
Windows logon and MFA



We are looking for an MFA solution as extra protection for our Windows domain. I tried a couple of them: Duo and UserLock. They offer device-based MFA for Windows, which is fine if you want extra protection for your PC. However, they don't provide MFA on the domain level. If the MFA client software isn't installed on a PC, a user can simply log on to the domain without MFA.

I have studied ESET Secure Authentication, and I wonder how Windows logon requires MFA. The server part of Secure Authentication can integrate with AD, which is promising. But the part about Windows Login protection talks about installing client software. To me, this looks like the Windows Logon part of Secure Authentication works the same way as Duo and UserLock, i.e. without the client software you can simply log on without MFA.

Any thoughts on this?


  • ESET Staff

Hi @Simon_Weel,

I'm not sure how Duo has it, but I can explain that ESET Secure Authentication needs to be installed on the client's computer in order to connect with the server side, meaning that the server knows which computer has to use 2FA against it.

So in general you install the Server, and afterwards you install the component on the client side; during the initial set-up they exchange secrets.

Hope this will help you.

Ingemar


  • ESET Staff

@Simon_Weel, the short answer is no, but let me try to put together a longer answer as well so you can understand it.

When you install the component on your local computer, it enables 2FA for any user who is among the users of the product, or in the domain of your users, who is allowed to authenticate on that specific computer. However, you can allow non-2FA users to access the computer if you wish, even if the component is installed on the computer.

Hope it helps; if anything is unclear, just feel free to follow up.


On 9/27/2022 at 6:38 AM, Simon_Weel said:

I tried a couple of them: Duo and UserLock. They offer device-based MFA for Windows, which is fine if you want extra protection for your PC. However, they don't provide MFA on the domain level. If the MFA client software isn't installed on a PC, a user can simply log on to the domain without MFA.

Reviewing the overview for UserLock here: https://www.isdecisions.com/products/userlock/, it appears to protect access to AD without any MFA client software installed. I would contact UserLock for clarification of your assumption.


  • ESET Staff

@Simon_Weel, I would assume most vendors have some kind of deployment on the client's machine. I have never seen any MFA which does not require some kind of agent or component to be installed on the client's machine.


@IggyPop: It's not so much the client software that bothers me. It's the way it seems to work at the Windows client level. The sole purpose of MFA is to have more solid protection against account misuse. All MFA solutions I've seen so far do a pretty good job of securing the Windows client (i.e. the PC). But in a Windows domain environment, that's not enough. In that case, you want extra protection for domain accounts as well. In other words, the need for MFA should be initiated by the domain controller. If the domain requires MFA for a user account and that user can't provide a token, then that account is denied access to domain resources.

The current incarnation of the MFA solutions I've tried so far doesn't protect domain accounts. Like I said, if you manage to gain access to the local network and you happen to have an account username and password, then you can simply access the domain resources for which that account has permissions, without supplying an additional token.

So if it's that easy to circumvent MFA on a Windows Domain, then why even bother using it?
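The gap described in the post above (interactive logon guarded by an agent on the PC, network access to domain resources not guarded at all) can be made visible with a short audit. The following PowerShell is an added example written for this thread; it is not code from ESET, Duo, UserLock or any poster. It assumes two things, both labelled in the comments: that an agent-based Windows MFA product hooks the interactive logon path by registering a Windows credential provider, and that a logon to a share or service on a server shows up in that server's Security log as event 4624 with LogonType 3, which never passes through any credential provider. The function names `Get-CredentialProvider` and `Get-LogonSummary` are mine, not a product API.

```powershell
# Added example, not from the thread or any vendor. Run in an elevated PowerShell
# session: Get-CredentialProvider on a workstation, Get-LogonSummary on the server
# (file server or domain controller) whose resources you want to see accessed.
#
# Assumption 1: agent-based MFA products plug into Winlogon by registering a
# credential provider under the key below. Listing that key shows whether the
# MFA agent is actually present on this machine.
function Get-CredentialProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    Get-ChildItem -Path $root | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        # The COM registration of the provider tells us which DLL implements it.
        $dll = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Clsid      = $clsid
            Name       = $props.'(default)'
            Dll        = $dll
            # Heuristic: Microsoft's own providers live under the Windows directory;
            # anything elsewhere (Program Files etc.) is a third-party provider
            # such as an MFA agent. Verify against the vendor's documentation.
            ThirdParty = [bool]$dll -and ($dll -notmatch '^"?(%SystemRoot%|C:\\Windows)\\')
            Disabled   = ($props.Disabled -eq 1)
        }
    }
}

# Assumption 2: a logon to a share, LDAP, WinRM or any other network service is
# recorded on the target as Security event 4624 with LogonType 3. That path is
# authenticated by Kerberos/NTLM against the DC and never reaches Winlogon, so a
# credential provider on the client PC has no say in it. LogonTypes 2 (console),
# 7 (unlock), 10 (RDP) and 11 (cached console) ordinarily do pass through the
# credential provider and are therefore the only ones an agent-based product can gate.
function Get-LogonSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $type = [int]$d.LogonType
        [pscustomobject]@{
            Time            = $_.TimeCreated
            User            = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType       = $type
            Source          = $d.IpAddress
            AuthPackage     = $d.AuthenticationPackageName
            ViaCredProvider = ($type -in 2, 7, 10, 11)
        }
    }
}

# Usage: is the MFA agent present on this PC at all?
Get-CredentialProvider | Format-Table Name, ThirdParty, Disabled, Dll -AutoSize

# Usage: on the file server / DC, which human domain accounts reached resources
# over the network in the last day without ever touching a credential provider?
# Machine accounts (ending in $) and service logons (type 5) are filtered out.
Get-LogonSummary -Hours 24 |
    Where-Object { -not $_.ViaCredProvider -and $_.LogonType -ne 5 -and $_.User -notmatch '\$$' } |
    Group-Object User |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Every account that appears in the second listing authenticated to the server with just a username and password (or a Kerberos ticket derived from one), exactly the path the post is worried about. If the first listing on the workstations shows the vendor's provider as present and enabled, interactive logons there are gated; the network logons in the second listing are not, regardless of which workstations have the agent. Closing that gap needs enforcement at the authentication service itself (e.g. the domain controller or a gateway in front of the resources), not another client-side provider.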


  • ESET Staff

@Simon_Weel, okay, I get it now 100%; sorry, my bad here then.

But please see below the settings you can apply for that specific computer: if you have turned on 2FA in any of those modes, the person wouldn't get into the computer unless he was enrolled with 2FA. Hopefully this one resolves the question.

[image.png: screenshot of the per-computer 2FA mode settings]
