Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,120 @@
---
name: None
description: Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust
domain: cybersecurity
subdomain: identity-access-management
tags: [iam, identity, access-control, authentication, mfa, duo, multi-factor]
version: "1.0"
author: mahipal
license: MIT
---
# Configuring Multi-Factor Authentication with Duo
## Overview
Deploy Cisco Duo multi-factor authentication across enterprise applications, VPN, RDP, and SSH access points. This skill covers Duo integration methods, adaptive authentication policies, device trust assessment, and phishing-resistant MFA deployment aligned with NIST 800-63B AAL2/AAL3 requirements.
## Objectives
- Configure Duo MFA for VPN, RDP, SSH, and web applications
- Implement adaptive access policies based on user, device, and network context
- Deploy phishing-resistant authentication (Duo Verified Push, WebAuthn)
- Configure device health policies (trusted endpoints, OS version enforcement)
- Set up Duo Admin Panel monitoring and reporting
- Implement MFA bypass and emergency access procedures
## Key Concepts
### Duo Authentication Methods (by security strength)
1. **Security Keys (WebAuthn/FIDO2)**: Phishing-resistant, AAL3 capable
2. **Duo Verified Push**: Requires code entry, resistant to MFA fatigue attacks
3. **Duo Push**: Push notification to Duo Mobile app
4. **TOTP (Duo Mobile Passcode)**: Time-based one-time password
5. **Hardware Tokens**: OTP from physical token
6. **SMS/Phone Call**: Least secure, use only as fallback
### Duo Integration Architecture
- **Duo Authentication Proxy**: On-premises proxy for RADIUS/LDAP integration
- **Duo Web SDK**: Embed Duo MFA in web applications
- **Duo OIDC/SAML**: SSO integration for cloud applications
- **Duo for RDP**: Windows Logon MFA
- **Duo Unix**: PAM-based MFA for SSH
### Adaptive Access Policies
- **Trusted Networks**: Reduce MFA friction for corporate networks
- **Remembered Devices**: Skip MFA for trusted devices (configurable duration)
- **Device Health**: Block or require MFA based on OS patch level, encryption, firewall
- **Risk-Based Authentication**: Step-up MFA for anomalous login patterns
## Implementation Steps
### Step 1: Duo Authentication Proxy Setup
1. Deploy Duo Authentication Proxy on Windows/Linux server
2. Configure primary authentication (AD/LDAP or RADIUS)
3. Configure Duo API credentials (Integration Key, Secret Key, API Hostname)
4. Set failmode (safe=deny if Duo unreachable, secure=allow)
5. Test proxy connectivity to Duo cloud and AD
### Step 2: VPN MFA Integration
1. Configure VPN concentrator for RADIUS authentication
2. Point RADIUS to Duo Authentication Proxy
3. Configure Duo proxy with [radius_server_auto] section
4. Test VPN login with Duo Push
5. Deploy to all VPN users with enrollment period
### Step 3: RDP/Windows Logon MFA
1. Install Duo Authentication for Windows Logon on target servers
2. Configure Duo application in Admin Panel
3. Set offline access options (allow N offline logins)
4. Configure bypass for service accounts
5. Test RDP login with Duo MFA
### Step 4: Adaptive Policy Configuration
1. Create user groups (Standard, Privileged, Contractors)
2. Configure per-group authentication policies:
- Standard: Duo Push allowed, remembered device 7 days
- Privileged: Verified Push required, no remembered device
- Contractors: WebAuthn required, no remembered device
3. Configure device health policies:
- Require encrypted disk
- Block outdated OS versions
- Require firewall enabled
4. Set trusted network exceptions for corporate IPs
### Step 5: Phishing-Resistant MFA Deployment
1. Enable Verified Push (requires entering 3-digit code from login screen)
2. Register WebAuthn/FIDO2 security keys for privileged users
3. Disable SMS and phone call for high-risk groups
4. Configure Duo Risk-Based Factor Selection
5. Monitor for MFA fatigue attack patterns
### Step 6: Monitoring and Response
1. Configure Duo Admin Panel alerts
2. Set up authentication log forwarding to SIEM
3. Monitor for: MFA denial patterns, bypass usage, new device enrollments
4. Create incident response playbook for MFA compromise
5. Regular review of bypass and exception policies
## Security Controls
| Control | NIST 800-53 | Description |
|---------|-------------|-------------|
| MFA | IA-2(1) | Multi-factor authentication for network access |
| MFA for Privileged | IA-2(2) | MFA for privileged account access |
| Replay Resistance | IA-2(8) | Replay-resistant authentication |
| Device Identification | IA-3 | Device identity and trust |
| Authenticator Management | IA-5 | MFA enrollment and lifecycle |
## Common Pitfalls
- Not deploying phishing-resistant MFA (Verified Push/FIDO2) for privileged accounts
- Setting failmode to "safe" (allow access when Duo is down) in production
- Not disabling SMS/phone call for users with app-capable devices
- Forgetting to configure offline access for laptops
- Not monitoring for MFA fatigue/prompt bombing attacks
## Verification
- [ ] VPN login requires Duo MFA
- [ ] RDP to servers requires Duo MFA
- [ ] SSH access requires Duo MFA
- [ ] Verified Push enabled for privileged users
- [ ] Device health policy blocks non-compliant devices
- [ ] Authentication logs forwarded to SIEM
- [ ] Bypass/emergency access procedures tested
- [ ] MFA fatigue detection alerts configured
@@ -0,0 +1,37 @@
# Duo MFA Deployment Checklist
## Duo Admin Panel Configuration
- [ ] Admin account secured with hardware security key
- [ ] Admin API credentials generated and stored securely
- [ ] AD Sync configured for user provisioning
- [ ] User groups created (Standard, Privileged, Contractors)
## Authentication Policy Matrix
| Group | Push | Verified Push | WebAuthn | TOTP | SMS | Phone | Remember |
|-------|------|---------------|----------|------|-----|-------|----------|
| Standard | Yes | No | Optional | Yes | No | No | 7 days |
| Privileged | No | Yes | Yes | Backup | No | No | None |
| Contractors | Yes | No | No | Yes | No | No | None |
## Integration Points
| System | Integration Method | Status |
|--------|--------------------|--------|
| VPN (Cisco ASA) | RADIUS via Auth Proxy | [ ] |
| VPN (Palo Alto) | RADIUS via Auth Proxy | [ ] |
| Windows RDP | Duo for Windows Logon | [ ] |
| Linux SSH | Duo Unix (PAM) | [ ] |
| Web Apps (SAML) | Duo SSO | [ ] |
| Office 365 | Duo + Azure AD | [ ] |
## Device Health Policy
- [ ] Require disk encryption
- [ ] Minimum OS version: Windows 10 22H2 / macOS 13 / iOS 16 / Android 12
- [ ] Require firewall enabled
- [ ] Block jailbroken/rooted devices
- [ ] Require screen lock
## Emergency Procedures
- [ ] Bypass code generation procedure documented
- [ ] Failmode configuration documented per integration
- [ ] Emergency contact list for Duo outage
- [ ] Alternative authentication path tested
@@ -0,0 +1,26 @@
# Standards and References - MFA with Duo
## NIST Standards
- **NIST SP 800-63B**: Digital Identity Guidelines - Authentication and Lifecycle Management
- AAL1: Single-factor authentication
- AAL2: Multi-factor authentication (Duo Push, TOTP)
- AAL3: Hardware-based phishing-resistant (FIDO2, PIV)
- **NIST SP 800-53 Rev 5**: IA-2, IA-2(1), IA-2(2), IA-2(6), IA-2(8), IA-3, IA-5
## Duo Documentation
- **Duo Authentication Proxy**: https://duo.com/docs/authproxy-reference
- **Duo for RDP**: https://duo.com/docs/rdp
- **Duo Unix (SSH)**: https://duo.com/docs/duounix
- **Duo Web SDK**: https://duo.com/docs/duoweb
- **Duo Verified Push**: https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture
- **Duo Admin API**: https://duo.com/docs/adminapi
## CISA Guidance
- **CISA MFA Guidance**: Phishing-resistant MFA requirement for federal agencies
- **EO 14028**: Executive Order on Improving the Nation's Cybersecurity - MFA mandate
## Compliance
- **PCI DSS 4.0**: Requirement 8.3.1 - MFA for all access to CDE
- **HIPAA**: 45 CFR 164.312(d) - Person or entity authentication
- **SOX**: MFA for privileged financial system access
- **CMMC**: Level 2 - IA.L2-3.5.3 Multi-factor authentication
@@ -0,0 +1,36 @@
# MFA with Duo Workflows
## Workflow 1: Duo Authentication Proxy Deployment
1. Install Duo Authentication Proxy on dedicated server
2. Configure authproxy.cfg with AD/LDAP primary auth
3. Add Duo API credentials (ikey, skey, api_host)
4. Set failmode=safe for initial testing, change to secure for production
5. Start Duo proxy service, verify connectivity
6. Configure VPN/application to use proxy as RADIUS server
7. Test with pilot group before full deployment
## Workflow 2: User Enrollment
1. Admin creates Duo user (manual or AD sync)
2. User receives enrollment email/link
3. User installs Duo Mobile app
4. User scans QR code to link device
5. User completes test authentication
6. Admin verifies enrollment status in Admin Panel
## Workflow 3: MFA Fatigue Attack Response
1. Detect multiple rapid push notifications to single user
2. Alert security team via SIEM integration
3. Temporarily lock user's Duo account
4. Contact user to verify if they initiated authentication
5. If unauthorized: reset credentials, investigate source
6. If authorized: educate user, enable Verified Push
7. Update policy to require Verified Push for affected group
## Workflow 4: Duo Failover and Emergency Access
1. Duo cloud service becomes unreachable
2. Authentication Proxy checks failmode setting
3. If failmode=secure: deny all access (most secure)
4. If failmode=safe: allow primary auth only (business continuity)
5. Admin monitors Duo status page for resolution
6. After restoration: review all authentications during outage
7. Investigate any suspicious access during failover period
@@ -0,0 +1,268 @@
#!/usr/bin/env python3
"""
Duo MFA Configuration Auditor and Health Checker
Audits Duo MFA deployment configuration, checks policy compliance,
detects MFA fatigue patterns, and monitors authentication health.
"""
import json
import datetime
from typing import Dict, List, Optional
from dataclasses import dataclass, field
from collections import defaultdict
@dataclass
class DuoPolicy:
"""Duo authentication policy configuration."""
policy_name: str
group: str
allowed_methods: List[str] # push, verified_push, webauthn, totp, sms, phone
remembered_devices_days: int = 0
require_device_health: bool = False
require_encryption: bool = False
min_os_version: str = ""
trusted_networks: List[str] = field(default_factory=list)
failmode: str = "secure" # secure or safe
@dataclass
class AuthEvent:
"""Authentication event from Duo logs."""
timestamp: str
username: str
factor: str # push, verified_push, webauthn, totp, sms, phone, bypass
result: str # success, denied, fraud, timeout
ip_address: str
device_os: str = ""
application: str = ""
reason: str = ""
@dataclass
class MFAAuditFinding:
"""MFA audit finding."""
severity: str
category: str
title: str
description: str
recommendation: str = ""
class DuoMFAAuditor:
"""Audits Duo MFA configuration and detects anomalies."""
PHISHING_RESISTANT = {"verified_push", "webauthn", "fido2"}
WEAK_METHODS = {"sms", "phone"}
AAL2_METHODS = {"push", "verified_push", "webauthn", "totp", "fido2"}
def __init__(self):
self.policies: List[DuoPolicy] = []
self.auth_events: List[AuthEvent] = []
self.findings: List[MFAAuditFinding] = []
def load_policies(self, policies: List[Dict]):
for p in policies:
self.policies.append(DuoPolicy(**p))
def load_auth_events(self, events: List[Dict]):
for e in events:
self.auth_events.append(AuthEvent(**e))
def audit_all(self) -> List[MFAAuditFinding]:
self.findings = []
self._audit_policy_strength()
self._audit_weak_methods()
self._audit_device_health()
self._audit_failmode()
self._audit_remembered_devices()
self._detect_mfa_fatigue()
self._detect_bypass_usage()
self._audit_method_distribution()
return self.findings
def _audit_policy_strength(self):
for policy in self.policies:
has_phishing_resistant = any(
m in self.PHISHING_RESISTANT for m in policy.allowed_methods
)
if "privileged" in policy.group.lower() or "admin" in policy.group.lower():
if not has_phishing_resistant:
self.findings.append(MFAAuditFinding(
severity="critical",
category="Policy Strength",
title=f"Privileged group '{policy.group}' lacks phishing-resistant MFA",
description=f"Policy '{policy.policy_name}' allows only: {', '.join(policy.allowed_methods)}",
recommendation="Enable Verified Push or WebAuthn for privileged users per CISA guidance"
))
def _audit_weak_methods(self):
for policy in self.policies:
weak = set(policy.allowed_methods) & self.WEAK_METHODS
if weak:
self.findings.append(MFAAuditFinding(
severity="high",
category="Weak Methods",
title=f"Weak MFA methods enabled for '{policy.group}'",
description=f"SMS and/or phone call enabled: {', '.join(weak)}. "
"These are vulnerable to SIM swapping and social engineering.",
recommendation="Disable SMS/phone for users with smartphone access. Use push or WebAuthn."
))
def _audit_device_health(self):
for policy in self.policies:
if not policy.require_device_health:
self.findings.append(MFAAuditFinding(
severity="medium",
category="Device Health",
title=f"Device health not enforced for '{policy.group}'",
description="Unmanaged or unhealthy devices can authenticate without restriction.",
recommendation="Enable device health policy to check OS version, encryption, and firewall."
))
def _audit_failmode(self):
for policy in self.policies:
if policy.failmode == "safe":
self.findings.append(MFAAuditFinding(
severity="high",
category="Failmode",
title=f"Failmode set to 'safe' for '{policy.policy_name}'",
description="When Duo is unreachable, users are allowed in without MFA.",
recommendation="Set failmode to 'secure' to deny access when Duo is unavailable."
))
def _audit_remembered_devices(self):
for policy in self.policies:
if policy.remembered_devices_days > 30:
self.findings.append(MFAAuditFinding(
severity="medium",
category="Remembered Devices",
title=f"Long remembered device period for '{policy.group}'",
description=f"Devices remembered for {policy.remembered_devices_days} days. "
"Stolen devices retain MFA bypass.",
recommendation="Reduce remembered device period to 7 days or less."
))
def _detect_mfa_fatigue(self):
"""Detect potential MFA prompt bombing / fatigue attacks."""
user_denials = defaultdict(list)
for event in self.auth_events:
if event.result in ("denied", "timeout", "fraud"):
user_denials[event.username].append(event)
for user, denials in user_denials.items():
if len(denials) >= 5:
# Check if denials happened within a short window
timestamps = sorted(denials, key=lambda e: e.timestamp)
if len(timestamps) >= 5:
self.findings.append(MFAAuditFinding(
severity="critical",
category="MFA Fatigue",
title=f"Potential MFA fatigue attack on user '{user}'",
description=f"{len(denials)} denied/timeout MFA attempts detected. "
"This pattern indicates potential MFA prompt bombing.",
recommendation=f"Lock account '{user}', verify with user, enable Verified Push, "
"investigate source IPs."
))
def _detect_bypass_usage(self):
bypass_events = [e for e in self.auth_events if e.factor == "bypass"]
if bypass_events:
users = set(e.username for e in bypass_events)
self.findings.append(MFAAuditFinding(
severity="high",
category="Bypass Usage",
title=f"{len(bypass_events)} MFA bypass authentications detected",
description=f"Users with bypass codes: {', '.join(users)}. "
"Bypass codes circumvent MFA protection.",
recommendation="Review bypass usage. Ensure bypass codes are single-use and time-limited."
))
def _audit_method_distribution(self):
method_counts = defaultdict(int)
for event in self.auth_events:
if event.result == "success":
method_counts[event.factor] += 1
total = sum(method_counts.values())
if total > 0:
weak_pct = sum(method_counts.get(m, 0) for m in self.WEAK_METHODS) / total * 100
if weak_pct > 10:
self.findings.append(MFAAuditFinding(
severity="medium",
category="Method Distribution",
title=f"{weak_pct:.1f}% of authentications use weak MFA methods",
description="Significant portion of users still using SMS/phone.",
recommendation="Migrate users to Duo Push, Verified Push, or WebAuthn."
))
def generate_report(self) -> str:
if not self.findings:
self.audit_all()
lines = [
"=" * 70,
"DUO MFA CONFIGURATION AUDIT REPORT",
"=" * 70,
f"Report Date: {datetime.datetime.now().isoformat()}",
f"Policies Audited: {len(self.policies)}",
f"Auth Events Analyzed: {len(self.auth_events)}",
f"Findings: {len(self.findings)}",
"-" * 70, ""
]
severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}
for f in sorted(self.findings, key=lambda x: severity_order.get(x.severity, 5)):
lines.append(f"[{f.severity.upper()}] {f.title}")
lines.append(f" Category: {f.category}")
lines.append(f" {f.description}")
if f.recommendation:
lines.append(f" Fix: {f.recommendation}")
lines.append("")
lines.append("=" * 70)
critical = sum(1 for f in self.findings if f.severity == "critical")
lines.append(f"OVERALL: {'FAIL' if critical > 0 else 'PASS WITH FINDINGS' if self.findings else 'PASS'}")
lines.append("=" * 70)
return "\n".join(lines)
def main():
auditor = DuoMFAAuditor()
auditor.load_policies([
{"policy_name": "Standard Users", "group": "standard_users",
"allowed_methods": ["push", "totp", "sms"], "remembered_devices_days": 7,
"failmode": "secure"},
{"policy_name": "Privileged Admins", "group": "privileged_admins",
"allowed_methods": ["push", "totp"], "remembered_devices_days": 0,
"require_device_health": True, "failmode": "safe"},
{"policy_name": "Contractors", "group": "contractors",
"allowed_methods": ["push", "phone", "sms"], "remembered_devices_days": 45,
"failmode": "secure"},
])
auditor.load_auth_events([
{"timestamp": "2026-02-23T08:00:00", "username": "alice", "factor": "push",
"result": "success", "ip_address": "10.0.1.50", "application": "VPN"},
{"timestamp": "2026-02-23T08:01:00", "username": "bob", "factor": "sms",
"result": "success", "ip_address": "192.168.1.100", "application": "VPN"},
{"timestamp": "2026-02-23T08:02:00", "username": "charlie", "factor": "push",
"result": "denied", "ip_address": "203.0.113.50", "application": "RDP"},
{"timestamp": "2026-02-23T08:02:30", "username": "charlie", "factor": "push",
"result": "denied", "ip_address": "203.0.113.50", "application": "RDP"},
{"timestamp": "2026-02-23T08:03:00", "username": "charlie", "factor": "push",
"result": "denied", "ip_address": "203.0.113.50", "application": "RDP"},
{"timestamp": "2026-02-23T08:03:30", "username": "charlie", "factor": "push",
"result": "timeout", "ip_address": "203.0.113.50", "application": "RDP"},
{"timestamp": "2026-02-23T08:04:00", "username": "charlie", "factor": "push",
"result": "denied", "ip_address": "203.0.113.50", "application": "RDP"},
{"timestamp": "2026-02-23T09:00:00", "username": "dave", "factor": "bypass",
"result": "success", "ip_address": "10.0.2.75", "application": "SSH"},
])
print(auditor.generate_report())
if __name__ == "__main__":
main()