Presentation is loading. Please wait.

Presentation is loading. Please wait.

AuthLite 2-Factor for Windows Administration

Published byJared Bradford Modified over 6 years ago

Similar presentations

Presentation on theme: "AuthLite 2-Factor for Windows Administration"— Presentation transcript:

1 AuthLite 2-Factor for Windows Administration
J. Greg Mackinnon Windows Technical Lead | Cloud Engineering Yale University | Information Technology Services

2 What it is: Software that installs on your domain controllers
Creates a DS partition: Holds MFA device seeds and user associations Holds AD group transformation rules Intercepts authentication attempts: Does the username match an enrolled user? If so, transform 1FA groups to 2FA groups

3 How to implement: When authenticating with 1-factor, standard group memberships apply. All 1F logons are added to the global “1FactorTag” group. This group can be added to “Deny” ACLs or “Deny logon to Remote Desktop Services” local security policy. Two factor logons get transformed according to a table stored in AD. Grant access to the “two-factor” groups, not the one factor groups. This allows easy implementation of “Authentication Method Assurance”.

4 Sign-In Experience: No Client (Yubikey): Username: [DOMAIN]\[OTP]
Password: [1F Password] No Client (OATH): Username: [DOMAIN]\[NetID]-[OTP] With Client: Username: [DOMAIN]\[NetID] Password: [1F Password]-[OTP]

5 Advantages: Multi-protocol protection: Low Cost:
“Windows Auth”: NTLM/Kerberos on RDP, WinRM, SMB, RPC, others. Support for RADIUS and LDAP Low Cost: Perpetual licenses, upgrades included Inexpensive / free tokens: Yubikey Google Authenticator (soft token) Any other OATH / tOTP token Simple “Authentication Method Assurance”, for Kerberos and NTLM Clientless architecture (Works with Mac/Linux!): Does not require Windows 10 (Unlike “Windows Hello”) No client-side drivers, crypto providers, or other software required (Unlike “Smart Card”) Resides in the Domain Controller: No internet access or proxy required (unlike Duo) No additional servers required (unlike RSA) No need to provision accounts in an external provider (unlike RSA or Duo) Easy provisioning. LDAP integration can be used to secure high-value targets such as VMware vCenter.

6 Disadvantages OMG! Third party software on the domain controllers!
OMG! Tiny vendor, no “magic quadrant”. Still does not protect you from Pass-the-ticket! Not a great fit for broad-access applications Retraining required for logon process Not as intuitive as other solutions such as Duo Might be impossible to use with SAML Probably not useful for many Cloud solutions Our intention is to use AuthLite to secure Windows Admin credentials, not to be used as a general purpose MFA solution.

7 References Smart Card and NTLM hashes: The-Good-the-Bad-and-the-Ugly.html AuthLite and Pass-the-Hash: pass-the-hash-authentication-authorization-and-security-groups/ Win High-Ed Discussion on AuthLite: November/ html

Download ppt "AuthLite 2-Factor for Windows Administration"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Azure AD & Office 365 1. Logon with Username / Password 2. MFA challenge 3. Reply to MFA challenge -1-way or 2-way SMS -Phone call -Mobile Application.

Azure AD & Office Logon with Username / Password 2. MFA challenge 3. Reply to MFA challenge -1-way or 2-way SMS -Phone call -Mobile Application.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation

©2006 Microsoft Corporation. All rights reserved. Windows Vista Security Tidbits Steve Riley Senior Security Strategist Microsoft Corporation
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
Digital DNA Server Login People ®. Login People ˃ IT security vendor ˃ Patented Digital DNA ® technology innovation Digital DNA Server Multi-factor Authentication.

Digital DNA Server Login People ®. Login People ˃ IT security vendor ˃ Patented Digital DNA ® technology innovation Digital DNA Server Multi-factor Authentication.
Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling.

Kerberos Part 1 CNS 4650 Fall 2004 Rev. 2. The Name Greek Mythology Cerberus Gatekeeper of Hates Only allowed in dead Prevented dead from leaving Spelling.
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Active Directory Integration with Microsoft Office 365

Active Directory Integration with Microsoft Office 365
Active Directory Integration with Microsoft Office 365 Ross Adams & Jono Luk Program Managers Microsoft Corporation OSP321.

Active Directory Integration with Microsoft Office 365 Ross Adams & Jono Luk Program Managers Microsoft Corporation OSP321.
MOBILE SECURITY MADE EASY. STOCKHOLM SOFTWARE COMPANY.

MOBILE SECURITY MADE EASY. STOCKHOLM SOFTWARE COMPANY.
2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server 1 2 3 Sue’s.

2 User: Sue Password hash: C9DF4E… Sue’s Laptop User: Sue Password: a1b2c3 Sue’s User Session User: Sue Password hash: C9DF4E… File Server Sue’s.

Similar presentations

Ads by Google