My customer is a defense sub-contractor and has a requirement to implement multi-factor authentication for just about everything short of going to the bathroom. Is it possible to implement this within Windows Server/AD without some sort of 3rd party system? Yes, I googled it, and I see a lot of 3rd party companies offering solutions, but if there is a way to do that without spending the extra money, that would be great. FWIW, it is a pretty small company with only about 20 employees and 10-15 PCs. Thanks for any suggestions.

(mikebmiller, 2023-03-09 21:10 UTC, 8 upvotes, 7 answers)

USG MFA definitions are described by NIST's AALs (authenticator assurance levels).

Microsoft describes how to do that with their technologies here:

Depending on your requirements, your configuration will vary. Short answer is yes, Windows can do MFA with various technologies, such as:

So as always: "What are you trying to accomplish, specifically?"

(mike-crowley, 2023-03-09 21:52 UTC, 1 upvote)

Are they using O365?

(da-schmoo, 2023-03-09 22:19 UTC, 1 upvote)

Thank you, I will read that. And yes, they are using O365. As far as what they are trying to accomplish, they need to be able to pass the NIST requirements.

(mikebmiller, 2023-03-10 01:34 UTC, 0 upvotes)

We implemented AuthLite (https://www.authlite.com/) for domain admin accounts. Pricing is reasonable and I was able to get it implemented quickly.

(chadjohnson6, 2023-03-10 18:27 UTC, 1 upvote)

Is this doable with on-premises AD? Everything I am reading mentions Azure AD and at this point they aren't really using that.

(mikebmiller, 2023-03-14 19:56 UTC, 0 upvotes)

MFA & Access Management for Active Directory (on-premise) users can be achieved easily with UserLock.

You can set granular and customized MFA on Windows logins, RDP & RD Gateway, IIS and VPN connections. It also will protect these on-premise accounts with MFA & Single Sign-on as they access Cloud applications, such as O365.

Full details on MFA here: Multi-Factor Authentication for Active Directory

Short video: https://www.youtube.com/watch?v=jDu0LQl_du8&t=91s