Do you have needs for securing workstations with multi-factor authentication?
Using lightweight agent-based technology, workstations can be secured with multi-factor authentication. Options such as email, telephone call, text message, security question and tools that support OATH (Google Authenticator) or RADIUS (RSA key fobs) can be leveraged by a user to confirm their identity. When a device does not have a connection to the internet, offline mode can still be used to secure access to the workstation with multi-factor authentication.
This guide is a basic demonstration of how easy it is to set up multi-factor authentication for the following use cases.
- MFA at interactive login
- MFA on RDP access
- MFA on screen saver unlock
- MFA in offline mode
Configuration time: ~1 hour
Prerequisites:
1) Centrify Identity Service license
2) Domain joined Windows machine
3) Centrify Connector
Let's get started!
Before you begin, install the Centrify Connector on a domain joined Windows server by following this guide: http://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840
1) Logged in as an administrator to your Centrify Identity Service console, start by creating a Centrify role. This role will contain the Windows workstations you want to enforce multi-factor authentication on.
2) Add the workstations you want to enforce multi-factor authentication on by searching for the resource and clicking 'Add'.
3) Under 'Administrative Rights', assign the Centrify role the "Computer Login and Privilege Elevation" right. This allows the service to deliver a multi-factor authentication profile (created in the next step), to the workstations you've added to the role.
4) Next, create an 'Authentication Profile' that contains the factors that are appropriate for users to authenticate with.
5) Assign the 'Authentication Profile' to the 'Login Authentication Profile' and 'Privilege Elevation Authentication Profile' fields.
6) Next, download the Centrify agent from the 'Downloads' dropdown within the Centrify Administrator's portal.
7) Download the 'Centrify Agent for Windows' .msi file.
8) Install the Centrify agent on each workstation you would like to enforce multi-factor authentication on. Note: The workstation must exist within a Centrify role for the Centrify Identity Service solution to deliver the multi-factor authentication profile to the machine (refer to step 2).
9) Review and accept the Centrify End-User License Agreement.
10) The Centrify agent can be enabled with 'Audit', a feature that allows for recording of sessions for future playback. If you have purchased the audit feature, you can enable it in addition to the default 'Access' option. If you do not have the audit feature, keep the default settings and click 'Next'.
11) Once the installation is completed in step 10, click 'Next' to continue setup of the agent on the workstation/server.
12) The following step is applicable if you are using Centrify Server Suite, designed for securing privileges and requiring multi-factor authentication at server logins or privilege elevation. If you are a Server Suite user, the following post will guide you through configurations at this step http://community.centrify.com/t5/TechBlog/HowTo-Configuring-MFA-for-Windows-Login/ba-p/26126
For purposes of this guide, keep the default settings by leaving the 'Join to a Zone' unchecked and click 'Next' to continue.
13) Ensure that 'Enable multi-factor authentication on Windows login' is selected. You also have the option of enforcing multi-factor authentication for all Active Directory users or only selected Active Directory users logging into the machine. Click 'Next' to continue.
14) Click 'Finish' to complete the installation and setup.
15) A restart is required to complete installation and setup of the service.
16) Upon restart, log in to the workstation. During login, you will now see a drop-down with the multi-factor authentication options required for login. Log in to the machine with one of the factors.
Note: The user must have the corresponding attributes in their user profile for an option to be available to them during login. For example, if the telephone call is selected as one of the available factors but a user does not have a telephone number in their Active Directory profile, the telephone option will not be displayed to that user in the drop-down.
17) After logging into the workstation, 'Setup Centrify Offline Passcode' will display. This allows a user to successfully authenticate, with multi-factor authentication, to the workstation when the machine is offline. Click on the 'Click here to create your offline passcode'.
18) Click 'Next' to setup offline mode.
19) The Centrify mobile application can be leveraged to create the passcode for offline mode. More generally, any utility that supports OATH can be used, so you can set up your passcode with the utility your organization already prefers. Examples of such utilities are the Centrify mobile app and Google Authenticator.
20) Click 'Finish' to complete the offline passcode setup.
21) Test the offline mode by taking the workstation offline and using the offline passcode to log back into the machine.
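Because a factor is only offered at the login prompt when the user's Active Directory profile carries the attribute it relies on (see the note under step 16), it is worth checking for users who would be left without an attribute-backed factor before the agent is rolled out. The following PowerShell is an added example and is not part of the Centrify guide or product; the OU path, the factor-to-attribute mapping and the report file name are assumptions for this example.

```powershell
# Added example (not from the Centrify guide): before enforcing MFA, list the
# enabled AD users under the assumed OU and flag those missing the attribute
# that each attribute-backed login factor depends on. Security question and
# OATH/RADIUS factors do not read these attributes and are not covered here.
Import-Module ActiveDirectory

# Assumed: users who log into the MFA-enforced workstations live under this OU.
$SearchBase = 'OU=Workstation Users,DC=example,DC=com'

# Assumed mapping of login factors to the AD attribute each one relies on.
$FactorAttributes = @{
    'Email'          = 'mail'
    'Telephone call' = 'telephoneNumber'
    'Text message'   = 'mobile'
}

$users = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase `
    -Properties @($FactorAttributes.Values)

$report = foreach ($u in $users) {
    # Collect the factors this user would not be offered at the login prompt.
    $missing = foreach ($factor in $FactorAttributes.Keys) {
        $attr = $FactorAttributes[$factor]
        if ([string]::IsNullOrWhiteSpace($u.$attr)) { $factor }
    }
    [pscustomobject]@{
        SamAccountName           = $u.SamAccountName
        MissingFactors           = ($missing -join ', ')
        # True when none of the attribute-backed factors can be offered; such
        # users depend entirely on security question, OATH or RADIUS factors.
        NoAttributeBackedFactor  = (@($missing).Count -eq $FactorAttributes.Count)
    }
}

# Show the users who need profile updates before MFA is enforced for them,
# and keep the full readiness report for the rollout record.
$report | Where-Object NoAttributeBackedFactor | Format-Table -AutoSize
$report | Export-Csv -Path '.\mfa-factor-readiness.csv' -NoTypeInformation
```

Run it from a workstation with the RSAT Active Directory module installed, using an account that can read the user attributes under the chosen OU.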
This guide is intended to demonstrate the steps required for enforcing multi-factor authentication on Windows workstations using the Centrify Identity Service solution. Centrify strongly encourages reviewing the deployment and administrative guides, and testing the solution, prior to enterprise deployment.
We hope this guide was helpful and welcome questions you may have in this thread.