Home
Contents
CLOSE
AuthLite Interactive Documentation
FEATURES: What can AuthLite Do? TOKEN TYPES: What "Factors" are supported? INSTALL: How and where to install AuthLite? CONFIGURE AuthLite for your needs CHOOSE USERS: Choose 2-factor Users ENFORCE 2-factor Logons ADMINISTER AuthLite Tokens LDAP logon support/enforcement VPN and RADIUS Configuration How to Log In Event Logging
CLOSE
Fig. 1) File sharing by Allow 2F Tag
Fig. 1) File sharing by Allow 2F Tag
Fig. 2) File sharing by Deny 1F Tag
Fig. 2) File sharing by Deny 1F Tag

You can block all network access to a server by using Group Policy, but if you want to more narrowly tailor permission, you can use the filesystem's Access Control Lists.

The first method (see Fig. 1) is to remove permissions from everyone except the "AuthLite 2F Tag" group, and any other users or groups you explicitly want to allow without 2-factor authentication.  You need to be careful that the AuthLite users are not in any other groups that have access too. It only takes one Allow match for the user to get in.  For example if you had a permission that lets "Domain Users" have access, then they'll be able to get in regardless of their membership in AuthLite or whether they used 1F/2F authentication.

The second method (see Fig. 2) is to leave all the existing permissions in place, but add a Deny permission for the "AuthLite 1F Tag" group.  This is neat because it's minimally disruptive: all the same users will be able to access the share as before.  But now anyone who happens to be an AuthLite User must also have a 2-factor session, otherwise the Deny triggers and blocks them.  Unlike the above configuration, even if the AuthLite users are in the Allow permission, they'll get blocked here if they don't have a 2-factor session.