we're back in. We're going to go back to our download directory. I'm gonna try and do that Duo Windows login again.

Now one of the things you should do with Windows always: you know, there's no extension here, .exe. You really, really want to have that, so do not have "hide file extensions" enabled. Enable it so you can actually see the file extensions; they'll help you out a lot as well.

Okay, so this is where you need to have that information, so let's go back and log back in to Duo again. Hopefully I type my password right, hopefully I type in my email right. Okay, I'm just gonna do a push to my phone again: approve, confirm, and there we go, we're now logged in. We're gonna go to our applications, we're gonna click on our Microsoft RDP, and this is the information we're going to need. So we're gonna create a copy. This here is your integration key, we're gonna need the secret key, and we're gonna need the API.

Now you can have it where it prompts them even if there's login regularly, if they're at the decimal. So if you have this at home and you want to make sure that, you know, nobody logs into your Windows server at home, say you have kids or whatever, you want them to still access their local machine but they can't log into the actual server itself, you could put this on as a way of authentication as well. But since we're only going through RDP and you can't really get the console unless you're logged in to the actual provider's screen, I don't want to have... I just won't have it where, you know, if someone tries to... actually no, I'm gonna leave it, in case somebody hacks into my account and goes to the prompt, goes to the screen, I'm still protected. So anyways, let's just leave it this way here. Click Next, mm-hmm, and Install, and there we go. Okay, so we can just finish that. Now that we have it installed, just close that off.

Now if we go, me disconnect, and we try and connect again, it should give us the Duo push. What ended up happening is it automatically sent a push to my machine. Let's see here, it says there's a request waiting, and I can say approve, and I'm in, and now I can access my system. And the cool thing is, I'm just gonna quickly disconnect here again, the cool thing is even if you're at the actual screen sync draught Lister that way there, perfect. [Music] I didn't type it right, really? Yeah, there we go. It's still gonna ask me to push as well; this is why I left it on. So again it's gonna go back to my machine and approve, and that of course should let me into my system now.

So that is how you can secure your machine look better by using two-step authentication, by using Duo. Duo is a really cool application; it's free. If you like this video please go ahead and like and subscribe at the bottom. Until next time. [Music]

Oh, that little icon is for ProtonMail. The little icon beside the name is because it's from ProtonMail; that's why it has that little icon there. It's interesting. Let's understand why it has none. My other ones had names. You can only just rename these. Edit account; I'm just gonna name this Matthew. There. Rename this one here. Oops. Okay, so there we go, so at least now I have the information I need.

Okay, so let's see if it's back up and running yet, and it's not back up just yet. If you do a reboot of your Windows machine it does this weird thing where it says it's gonna be authenticating, then just disappears, because the server actually hasn't rebooted just yet. Okay, so just keep trying, it'll eventually actually kick in. Just give it a few more seconds. Give it a few more seconds. It's really good, fruity herbal teas these days, really nice.

Okay, so we just got another email sending us to pretty much confirm the email address, and we're going to... this is for our user, of course. Okay, so email opt-in, thanks for subscribing to emails, blah blah blah. It's good to have that information in there just in case. So let's try and go back to Remote Desktop again. So it's doing updates, so it'll take a little while. I really, really, really hate Windows updates. Again, this is why I love Linux. You know, Linux updates work. The only thing you ever have to reboot Linux for is for a kernel update. Let's try the Linux update while waiting for Windows to do its update. Still going. It's gonna do a Linux update here. Yes, so it has 10 packages to install, and as I said, the only thing it ever really needs to reboot for is if you do a kernel update, and SSH usually always comes back. So look at that, I'm already updated. See if Windows is updated yet. Nope.

This is one of the reasons why I am a Linux server admin and not Windows. Sometimes Windows is good; other times Windows is a pain in my ass. This is the reason why, if you ever noticed, if you go to a hosting company, for instance like Vultr or direct... that's right, DigitalOcean, actually, doesn't have it, but Vultr does, why they charge 16 dollars extra a month, or even if you go anywhere else that has these cloud versions of Windows, and why they charge extra a month: for those of us in the industry, it's called a headache fee. That's right, a headache fee. Why? Because Windows has so many issues, it is a headache. That's why you get paid more, that's why you get charged more for running a Windows Server as opposed to a Linux server at some host.

So let's try to connect again. Lo and behold, still doing updates. Okay, I'm tired of waiting. Let's just take a look here and see exactly what it's doing. Black screen, that can't be good. There we are. Why did you give me a black screen? You're never supposed to do that to a server, by the way. See, "don't turn off your computer". Oh boy, this is so lame. The bloopers at the end of the video, I don't care, it's not gonna be in the actual video, it'll be just at the end, because I'm pretty sure y'all don't have time to wait for this. Mmm, sorry, I shouldn't say that either. Don't wait for this wonderful update time. Every time this does, I think of that Jeopardy theme song: doo-doo-doo doo-doo-doo doo-doo-doo-doo-doo-doo doo-doo-doo-doo-doo doo-doo-doo-doo doo-doo-doo-doo. Okay.
Info
Channel: Considered Normal?
Views: 11,595
Keywords: Duo, 2FA, Windows
Id: Qm2sYXZl4UY
Length: 25min 50sec (1550 seconds)
Published: Sat Sep 30 2017