Windows Domain 2 Factor Authentication (2FA)

Windows domains and Active Directory (AD) makes it easy for administrators to control a large number of business PCs and devices from a central location. Today, a huge percentage of enterprises continue to rely on Windows domain AD to manage assets, users, systems, policies, profiles, and rights.

Even after all these years, the consistency, centralized management, and scalability of a Windows domain mean it continues to live at the center of a company’s IT infrastructure, but it doesn’t mean it can’t be enhanced. Take the security of Active Directory user credentials. Over 80% of hacking-related breaches involve the use of lost or stolen user credentials. Using only a strong user name and password doesn’t cut it anymore. Your Active Directory Password can be cracked in 5 minutes or less!

2FA with Active Directory

UserLock is a security solution aimed at protecting Windows domain AD with two factor authentication (2FA) and contextual access restrictions.

Enabling 2FA for endpoints across a Windows AD domain is extremely difficult to put together without third party software. Additionally, the complexity increases as more and more businesses extend their architecture outside of traditional perimeters, meaning many more users are dependent on Remote Desktop (RDP) connections and Virtual Private Network (VPN) access.

With UserLock, 2FA for endpoints is very easy across all session types, including Windows logins, RDP connections and VPN sessions.

  1. To start, the UserLock software is deployed right alongside Active Directory and a light agent distributed across all devices you want to protect. An automated deployment engine makes it easy even for larger user bases. (No modifications are made to AD accounts, its structure or its schema).
  2. Next, you simply look-up and add Active Directory users via a wizard. You don’t have to add accounts individually, you can look-up and add Active Directory groups or organizational units that you want to protect with 2FA.
  3. Once configured for 2FA, a user is prompted on their next login, to install an authentication application or invited to use a hardware-based token such as YubiKey or Token2. At subsequent logins where 2FA is required, they are simply presented with a dialog box for the validation code, after the password.
  4. To determine exactly how, when, and where the user is prompted for a second factor, administrators define granular circumstances that can be for just one individual or easily scaled across groups of users.

The users’ self-enrollment can be set over a specific time period. Whilst the process is extremely simple the user always has the option to “ask for help” from an administrator any time during the process.

So in just a few short configuration steps, 2FA can be added to bolster login security across your Windows domain.

Superior 2FA with Restrictions & Visibility

In addition to 2FA, UserLock also offers a multitude of other options as to how to better protect login access. You can configure device restrictions, time restrictions, and geolocation restrictions or even limit the number of simultaneous connections.

These type of contextual access restrictions offer customized policies beyond what is natively capable in Active Directory, to further protect login credentials and help avoid prompting the user for 2FA each time they log in.

An extremely powerful part of the UserLock solution is also the visibility, auditing, and reporting that you get. You can see in great detail how users are conducting themselves throughout various login sessions. If you find any suspicious activity on any specific account, an administrator can choose to block the user or close certain connections that a user may currently have – all direct from the UserLock console.


Download UserLock for 2FA on Windows Domain

The sobering reality for companies without two-factor authentication is that when employees fall for phishing scams or share passwords, you are wide open to attack.

By enabling 2FA and contextual restrictions, UserLock helps ensure only the appropriate use of critical systems and sensitive data to avoid a breach or non-compliance. Download now a free 30-Day fully functional trial and see for yourself.

The post Windows Domain 2 Factor Authentication (2FA) appeared first on Enterprise Network Security Blog from IS Decisions.

*** This is a Security Bloggers Network syndicated blog from Enterprise Network Security Blog from IS Decisions authored by Chris Bunn. Read the original post at: