AuthLite 2-Factor for Windows Administration

Presentation on theme: "AuthLite 2-Factor for Windows Administration"— Presentation transcript:

1 AuthLite 2-Factor for Windows Administration
J. Greg Mackinnon Windows Technical Lead | Cloud Engineering Yale University | Information Technology Services

2 What it is:
- Software that installs on your domain controllers
- Creates a DS partition:
  - Holds MFA device seeds and user associations
  - Holds AD group transformation rules
- Intercepts authentication attempts:
  - Does the username match an enrolled user?
  - If so, transform 1FA groups to 2FA groups

3 How to implement:
- When authenticating with 1-factor, standard group memberships apply.
- All 1F logons are added to the global “1FactorTag” group. This group can be added to “Deny” ACLs or the “Deny logon to Remote Desktop Services” local security policy.
- Two-factor logons get transformed according to a table stored in AD.
- Grant access to the “two-factor” groups, not the one-factor groups.
- This allows easy implementation of “Authentication Method Assurance”.
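The slide describes the whole access-control idea in three sentences: a 1-factor logon keeps its normal groups plus a global tag, a 2-factor logon has its groups rewritten from a table, and resources grant only the rewritten groups. The following Python model, added here as an illustration and not AuthLite's own code, plays that out against a Windows-style ACL (any matching Deny wins over Allow). The group names, the transformation table, the enrolled-user list and the rule that every non-2F logon receives the tag are constructed assumptions for the example.

```python
"""Model of AuthLite-style group transformation ("Authentication Method Assurance").

Illustrative simulation, not AuthLite's implementation. Group names, the
transformation table and the enrollment list are constructed for the example.
"""

ONE_FACTOR_TAG = "1FactorTag"   # global group named on slide 3

# Constructed transformation table. In AuthLite this lives in the AD partition:
# a 1-factor group name -> the 2-factor group a verified 2FA logon gets instead.
TRANSFORM_RULES = {
    "Domain Admins": "Domain Admins-2F",
    "Server Operators": "Server Operators-2F",
}

# Constructed enrollment list: users with a registered second factor.
ENROLLED_USERS = {"alice", "bob"}


def effective_groups(user, groups, second_factor_ok):
    """Return the group set the logon token ends up with.

    Modelled from the slide:
      * a verified 2-factor logon of an enrolled user has each 1F group
        rewritten to its 2F twin (groups without a rule are kept as-is);
      * every other logon is a 1-factor logon: it keeps its groups and gains
        the global 1FactorTag group (assumption: this includes users who are
        not enrolled at all, since they can never present a second factor).
    """
    groups = set(groups)
    if second_factor_ok and user in ENROLLED_USERS:
        return {TRANSFORM_RULES.get(g, g) for g in groups}
    return groups | {ONE_FACTOR_TAG}


def access_allowed(token_groups, allow, deny):
    """Windows-style ACL evaluation: a matching Deny ACE wins over any Allow."""
    if token_groups & deny:
        return False
    return bool(token_groups & allow)


# Resource protected the way slide 3 recommends: grant the 2F group only and
# explicitly deny the 1F tag (belt and braces; the grant alone already excludes 1F).
RDP_ALLOW = {"Domain Admins-2F"}
RDP_DENY = {ONE_FACTOR_TAG}

# A legacy resource that still grants the 1F group name, for contrast.
SHARE_ALLOW = {"Domain Admins"}
SHARE_DENY = set()


def rdp_decision(user, groups, second_factor_ok):
    token = effective_groups(user, groups, second_factor_ok)
    return access_allowed(token, RDP_ALLOW, RDP_DENY)


def share_decision(user, groups, second_factor_ok):
    token = effective_groups(user, groups, second_factor_ok)
    return access_allowed(token, SHARE_ALLOW, SHARE_DENY)


if __name__ == "__main__":
    cases = [
        ("alice", {"Domain Admins"}, False),   # enrolled admin, password only
        ("alice", {"Domain Admins"}, True),    # enrolled admin, OTP verified
        ("carol", {"Domain Admins"}, False),   # admin who never enrolled
    ]
    for user, groups, ok in cases:
        print(user, "2FA" if ok else "1FA",
              "RDP:", rdp_decision(user, groups, ok),
              "share:", share_decision(user, groups, ok))
```

The contrast between the two resources is the point of the slide: the share that still grants the 1F group name admits a password-only admin, while the RDP host that grants only the 2F group (and denies the tag) admits the same admin only after the second factor has been verified, and never admits an admin who has not enrolled.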

4 Sign-In Experience:
- No Client (Yubikey):
  - Username: [DOMAIN]\[OTP]
  - Password: [1F Password]
- No Client (OATH):
  - Username: [DOMAIN]\[NetID]-[OTP]
- With Client:
  - Username: [DOMAIN]\[NetID]
  - Password: [1F Password]-[OTP]

5 Advantages:
- Multi-protocol protection:
  - “Windows Auth”: NTLM/Kerberos on RDP, WinRM, SMB, RPC, others.
  - Support for RADIUS and LDAP
- Low Cost:
  - Perpetual licenses, upgrades included
  - Inexpensive / free tokens: Yubikey, Google Authenticator (soft token), any other OATH / TOTP token
- Simple “Authentication Method Assurance”, for Kerberos and NTLM
- Clientless architecture (Works with Mac/Linux!):
  - Does not require Windows 10 (Unlike “Windows Hello”)
  - No client-side drivers, crypto providers, or other software required (Unlike “Smart Card”)
- Resides in the Domain Controller:
  - No internet access or proxy required (unlike Duo)
  - No additional servers required (unlike RSA)
  - No need to provision accounts in an external provider (unlike RSA or Duo)
- Easy provisioning.
- LDAP integration can be used to secure high-value targets such as VMware vCenter.

6 Disadvantages
- OMG! Third party software on the domain controllers!
- OMG! Tiny vendor, no “magic quadrant”.
- Still does not protect you from Pass-the-ticket!
- Not a great fit for broad-access applications:
  - Retraining required for logon process
  - Not as intuitive as other solutions such as Duo
  - Might be impossible to use with SAML
  - Probably not useful for many Cloud solutions
- Our intention is to use AuthLite to secure Windows Admin credentials, not to be used as a general purpose MFA solution.

7 References
- Smart Card and NTLM hashes: The-Good-the-Bad-and-the-Ugly.html
- AuthLite and Pass-the-Hash: pass-the-hash-authentication-authorization-and-security-groups/
- Win High-Ed Discussion on AuthLite: November/ html
