Introduction
- The Problem: For compliance, you may be asked to implement MFA for VMs running in GCP. This is easy for Linux, but what about Windows?
- The Solution: There is more than one way to achieve this goal; this guide uses Cisco Duo as the MFA infrastructure.
- The Goal: "By the end of this guide, you will have a secure Windows VM that prompts for MFA upon every RDP login."
Architecture Overview
Prerequisites
- A running Windows Server VM on GCP.
- Admin access to the VM (RDP).
- A valid Cisco Duo account (Free trial or Admin access).
- Critical Network Check: Ensure the VM allows outbound traffic on TCP port 443 to api-*.duosecurity.com. (This connection is used during the installation of Duo Authentication for Windows.)
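The network check above can be scripted and run on the VM before the installer. The following PowerShell is an added example, not part of the original guide or Duo's tooling: it checks DNS, TCP 443, and a validated HTTPS call to Duo's unsigned `/auth/v2/ping` endpoint, then compares the server time with the VM clock. The hostname is a placeholder for your own API Hostname, and `MaxSkewSeconds` is an assumed threshold for this check.

```powershell
# Added example: pre-install egress check for the Duo API host.
param(
    # Placeholder: replace with the API Hostname from your Duo Admin Panel.
    [string]$ApiHost = 'api-XXXXXXXX.duosecurity.com',
    # Assumed tolerance for this check, not a limit documented on this page.
    [int]$MaxSkewSeconds = 60
)

$result = [ordered]@{
    Host = $ApiHost; Dns = $false; Tcp443 = $false; HttpsPing = $false; SkewSeconds = $null
}

# 1. DNS: the VM must be able to resolve the API hostname.
try {
    Resolve-DnsName -Name $ApiHost -ErrorAction Stop | Out-Null
    $result.Dns = $true
} catch {
    Write-Warning "DNS lookup failed for ${ApiHost}: $($_.Exception.Message)"
}

# 2. TCP 443: blocked here usually means a VPC egress firewall rule or missing NAT.
if ($result.Dns) {
    $tcp = Test-NetConnection -ComputerName $ApiHost -Port 443 -WarningAction SilentlyContinue
    $result.Tcp443 = [bool]$tcp.TcpTestSucceeded
}

# 3. HTTPS with normal certificate validation. A failure here while TCP succeeds
#    points at a TLS-inspecting proxy or an untrusted root on the VM.
if ($result.Tcp443) {
    try {
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $ping = Invoke-RestMethod -Uri "https://$ApiHost/auth/v2/ping" -TimeoutSec 10
        $result.HttpsPing = ($ping.stat -eq 'OK')
        # The ping response carries the server's Unix time; compare with the VM clock.
        $localEpoch = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
        $result.SkewSeconds = [math]::Abs($localEpoch - [int64]$ping.response.time)
    } catch {
        Write-Warning "HTTPS request to ${ApiHost} failed: $($_.Exception.Message)"
    }
}

[pscustomobject]$result | Format-List

if (-not $result.HttpsPing) {
    Write-Warning 'Duo API is not reachable from this VM. Fix egress before installing.'
    exit 1
}
if ($result.SkewSeconds -gt $MaxSkewSeconds) {
    Write-Warning "Clock differs from Duo by $($result.SkewSeconds)s. Fix time sync before installing."
}
```

Run it from an elevated PowerShell session on the VM with `-ApiHost` set to the value noted in the Duo Admin Panel.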
Step 1: Configure Duo Admin Panel
- Action: Create a "Protect an Application" entry.
- Selection: Choose "Microsoft RDP".
- Key Data: Note down the Integration Key (IKEY), Secret Key (SKEY), and API Hostname.
Step 2: Installation on GCP Windows VM
- Download: Link to the official Duo Authentication for Windows Logon installer.
- Install: Walk through the wizard.
- Configuration:
- Enter the IKEY, SKEY, and API Hostname (the values noted in the last item of Step 1).
Step 3: Verification & Troubleshooting
- The Test: After completing the steps above, try to log in to Windows; you will see the MFA prompt, as in the screenshot below.
- Troubleshooting:
- Problem: "I locked myself out!"
- Solution: Use the GCP Serial Console or a startup script to uninstall or bypass Duo in an emergency.
If you accidentally lock yourself out, you can use the GCP Serial Console (on Windows, choose #2) to get into SAC and stop or uninstall the service.
Conclusion
By implementing Cisco Duo on your GCP Windows VM, you have successfully added a critical layer of defense against credential theft and brute-force attacks. Not only does this secure your infrastructure, but it also helps you check the box for compliance standards like SOC2 or PCI-DSS that mandate MFA for remote access.


