Securing Administrator Access to Internal Windows Servers



Contents

1. Introduction
2. PKI implementation
   Require two-factor authentication for computers
   Require two-factor authentication for users
3. OTP implementation
4. Emergency cases
5. Conclusion

1. Introduction

The present document contains some advice on securing administrator access to internal servers in a Windows environment with two-factor authentication. It can be used to secure access to sensitive servers such as Domain Controllers, Active Directories, Certificate Authorities or databases.

2. PKI implementation

Strong authentication can be enforced either at the user level or at the computer level. In both cases, a user trying to authenticate with a simple password will be denied access and the following error message will be displayed.

Figure: Error message displayed when a user authenticating with a password has been denied access

Require two-factor authentication for computers

This can be set as a Domain GPO or a Local GPO. Below is an example of a GPO applied to a computer named APP1.

Figure: 2-factor authentication GPO applied to a computer

To enforce smart card authentication, enable "Interactive logon: Require smart card" in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options as shown below.

Figure: Configuring the GPO to require smart card

When the GPO is not defined, the local policy "Interactive logon: Require smart card" can be set in Local Policies -> Security Options. This setting is not available on Domain Controllers.

Figure: Configuring the local computer policy to require smart card
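The following PowerShell audit is an added example, not part of the original document. It verifies the computer-level setting described above (which Windows stores as the ScForceOption registry value under the Policies\System key) on the servers listed, and also reports which administrator accounts lack the user-level "Smart card is required for interactive logon" flag described in the next subsection. The server list reuses APP1 from the document; the admin group name is a placeholder, and the script assumes the ActiveDirectory module and remoting rights.

```powershell
# Added audit example (not from the original document). Assumptions: run as a domain
# administrator with the ActiveDirectory module and PowerShell remoting to the servers.
$SensitiveServers = @('APP1')                    # APP1 is the computer named in the document
$AdminGroup       = 'PLACEHOLDER-ServerAdmins'   # hypothetical group holding the admin accounts

# 1. Computer level: "Interactive logon: Require smart card" is backed by the
#    ScForceOption DWORD (1 = enabled) under HKLM\...\Policies\System.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($server in $SensitiveServers) {
    $value = Invoke-Command -ComputerName $server -ScriptBlock {
        (Get-ItemProperty -Path $using:policyKey -Name ScForceOption `
            -ErrorAction SilentlyContinue).ScForceOption
    }
    $state = if ($value -eq 1) { 'smart card required' } else { 'REVIEW: password logon still allowed' }
    Write-Output ('{0,-12} {1}' -f $server, $state)
}

# 2. User level: "Smart card is required for interactive logon" is the SMARTCARD_REQUIRED
#    bit (0x40000) of userAccountControl, exposed by Get-ADUser as SmartcardLogonRequired.
Import-Module ActiveDirectory
$admins = Get-ADGroupMember -Identity $AdminGroup -Recursive |
          Where-Object objectClass -eq 'user' |
          Get-ADUser -Properties SmartcardLogonRequired, PasswordLastSet

foreach ($account in $admins) {
    $flag = if ($account.SmartcardLogonRequired) { 'OK' } else { 'REVIEW: single-factor allowed' }
    Write-Output ('{0,-25} {1}' -f $account.SamAccountName, $flag)
}

# Remediation for flagged accounts, to run only after review. As the document notes,
# enabling the flag makes Windows replace the account password with a random one
# that is not disclosed to the user, so keep a separate non-smart-card account if needed.
# $admins | Where-Object { -not $_.SmartcardLogonRequired } |
#     Set-ADUser -SmartcardLogonRequired $true
```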

Require two-factor authentication for users

This can be set in the AD user account properties by enabling "Smart card is required for interactive logon" as shown in the screenshot below.

Figure: Active Directory settings to require a user to authenticate with a smart card

When this option is enabled, Windows sets the user account with a very complex password which is not disclosed to the user. Because some less sensitive applications may not support smart card authentication, administrators may have two accounts: one requiring a smart card, which gives access to the sensitive servers, and a normal user account.

3. OTP implementation

An OTP implementation is similar in many ways to the PKI implementation. The GPO can be used in the same way to enforce strong authentication on a resource, but it can't be set at the user level. The AD setting can also be used if the OTP server is not configured to delegate the password verification to the AD. As shown below, OTP and PKI authentication can even live side by side:

Figure: Windows Logon with OTP and PKI authentication tiles

Here are a few points to take into consideration when choosing between OTP and PKI for strong authentication in this use case:
- The PKI implementation requires a physical device to be connected to the client/remote client.
- The OTP Windows Logon is supported only on Windows 7 and Windows Server 2008 R2.
- The OTP Windows Logon is not compatible with RDP yet. We are working on solving this technical issue with Microsoft.
- The OTP Windows Logon does not support offline authentication. PKI smart card credentials are cached and can be used even if the network is down.

4. Emergency cases

It is important to ensure the availability of the strong authentication infrastructure so that the system is accessible at all times. For the PKI implementation, this means, for example, keeping the CRL (Certificate Revocation List) always accessible. For the OTP implementation, it means, for example, having an OTP server in the same physical location as the resource being accessed, in case the communication between datacenters is down.

In some rare cases, the strong authentication may not be available and a fallback will be required. For example, all the network cards on a server fail and the machine cannot access the CRL or the OTP server.
- For the PKI implementation, a smart card with a long-life certificate (e.g. 10 years) can be created and stored in a safe. If the administrator certificates were not renewed in time, this emergency card can be used.
- If the smart card is required at the user level, a special user with a known, extremely complex password can be created and its credentials stored in a safe. The password can also be split and stored in two different locations. In case of emergency, this account can be used to access the server.
- As a last resort, booting in safe mode or booting from a Linux CD can also be used. This does not apply to Domain Controllers.

5. Conclusion

Requiring PKI smart card authentication at the user level makes it easier to recover from a situation where the strong authentication is not available, but it requires the administrators to be careful when managing the user accounts that can access these servers. Requiring strong authentication (PKI or OTP) at the computer level is a safer way to ensure nobody can access a resource with a single factor of authentication, but it may be more complex to recover from the unavailability of the strong authentication system.