Looking for some suggestions to use for Two Factor Authentication to a Windows 2008 Server for RDP sessions. Local gov agency so needs to be low budget if possible. Also prefer not to have a separate Linux box for this project.
11 Spice ups
I use RSA keyfobs with my 2008 remote desktop sessions and it works like a charm
It was super simple, and for 25 keyfobs it was like 3k.
The only thing that I don't like about it is that the RSA token challenge happens after the Windows login (maybe there is a way to swap the order, but I didn't spend that much time with it).
dex
(Drex)
4
We use https://www.PhoneFactor.com and their free version for right now and it works great.
Also, here is a thread with a similar conversation:
http://community.spiceworks.com/topic/248629-two-factor-authentication-for-rdp
aaronstuder
(Aaron Studer)
5
My solution is only $3/user/month… 3K is a lot of money. Not to mention all the work to set up RSA…
2 Spice ups
Hey Drex
This sounds really interesting. Are you using it with 2008 R2 RDP, and if so, what did you have to do on your server to get it working?
Ed
tom-collis
(Tom Collis MBCS)
8
Sorry about this post, unfortunately I don’t have an answer but I believe it is possible to protect RDP with
This can work with Google Authenticator app which is available for every platform.
I don’t know how to set this up, but if anyone wants to figure it out and provide some instructions, then I’m sure lots of people would love you for it.
1 Spice up
alan1489
(Alan1397)
9
Just rolling out DuoSecurity. We have a need for both a smart phone app to do the authentication as well as a physical key fob.
When I checked a few weeks ago… Duosecurity’s fobs were backordered. I ended up getting “c100 HOTP - 6 digit” tokens from “Hypersecu Information Systems, Inc.” for around $10/ea.
aaronstuder
(Aaron Studer)
10
Overall, How do you like it? Pros? Cons?
talk2jimmy
(Jimmy8889)
11
I guess you’re getting the push to implement two factor auth before the September deadline.
Most of the counties (Local LawEnf) are implementing Imprivata. I think because it has support for RDP / Citrix and even AppV.
You can also use omnixx forceweb
alan1489
(Alan1397)
12
I’m just now starting a few end-users on DuoSecurity. Still using the 1st 10 user free trial.
You pay by the user account, not how many systems you are protecting; however, for now just on RDP.
There are a number of ways that you can authenticate: Key fob, Smart phone app, or even a land-line call. All seem to work okay.
Oddly, to sign on to the duosecurity Web site to administer your account, you can not use a key fob (at least I could not find a way). This means that you must have your phone available to administer.
dex
(Drex)
13
Ed - We have it set up on 2008 R2 and it took about a half hour to set up. A tech from Phone Factor was on the phone with us, and walked us through the whole process. We have it set up with IIS Authentication; see the screen shot, it can do RADIUS, LDAP, or Windows authentication.
I would suggest you use dual factor authentication solutions from TeleSign. It works perfectly on Windows 2008. Also it does not require any hardware to set up and is also very cheap as compared to traditional multifactor authentication methods.
TeleSign is a phone based system. I won’t be able to use phones or cell phones for this project.
Duo-Security has been awesome for us. I’m only using it on 4 machines, so it’s free (up to 10 users) and quite easy.
1 Spice up
Thanks, but for this client we can’t use cell phone based authentication. We are currently evaluating Rohos.
Duo offers key-fobs, but I have not tried them.
interesting!
Cheers for the info Jack.
I’m currently looking into cost effective alternatives to hardware dongles so thanks.
1 Spice up
Hello Tom,
I’m the developer of the free and open source multiOTP library and tools. If you want to use it for RDP two factor authentication, you can use multiotp-CP ( Google Code Archive - Long-term storage for Google Code Project Hosting. ) which is using multiotp as the strong authentication engine.
The last available beta version of multiOTP can do a lot more things than before. QRcode generation (for Google Authenticator provisioning), SMS token (for example using clickatell ( https://www.clickatell.com/ ) API), etc.
Have a look, and don’t hesitate to send comments to enhance the library.
Regards,
Andre