Securing Windows logons using a password and OTP

A guide to enabling two-factor authentication (TFA) for local and remote access to Windows workstations and servers in the domain


www.adselfserviceplus.com

Table of contents

Why passwords aren't enough

Reinforcing Windows security by enabling TFA

How TFA for Windows works

Prerequisites

Steps for enabling TFA

Highlights of ADSelfService Plus’ TFA

Future proofing: TFA for all enterprise applications

About ADSelfService Plus

Why passwords aren't enough

Passwords are the keys to unlocking access to your Active Directory (AD) kingdom, and cybercriminals will likely never stop targeting these passwords. All a hacker needs is a password cracking tool—there are a number to choose from—to gain access to your network, steal data, and wreak havoc on your enterprise. According to the Data Breach Investigation Report (2018) from Verizon, 81 percent of breaches were caused by stolen passwords.

The password policy settings available in AD have not changed since 2000. Considering how far technology has come, and how adept today's cybercriminals are at using it, a password alone will no longer ensure security. With the right tools, a hacker can break into your AD domain in a matter of minutes.

Knowing the risks associated with passwords, IT compliance laws such as PCI DSS have explicitly prohibited the use of passwords as the only authentication mechanism.

Reinforcing Windows security by enabling TFA

TFA adds an extra layer of security by authenticating users twice before granting access to valuable corporate resources—once through a standard password, and again through a unique identifier like a fingerprint or a one-time password (OTP) sent by email or SMS.

TFA is a better way to authenticate users than relying solely on passwords. It ensures sensitive data remains secure, even in cases where a password is compromised. With TFA, even if an attacker gets access to a user's password, they would still need access to the user's mobile phone, email, or physical presence. TFA is almost impossible for attackers to bypass.

While Microsoft provides Windows Hello for Business, which enables TFA for Windows, it comes with a lot of drawbacks and is quite costly.

Windows logon TFA using ADSelfService Plus

ADSelfService Plus, an integrated AD self-service password management and single sign-on (SSO) solution, provides a simple, affordable way to enable TFA for Windows machines across both local and remote desktop logons.

How TFA for Windows works

When TFA for Windows is enabled in ADSelfService Plus, users will have to authenticate through two successive stages to access their Windows machine.

While the first authentication will be through the usual Windows domain credentials, admins can choose one of the following as the second factor of authentication:

SMS or email-based OTP.

DUO Security.

RSA SecurID.

RADIUS.

Admins can configure the factor of authentication based on OUs and groups.

Here’s how it works:

1. When users log in to their Windows machine, Windows will prompt them to enter their AD domain username and password to prove their identity.

2. If they enter their password correctly, the ADSelfService Plus authentication wizard will open.

3. Next, users must authenticate themselves with an OTP or through a third-party identity provider.

4. Users will now be successfully logged in to their Windows machines.

Figure: Windows logon flow. First factor of authentication using Windows login credentials; second factor of authentication in ADSelfService Plus (1. SMS or email verification codes, 2. DUO Security, 3. RSA SecurID, 4. RADIUS server); access to Windows machine.

If the user fails the second factor of authentication, they will be taken back to the Windows logon screen and will have to start the process from the beginning.

How to enable TFA for Windows in ADSelfService Plus

ADSelfService Plus comes with a built-in logon agent for Windows, which is a custom Credential Provider. You must install this logon agent to enable TFA for Windows. The logon agent must be pushed to the Windows clients and servers from the ADSelfService Plus web console itself. ADSelfService Plus also comes with a scheduler that will automatically scan your network for new computers added to the domain and install the logon agent on them.

Let’s learn how to enable TFA for Windows.

Prerequisites

Download and install ADSelfService Plus.

Deploy the logon agent for Windows (Credential Provider): You must install the logon agent through the GINA/Mac installation console (Configuration > Administrative Tools > GINA/Mac (Ctrl + Alt + Del) > GINA/Mac Installation) available in ADSelfService Plus.

Enable SSL and login TFA:

1. Log in to the ADSelfService Plus web console with admin credentials; if you're logging in for the first time, the username and password are both admin.

2. Navigate to Configuration > Administrative Tools > GINA/Mac (Ctrl+Alt+Del) > Windows Logon TFA.

3. Click SSL (HTTPS). Check Enable SSL Port, and click Save. Restart ADSelfService Plus. For information on how to enable SSL using a self-signed or CA-signed certificate, refer to this guide.

4. Back in the Windows Logon TFA screen, click Login TFA. In Logon TFA settings, check Enable Two-Factor Authentication, and configure any one of the authentication methods provided.

5. Click OK.

Steps for enabling TFA

1. Log in to the ADSelfService Plus web console with admin credentials.

2. Navigate to Configuration > Administrative Tools > GINA/Mac (Ctrl + Alt + Del) > Windows Logon TFA.

3. Check Enable Windows Logon TFA.

By default, the Bypass TFA if ADSelfService Plus is down box is checked when you enable Windows Logon TFA. Checking this box ensures that users will still be able to access their machines if ADSelfService Plus, for any reason, is inaccessible.

4. Click Configure Access and make sure that the access URL has HTTPS as its selected Protocol.

5. Click Save.

That’s it! TFA has now been enabled for Windows machines in your organization using ADSelfService Plus.
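As an added illustration (not part of this guide or of the product), the following PowerShell check can be run from an elevated prompt on a client after the steps above to confirm the logon agent is registered as a credential provider, that the access URL uses HTTPS, and that the server is reachable (which matters because the default bypass setting fails open to password-only logon). The server URL is a placeholder, and matching the provider by a name containing "ADSelfService" is an assumption.

```powershell
# Added example, not vendor code. Run as administrator on a Windows client.
# Assumptions: the logon agent is registered under the standard Credential Providers
# key and its registered name contains "ADSelfService"; $AccessUrl is a placeholder.
$AccessUrl = 'https://adselfserviceplus.example.internal'   # placeholder: your access URL

function Get-CredentialProviders {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    Get-ChildItem $key | ForEach-Object {
        $clsid = $_.PSChildName
        $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid = $clsid
            Name  = (Get-ItemProperty $_.PSPath).'(default)'
            Dll   = if ($srv) { $srv.'(default)' } else { $null }
        }
    }
}

# 1. Is the logon agent registered, and is its DLL present and Authenticode-signed?
#    A missing provider means TFA is not enforced on this host; an unsigned or
#    missing DLL means the push did not complete or the file was altered.
$agent = Get-CredentialProviders | Where-Object { $_.Name -like '*ADSelfService*' }  # assumed name
if (-not $agent) {
    Write-Warning 'No ADSelfService Plus credential provider registered; Windows logon TFA is not enforced here.'
} else {
    foreach ($p in $agent) {
        $sig = if ($p.Dll -and (Test-Path $p.Dll)) { (Get-AuthenticodeSignature $p.Dll).Status } else { 'DllMissing' }
        '{0}  {1}  signature={2}' -f $p.Clsid, $p.Dll, $sig
    }
}

# 2. The access URL must be HTTPS: the second factor is exchanged with the server over it.
if (([uri]$AccessUrl).Scheme -ne 'https') {
    Write-Warning "Access URL $AccessUrl is not HTTPS; OTP traffic would be sent in clear text."
}

# 3. "Bypass TFA if ADSelfService Plus is down" fails open, so an unreachable server
#    silently downgrades logon to password-only. Treat unreachability as an alert.
#    A self-signed certificate also fails here, which is itself worth knowing.
try {
    $resp = Invoke-WebRequest -Uri $AccessUrl -UseBasicParsing -TimeoutSec 5
    'ADSelfService Plus reachable, HTTP {0}' -f $resp.StatusCode
} catch {
    Write-Warning "ADSelfService Plus not reachable from this host ($($_.Exception.Message)); with bypass enabled, logons fall back to password-only."
}
```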

Highlights of ADSelfService Plus’ TFA

Mitigates risks associated with poor passwords

Users nowadays have multiple accounts—both for personal and business use. To avoid forgetting the numerous passwords they have to remember, they often use the same password across all accounts, or set weak passwords. You can mitigate the risks of poor password behavior by enabling TFA.

Granularly enforce TFA

You can enforce TFA for all users or only for select individuals—such as those that have elevated privileges and are at higher risk of security attacks—through OU and group-based policies.

Comply with PCI DSS and the GDPR

TFA is a requirement in the latest version of PCI DSS (3.2). The European Union Agency for Network and Information Security (ENISA) also recommends implementing TFA as a technical measure to comply with the GDPR.

Future proofing: TFA for all enterprise applications

ADSelfService Plus allows you to provide a simple, secure, and seamless logon experience to users across all their enterprise applications—not just AD. By enabling SSO in ADSelfService Plus, you can allow users to access all their SAML-based enterprise applications, even those that were developed in-house, by authenticating once using the same factors that they use to log in to their Windows machines.

SSO saves users from entering their credentials multiple times a day, cuts down the number of passwords they need to remember to one, and improves their overall experience of using multiple applications.

To learn more about enabling TFA and SSO for all enterprise applications, read this guide.

About ADSelfService Plus

ADSelfService Plus is an integrated Active Directory self-service password management and single sign-on solution. It offers password self-service, password expiration reminders, a self-service directory updater, a multiplatform password synchronizer, and single sign-on for cloud applications. Facilitate self-service for end users anywhere at any time with mobile apps for both Android and iPhone users. ADSelfService Plus supports the IT help desk by reducing password reset tickets and spares end users the frustration caused by computer downtime.

For more information, please visit www.manageengine.com/products/self-service-password.