Implementing two-factor authentication with Windows 2008 R2?

Question
Hi,
To better secure our environment, I am tasked with implementing two-factor authentication for our domain admin accounts.
What are my choices? The only thing that came to mind is the authenticator from Battle.net, where it requires you to generate a token to log in every single time. Can I implement something like that? Or, more to the point, does a Windows 2008 R2 DC support that?
Thanks,
Thursday, July 12, 2012 3:37 PM
Answers
Two-factor authentication is supported, and I have worked with numerous clients who have been using it successfully in their environments. I remember one of the clients using the RSA token mentioned by Ace.
http://www.goldkey.com/active-directory-two-factor-authentication-token.html
http://blogs.windowsecurity.com/shinder/2009/04/22/two-factor-for-small-and-midsized-businesses/
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Marked as answer by Yan Li_ Thursday, August 9, 2012 5:06 AM
Friday, July 13, 2012 9:41 AM
Hi,
> does Windows 2008 r2 DC supports that ?
Yes.
Windows 7 and Windows Server 2008 R2 support Extended Protection for Integrated Authentication. This feature enhances the protection and handling of credentials when authenticating network connections using Integrated Windows Authentication (IWA).
Extended Protection for Authentication is a feature that helps to protect credentials for network connections that are being authenticated using Integrated Windows authentication. Integrated Windows authentication uses the Negotiate, Kerberos, and NTLM authentication methods. We strongly recommend that you use Extended Protection for Authentication if you're using Integrated Windows authentication.
To use this feature, both the client and the server must be running a Microsoft Windows operating system that includes the Extended Protection for Authentication security update.
Default installations of Windows 7 and Windows Server 2008 R2 operating systems include this security update. However, for client or server computers that are running other versions of Windows (for example Windows Vista or Windows Server 2008 SP2), you must install the update. For detailed information about the operating systems that are supported by default, see Microsoft Knowledge Base article 973811, Microsoft Security Advisory: Extended protection for authentication.
For more information, please refer to the following MS articles:
Understanding Extended Protection for Authentication
http://technet.microsoft.com/en-us/library/ff459225.aspx#requirements
Microsoft Security Advisory: Extended protection for authentication
http://support.microsoft.com/?kbid=973811
Authentication failure from non-Windows NTLM or Kerberos servers
http://support.microsoft.com/kb/976918
Hope this helps!
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Lawrence
TechNet Community Support
- Marked as answer by Yan Li_ Thursday, August 9, 2012 5:06 AM
Friday, July 13, 2012 5:55 AM
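As an added example, not part of Lawrence's answer or of any Microsoft documentation, the following PowerShell audit checks the three points his answer makes on an IIS web server running Windows Server 2008 R2: whether the OS ships Extended Protection for Authentication, whether the machine-wide LSA switch (the SuppressExtendedProtection value documented in KB 968389) has suppressed it, and whether each IIS site that uses Windows authentication actually requires the channel binding token. It assumes the IIS WebAdministration module is installed and that child elements of the windowsAuthentication configuration section are reachable as properties of the returned object; site names are read from the local server.

```powershell
# Added audit example (not from the thread): report whether Extended Protection
# for Authentication is suppressed machine-wide and how each IIS site configures it.
# Run from an elevated PowerShell prompt on the web server.
Import-Module WebAdministration   # IIS 7.5 cmdlets on Windows Server 2008 R2

$os = Get-WmiObject Win32_OperatingSystem
# Windows 7 / Server 2008 R2 are NT 6.1 and include the feature; earlier
# versions need the update from KB 973811.
$builtIn = [version]$os.Version -ge [version]'6.1'
Write-Host ("OS {0} ({1}): Extended Protection {2}" -f $os.Caption, $os.Version,
    $(if ($builtIn) { 'included in the OS' } else { 'requires the KB 973811 update' }))

# KB 968389 registry switch: SuppressExtendedProtection = 0 (or absent) leaves the
# feature enabled for IWA applications; a non-zero value suppresses it.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$suppress = $lsa.SuppressExtendedProtection
if ($suppress -eq $null -or $suppress -eq 0) {
    Write-Host 'LSA: Extended Protection is not suppressed'
} else {
    Write-Warning "LSA: SuppressExtendedProtection = $suppress (feature suppressed)"
}

# Per-site IIS setting: the channel binding / SPN check is only enforced when
# tokenChecking is Require; Allow accepts clients that send no token, None skips it.
$filter = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($site in Get-ChildItem IIS:\Sites) {
    $path = "IIS:\Sites\$($site.Name)"
    $auth = Get-WebConfiguration -Filter $filter -PSPath $path
    if (-not $auth.enabled) { continue }   # no Integrated Windows Authentication here
    $mode = $auth.extendedProtection.tokenChecking   # assumed property access on the element
    Write-Host ("{0}: Windows auth enabled, extendedProtection.tokenChecking = {1}" -f $site.Name, $mode)
    if ($mode -ne 'Require') {
        Write-Warning ("{0}: channel binding is not required" -f $site.Name)
        # To enforce it once every client is patched (unpatched clients cannot send
        # the token and would fail to authenticate), run:
        # Set-WebConfigurationProperty -Filter "$filter/extendedProtection" -PSPath $path `
        #     -Name tokenChecking -Value Require
    }
}
```

The Set-WebConfigurationProperty line is left commented out because, as the answer notes, both sides must support the feature: switching a site to Require before every client has the update turns a hardening step into an outage.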
All replies
There are a number of 3rd-party tools that provide this functionality, and most of them support Active Directory, no matter which version. You've already found Battle, and some of the others out there are:
- RSA SecurID Two-Factor Authentication (very popular): http://www.rsa.com/products/securid/sb/10695_SIDTFA_SB_0210.pdf
- Quest Defender: http://www.quest.com/defender/
- AuthLite Two Factor Auth: https://ardvaark.net/authlite-two-factor-authentication-for-windows-and-active-directory & http://authlite.com/
- And numerous more. You can search Bing or Google for "Active Directory Tw
Maybe the SANS write-up and the buyer's guide in the following links will help you decide?
SANS: Two-Factor Authentication: Can You Choose the Right One?
http://www.sans.org/reading_room/whitepapers/authentication/two-factor-authentication-choose-one_33093
Buyer's Guide: Two-Factor Authentication
http://www.windowsitpro.com/article/security/buyers-guide-two-factor-authentication.
I guess it comes down to budget?
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This post is provided AS-IS with no warranties or guarantees and confers no rights.
- Proposed as answer by Meinolf Weber Thursday, July 12, 2012 6:45 PM
Thursday, July 12, 2012 3:50 PM
There's a simple solution to this that no one has thought of:
Give your admins a USB drive (I'm sure they have many already) with a specific file on it.
Create a login script for your admin accounts that checks for this file and logs them off if it does not exist.
The script only needs to run for admin accounts, and the admin user just needs to plug in the USB key before logging in.
The script will likely need to check several drives, as it's impossible to determine which drive letter the key will be assigned. But if it can't be found in any of the locations, it can log off the current user.
The script will be too quick to cancel.
If the USB drive was left somewhere, just update the file to another one and correct the login script.
Problem solved.
- Proposed as answer by doolz1 Wednesday, May 17, 2017 10:43 PM
Wednesday, May 17, 2017 10:43 PM
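The logon script that post describes, written out as an added example; this is not the poster's code. It enumerates removable drives through WMI instead of guessing drive letters, compares the marker file's SHA-256 hash against a stored value rather than only testing that a file with that name exists, and logs the session off when no drive carries a matching file. The marker file name, the expected hash placeholder, the CONTOSO domain and the group name are illustrative choices for this example; the provisioning function New-AdminMarker is also added here, for writing a fresh marker to a stick and printing the hash to store in the script (the "update the file and correct the login script" step when a stick is lost).

```powershell
# Added example (not the poster's script): logon script that requires a marker file on a
# removable drive for members of an admin group, and a helper to provision the marker.
# Deploy as a PowerShell logon script through Group Policy on Windows 7 / Server 2008 R2.
$MarkerName   = 'admin-marker.bin'             # illustrative file name
$ExpectedHash = 'PASTE-HEX-SHA256-HERE'        # output of New-AdminMarker for the current marker
$AdminGroup   = 'CONTOSO\Domain Admins'        # hypothetical domain; adjust to your forest

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so this runs on PowerShell 2.0 (Get-FileHash only arrived in 4.0).
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function New-AdminMarker([string]$DriveLetter) {
    # Provisioning step, run once per USB stick: write 32 random bytes as the marker and
    # return the hash to paste into $ExpectedHash. Rotating a lost stick means writing a
    # new marker to the replacements and updating the hash in the deployed script.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 32
    $rng.GetBytes($buf)
    $path = Join-Path ($DriveLetter.TrimEnd('\') + '\') $MarkerName
    [System.IO.File]::WriteAllBytes($path, $buf)
    return Get-Sha256Hex $path
}

function Test-AdminMarker {
    # DriveType 2 = removable disk. Enumerating them avoids hard-coding a list of letters,
    # since the stick can land on any free letter.
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($d in $drives) {
        $path = Join-Path ($d.DeviceID + '\') $MarkerName
        if ((Test-Path $path) -and ((Get-Sha256Hex $path) -eq $ExpectedHash)) {
            return $true
        }
    }
    return $false
}

# Enforce only for the admin group, so a GPO linked too broadly does not log everyone off.
$me = New-Object System.Security.Principal.WindowsPrincipal(
          [System.Security.Principal.WindowsIdentity]::GetCurrent())
if ($me.IsInRole($AdminGroup) -and -not (Test-AdminMarker)) {
    # No drive carries a marker with the expected hash: end this session.
    shutdown.exe /l /f
}
```

On the design: the check passes for any removable drive holding a file whose bytes hash to the stored value, so what it verifies is possession of the marker's contents, and replacing a stick is a matter of running New-AdminMarker on the new one and updating $ExpectedHash in the deployed script.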