AuthLite 2-Factor for Windows Administration


AuthLite 2-Factor for Windows Administration
J. Greg Mackinnon, Windows Technical Lead | Cloud Engineering
Yale University | Information Technology Services

What it is:
- Software that installs on your domain controllers
- Creates a DS partition:
  - Holds MFA device seeds and user associations
  - Holds AD group transformation rules
- Intercepts authentication attempts:
  - Does the username match an enrolled user?
  - If so, transform 1FA groups to 2FA groups

How to implement:
- When authenticating with 1-factor, standard group memberships apply.
- All 1F logons are added to the global “1FactorTag” group.
  - This group can be added to “Deny” ACLs or to the “Deny logon to Remote Desktop Services” local security policy.
- Two-factor logons get transformed according to a table stored in AD.
- Grant access to the “two-factor” groups, not the one-factor groups.
- This allows easy implementation of “Authentication Method Assurance”.
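The group design on this slide, as an added PowerShell example that is not AuthLite's own tooling: it creates the two-factor counterpart of an admin group, grants a high-value folder to that 2F group only, adds an explicit Deny for the slide's “1FactorTag” group, and includes an audit check for the Deny entry. It assumes the ActiveDirectory module, that AuthLite is already configured to tag one-factor logons with 1FactorTag and to transform the 1F admin group into its 2F counterpart (the transformation table itself lives in AuthLite's AD partition and is not configured here). The domain name, group names and folder path are hypothetical.

```powershell
# Added example (not AuthLite's code). Assumes the ActiveDirectory module and an
# AuthLite deployment that tags 1F logons with "1FactorTag" and substitutes
# $AdminGroup2F for $AdminGroup1F on 2F logons. Names below are hypothetical.
Import-Module ActiveDirectory

$Domain        = 'CAMPUS'            # hypothetical NetBIOS domain name
$OneFactorTag  = '1FactorTag'        # group AuthLite adds to every 1F logon (from the slide)
$AdminGroup1F  = 'Server Admins'     # hypothetical group held by 1F logons
$AdminGroup2F  = 'Server Admins-2F'  # hypothetical group AuthLite substitutes on 2F logons
$SensitivePath = 'D:\AdminTools'     # hypothetical high-value folder

# Create the 2F counterpart group if it does not exist yet. Mapping $AdminGroup1F
# to $AdminGroup2F is done in AuthLite's own transformation table, not here.
if (-not (Get-ADGroup -Filter "Name -eq '$AdminGroup2F'")) {
    New-ADGroup -Name $AdminGroup2F -GroupScope Global -GroupCategory Security `
        -Description "Two-factor counterpart of '$AdminGroup1F' (AuthLite transform target)"
}

function Set-TwoFactorOnlyAcl {
    # Grant the resource to the 2F group only and add an explicit Deny for 1FactorTag.
    # Deny ACEs take precedence, so an admin whose other group memberships would allow
    # access is still blocked when the logon carried only one factor.
    param([string] $Path, [string] $Domain, [string] $TwoFactorGroup, [string] $OneFactorTag)
    $acl     = Get-Acl -Path $Path
    $inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\$TwoFactorGroup", 'Modify', $inherit, $prop, 'Allow')
    $deny  = [System.Security.AccessControl.FileSystemAccessRule]::new("$Domain\$OneFactorTag", 'FullControl', $inherit, $prop, 'Deny')
    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-OneFactorDenied {
    # Audit check: does the resource's ACL carry an explicit Deny for 1FactorTag?
    param([string] $Path, [string] $Domain, [string] $OneFactorTag)
    $acl  = Get-Acl -Path $Path
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq "$Domain\$OneFactorTag"
    })
    return ($hits.Count -gt 0)
}

Set-TwoFactorOnlyAcl -Path $SensitivePath -Domain $Domain -TwoFactorGroup $AdminGroup2F -OneFactorTag $OneFactorTag
$denied = Test-OneFactorDenied -Path $SensitivePath -Domain $Domain -OneFactorTag $OneFactorTag
"Deny ACE for $Domain\$OneFactorTag present on ${SensitivePath}: $denied"

# The slide's other control, adding 1FactorTag to the "Deny logon to Remote Desktop
# Services" user right (SeDenyRemoteInteractiveLogonRight), is assigned through
# Group Policy rather than from this script.
```

The audit function is the part worth keeping around: run it over the paths you consider high-value and alert on any that return false, since a Deny ACE silently dropped during an ACL rewrite is exactly the kind of drift that turns a two-factor-only resource back into a password-only one.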

Sign-In Experience:
- No Client (Yubikey):
  - Username: [DOMAIN]\[OTP]
  - Password: [1F Password]
- No Client (OATH):
  - Username: [DOMAIN]\[NetID]-[OTP]
- With Client:
  - Username: [DOMAIN]\[NetID]
  - Password: [1F Password]-[OTP]
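What the OATH variant above actually carries, as an added PowerShell example that is not part of the presentation or of AuthLite: it computes and verifies a TOTP code the way a Google Authenticator style soft token does (RFC 6238: HMAC-SHA1, 30-second step, 6 digits), self-checks against the RFC's published test vector, and splits the clientless “[DOMAIN]\[NetID]-[OTP]” username form back into account and one-time code. The function names, the sample domain, NetID and base32 seed are all constructed for this example.

```powershell
# Added example (not AuthLite's code): RFC 6238 TOTP in PowerShell plus a parser for
# the "[DOMAIN]\[NetID]-[OTP]" sign-in form. Names and sample values are constructed.

function ConvertFrom-Base32 {
    # Soft-token seeds are usually shared as base32 (RFC 4648); decode to raw bytes.
    param([Parameter(Mandatory)][string] $Text)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = [System.Text.StringBuilder]::new()
    foreach ($ch in $Text.ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($ch)
        if ($idx -lt 0) { throw "Invalid base32 character: $ch" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $bitString = $bits.ToString()
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bitString.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bitString.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]] $Secret,
        [Parameter(Mandatory)][long]   $UnixTime,
        [int] $Step = 30,
        [int] $Digits = 6
    )
    # Moving factor: whole time steps since the Unix epoch, encoded big-endian.
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [array]::Reverse($msg) }
    $hash = [System.Security.Cryptography.HMACSHA1]::new($Secret).ComputeHash($msg)
    # Dynamic truncation (RFC 4226 5.3): low nibble of the last byte selects a 4-byte window.
    $offset = $hash[19] -band 0x0F
    $binary = (($hash[$offset] -band 0x7F) -shl 24) -bor
              ($hash[$offset + 1] -shl 16) -bor
              ($hash[$offset + 2] -shl 8) -bor
              $hash[$offset + 3]
    $code = $binary % [int][math]::Pow(10, $Digits)
    return $code.ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Accept the current step plus +/- $Window steps to tolerate clock drift.
    param([byte[]] $Secret, [string] $Code, [long] $UnixTime, [int] $Step = 30, [int] $Window = 1)
    for ($drift = -$Window; $drift -le $Window; $drift++) {
        if ((Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + $Step * $drift) -Step $Step) -eq $Code) {
            return $true
        }
    }
    return $false
}

function Split-OtpUsername {
    # Clientless OATH form from the slide: [DOMAIN]\[NetID]-[OTP]. The OTP is the digits after the last dash.
    param([Parameter(Mandatory)][string] $Username)
    if ($Username -match '^(?:(?<domain>[^\\]+)\\)?(?<netid>.+)-(?<otp>\d{6,8})$') {
        return [pscustomobject]@{ Domain = $Matches.domain; NetId = $Matches.netid; Otp = $Matches.otp }
    }
    throw "Username '$Username' does not end in -<OTP>"
}

# Self-check against the RFC 6238 test vector: ASCII seed "12345678901234567890", T=59 -> 287082.
$rfcSeed = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
if ((Get-TotpCode -Secret $rfcSeed -UnixTime 59) -ne '287082') { throw 'RFC 6238 test vector failed' }

# Constructed enrolment: made-up base32 seed, domain and NetID.
$seed  = ConvertFrom-Base32 'JBSWY3DPEHPK3PXP'
$now   = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$login = Split-OtpUsername ('CAMPUS\jdoe42-' + (Get-TotpCode -Secret $seed -UnixTime $now))
"NetID={0} OTP={1} valid={2}" -f $login.NetId, $login.Otp, (Test-TotpCode -Secret $seed -Code $login.Otp -UnixTime $now)
```

Two points this makes visible: the verifier needs the seed in clear (which is why the slide's DS partition holding “MFA device seeds” sits on the domain controllers), and a code is only as fresh as the accepted window, so a wider drift window directly extends how long a captured OTP stays usable.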

Advantages:
- Multi-protocol protection:
  - “Windows Auth”: NTLM/Kerberos on RDP, WinRM, SMB, RPC, others.
  - Support for RADIUS and LDAP
- Low Cost:
  - Perpetual licenses, upgrades included
  - Inexpensive / free tokens: Yubikey, Google Authenticator (soft token), any other OATH / TOTP token
- Simple “Authentication Method Assurance”, for Kerberos and NTLM
- Clientless architecture (works with Mac/Linux!):
  - Does not require Windows 10 (unlike “Windows Hello”)
  - No client-side drivers, crypto providers, or other software required (unlike “Smart Card”)
- Resides in the Domain Controller:
  - No internet access or proxy required (unlike Duo)
  - No additional servers required (unlike RSA)
  - No need to provision accounts in an external provider (unlike RSA or Duo)
- Easy provisioning.
- LDAP integration can be used to secure high-value targets such as VMware vCenter.

Disadvantages:
- OMG! Third-party software on the domain controllers!
- OMG! Tiny vendor, no “magic quadrant”.
- Still does not protect you from Pass-the-ticket!
- Not a great fit for broad-access applications:
  - Retraining required for the logon process
  - Not as intuitive as other solutions such as Duo
  - Might be impossible to use with SAML
  - Probably not useful for many Cloud solutions
- Our intention is to use AuthLite to secure Windows Admin credentials, not to use it as a general-purpose MFA solution.

References
- Smart Card and NTLM hashes: http://www.infosecisland.com/blogview/23657-Smart-Card-Logon-The-Good-the-Bad-and-the-Ugly.html
- AuthLite and Pass-the-Hash: http://www.collectivesoftware.com/blog/blog-articles/exploring-pass-the-hash-authentication-authorization-and-security-groups/
- Win High-Ed Discussion on AuthLite: https://mailman.stanford.edu/mailman/private/windows-hied/2015-November/019376.html