Offline Cache not subject to Duo 2FA on Datasource


Hello,

My company has recently begun using Duo for 2FA.

I'm testing things out and have set up Duo so that when RDM opens and connects to our Datasource (MSSQL), RDM sends a "Duo Push".
This is a user-level "on data source connection" 2FA.

However!
If I hit cancel on the Duo prompt a few times, RDM opens without connecting to a datasource,

and if I go to File > Offline,

RDM loads the offline database cache.

I guess I have a few questions:

1. How should a situation where the internet or Duo services are unavailable be handled in RDM, in regards to 2FA? If I scan in the QR code as 2FA from RDM \ User Options \ Security \ 2FA, then I have.. 3FA..
The offline cache could still be compromised in 1 of the 4 scenarios I list below.

2. How is RDM's offline cache secured?
I see two options in RDM User Options, Security:
Offline Security, Default or Enhanced;
"Enable DPAPI cryptography on local files", which is not enabled by default.

When I enter a passphrase into "offline security" it seems like a behind-the-scenes encryption for the offline cache, as RDM doesn't prompt me for that password.
When I enable DPAPI, I can't tell a difference when looking at the files. I thought they'd have blue-colored names when encrypted with the Windows encryption provider?

I'm attempting to resolve the following scenarios (before they happen):

  1. An employee's workstation is compromised and the offline cache exfiltrated.
  2. Our network is compromised and Active Directory user passwords reset.
  3. An infiltrator with domain-admin access connects to a workstation's administrative share to exfiltrate their data.
  4. An employee's credentials are compromised, a new computer joined to the domain (to get around Duo 2FA on workstation login), RDM's appdata copied to the new computer and Duo 2FA on RDM skipped for the offline cache.

I suspect and am hoping that I simply don't know enough about cryptography, that my concerns are invalid and the solution apparent.
I also hope that I didn't miss any potential scenarios.. really, I just don't want access or passwords compromised! Let your imagination run wild as to how someone may do that and please comfort me! Ahaha
I hope I'm not presenting an exploit!

All that being said, I have no problem disabling the offline cache if it presents a security risk. Our datasource is local, redundant, and secured. The weak spot is user-land.

If this line of questioning and alert should not be on the internet and instead asked in a private manner, I would understand!

All Comments (2)

Thank you for your questions, I am looking at it right now and we will get back to you shortly.


Sébastien Duquette

There is an option in RDM to prompt for the 2FA before going offline. This configuration would block the method to access the offline cache that you mentioned. Duo needs an Internet connection to complete the 2FA, so the going offline operation would need to be done while there is still an active Internet connection.

Concerning the cache security, the cache is encrypted using DPAPI by default; this way it can't be copied and opened with another user account. "Enable DPAPI cryptography on local files" is a different option that encrypts the RDM configuration file. It is disabled by default because changes to the DPAPI key can result in data loss, for example when a Windows password is reset instead of changed. However, for the offline cache it's not an issue: we simply discard it and reconstruct it if this case happens.

Enhanced security makes it possible to set a password that is used to encrypt the offline cache. Make sure to check "Prompt for offline access", else the password is stored in the RDM configuration.

Finally, disabling the offline cache is also a valid option to consider.

Going back to your attack scenarios:

1. An employee's workstation is compromised and the offline cache exfiltrated.

Enabling "Prompt for 2FA before going offline" would block someone from accessing the offline cache from RDM on that computer. The offline cache wouldn't be readable on another computer because of the encryption via DPAPI.

2. Our network is compromised and Active Directory user passwords reset.

Prompt for 2FA would help here; an attacker wouldn't be able to access the credentials from RDM. Using "Enable DPAPI cryptography on local files" would render the RDM configuration unreadable, with the caveat that this would also be the case for a legitimate password reset.

3. An infiltrator with domain-admin access connects to a workstation's administrative share to exfiltrate their data.

The exfiltrated offline cache wouldn't be readable due to DPAPI.

4. An employee's credentials are compromised, a new computer joined to the domain (to get around Duo 2FA on workstation login), RDM's appdata copied to the new computer and Duo 2FA on RDM skipped for the offline cache.

"Prompt for 2FA before going offline" would block access to the offline cache.

I hope that answers your questions, don't hesitate if I missed something.


Sébastien Duquette
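The answer above rests on one property of DPAPI: a blob protected under the CurrentUser scope is tied to that user's master key (itself protected by the user's logon password), so copying the file to another account or machine leaves it unreadable. The following PowerShell is an added example, not RDM's own code and not part of the thread; it protects a constructed sample "cache" the same way and provides a check an administrator can run under a second account to confirm the file does not open. The file path, the optional-entropy string and the function names are assumptions chosen for the example.

```powershell
# Added example: DPAPI CurrentUser protection of a file, and a readability check.
# Not RDM's implementation; a demonstration of the property the answer relies on.
Add-Type -AssemblyName System.Security

# Optional entropy is an assumption for this example; an application may or may
# not use one. Whatever is used at Protect time must be supplied at Unprotect time.
$script:Entropy = [Text.Encoding]::UTF8.GetBytes('example-entropy')

function Protect-CacheFile {
    param([string]$Path, [string]$Content)
    # Encrypt under the logged-on user's DPAPI master key (CurrentUser scope).
    $plain = [Text.Encoding]::UTF8.GetBytes($Content)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
        $plain, $script:Entropy,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [IO.File]::WriteAllBytes($Path, $blob)
    return $blob.Length
}

function Test-CacheReadable {
    param([string]$Path)
    # Returns $true if the caller's account can decrypt the file, $false if DPAPI
    # rejects it (the expected result under a different user account or machine).
    try {
        $blob  = [IO.File]::ReadAllBytes($Path)
        $plain = [Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $script:Entropy,
            [Security.Cryptography.DataProtectionScope]::CurrentUser)
        $null = [Text.Encoding]::UTF8.GetString($plain)
        return $true
    } catch [Security.Cryptography.CryptographicException] {
        return $false
    }
}

# Constructed sample content standing in for an offline cache.
$cachePath = Join-Path $env:TEMP 'example-offline-cache.bin'
$size = Protect-CacheFile -Path $cachePath -Content 'constructed sample: server list and secrets'
Write-Host "Protected blob written: $size bytes"

# Same account that wrote the file: expected to report True.
Write-Host "Readable by $env:USERNAME : $(Test-CacheReadable -Path $cachePath)"

# To reproduce the "copied to another account" case, run only the check as a second
# user, e.g. from a shell started with runas /user:OTHERUSER powershell, against the
# same file; DPAPI throws CryptographicException there and the function returns False.
```

Note that the check confirms the default-scope behaviour described in the answer, not the "Enhanced" password mode, which adds a user-chosen password on top; and it says nothing about the case the answer already covers, where an attacker is logged on as the same user on the same machine, which is exactly why "Prompt for 2FA before going offline" is the relevant setting for scenarios 1 and 4.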