Implementing Two-factor authentication with Windows 2008 r2 ?

  • Question

  • Hi, 

    To better secure our environment, I am tasked with implementing two-factor authentication for our domain admin accounts.

    What are my choices? The only thing that came to mind is the authenticator from Battle.net, which requires you to generate a token to log in every single time. Can I implement something like that? Or rather, does a Windows 2008 R2 DC support that?

    Thanks,

    Thursday, July 12, 2012 3:37 PM

Answers

  • Two-factor authentication is supported, and I have worked with numerous clients who have been using it successfully in their environment. I remember one of the clients using the RSA token mentioned by Ace.

    http://www.goldkey.com/active-directory-two-factor-authentication-token.html

    http://blogs.windowsecurity.com/shinder/2009/04/22/two-factor-for-small-and-midsized-businesses/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Yan Li_ Thursday, August 9, 2012 5:06 AM
    Friday, July 13, 2012 9:41 AM
  • Hi,

    > does a Windows 2008 R2 DC support that?

    Yes.

    Windows 7 and Windows Server 2008 R2 support Extended Protection for Integrated Authentication. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).

    Extended Protection for Authentication is a feature that helps to protect credentials for network connections that are being authenticated using Integrated Windows authentication. Integrated Windows authentication uses the Negotiate, Kerberos, and NTLM authentication methods. We strongly recommend that you use Extended Protection for Authentication if you're using Integrated Windows authentication.

    To use this feature, both the client and the server must be running a Microsoft Windows operating system that includes the Extended Protection for Authentication security update.

    Default installations of Windows 7 and Windows Server 2008 R2 operating systems include this security update. However, for client or server computers that are running other versions of Windows (for example Windows Vista or Windows Server 2008 SP2), you must install the update. For detailed information about the operating systems that are supported by default, see Microsoft Knowledge Base article 973811, Microsoft Security Advisory: Extended protection for authentication.

    For more information, please refer to the following MS articles:

    Understanding Extended Protection for Authentication
    http://technet.microsoft.com/en-us/library/ff459225.aspx#requirements
    Microsoft Security Advisory: Extended protection for authentication
    http://support.microsoft.com/?kbid=973811
    Authentication failure from non-Windows NTLM or Kerberos servers
    http://support.microsoft.com/kb/976918

    Hope this helps!

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Lawrence

    TechNet Community Support

    • Marked as answer by Yan Li_ Thursday, August 9, 2012 5:06 AM
    Friday, July 13, 2012 5:55 AM

All replies

  • There are a number of 3rd-party tools that provide this functionality, and most of them support Active Directory, no matter which version. You've already found Battle, and some of the others out there are:

    .

    Maybe the SANS write-up and the buyer's guide in the following links will help you decide?

    SANS: Two-Factor Authentication: Can You Choose the Right One?
    http://www.sans.org/reading_room/whitepapers/authentication/two-factor-authentication-choose-one_33093

    Buyer's Guide: Two-Factor Authentication
    http://www.windowsitpro.com/article/security/buyers-guide-two-factor-authentication

    .

    I guess it comes down to budget?

    .


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Thursday, July 12, 2012 6:45 PM
    Thursday, July 12, 2012 3:50 PM
  • Hi,

    I would like to confirm the current situation. Have you resolved the problem?

    If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.


    Lawrence

    TechNet Community Support

    Monday, July 16, 2012 1:06 AM
  • There's a simple solution to this that no one has thought of:

    Give your admins a USB drive (I'm sure they have many already) with a specific file on it.

    Create a login script for your admin accounts that checks for this file and logs them off if it does not exist.

    The script only needs to run for admin accounts, and the admin user just needs to plug in the USB key before logging in.

    The script will likely need to check several drives, as it's impossible to determine which drive letter the key will be assigned. But if it can't be found in any one of the locations, it can log off the current user.

    The script will be too quick to cancel.

    If the USB drive was left somewhere, just update the file to another one and correct the login script.

    Problem solved

    • Proposed as answer by doolz1 Wednesday, May 17, 2017 10:43 PM
    Wednesday, May 17, 2017 10:43 PM