AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In
CLOSE

Windows Workstation (Endpoint) Protection

There are several important points to consider regarding workstations and the protection of logons/data on these endpoints.

Threat Modeling

Unlike remote network resources, workstations (especially mobile laptops) present a greater attack surface. In addition to subverting the OS logon itself, an attacker could choose to pull the hard drive and directly attempt to access the stored data. Therefore, solutions that only protect the OS logon itself may not be sufficient protection. Consideration should be given to the protection of stored data as well.

Full Drive Encryption

AuthLite does not provide its own branded/integrated full disk encryption. We recommend using BitLocker with TPM if possible, since this integrates seamlessly into Windows and does not require the entry of any additional credentials.1

Without drive encryption, endpoint protection is not effective against an attacker who steals the system or its hard drive. The attacker does not need to authenticate to the account, they can simply read data off the hard drive.

If you choose to use a third-party FDE solution that “synchronizes” with Windows user credentials (meaning you enter the username and password at boot time) then it will probably not work with AuthLite. AuthLite OTPs affect the Windows logon on workstations. At bestyour FDE will still just use your password. More likelyit will stop being able to synchronize properly with password changes and/or prevent AuthLite logons from working. At worstit could prevent you from decrypting your drive. You should contact your FDE vendor and follow whatever solution for strong authentication they support.

Untrusted workstations

With AuthLite version 2 and later, the credential data processed by a workstation cannot be reused in the future to gain another fresh Kerberos or NTLM session. By contrast, a malicious AuthLite v1 workstation could gather enough information to impersonate the user in the future. For more information see this KB article.

Known workstation limitations

If a user's session lasts long enough for their Kerberos ticket-granting ticket to expire, the workstation will attempt to acquire a new ticket in the background using the previously entered credentials. For 2-factor users this operation will fail, because (by design) the workstation does not possess the user's full credentials. Therefore, logon sessions that endure past the expiration of the Kerberos TGT will become unable to access network resources. Upon trying to access a resource without a valid TGT, Windows will automatically show a message to the user instructing them to lock and unlock the workstation to provide domain credentials.

1   This BitLocker+TPM authentication mode is quite secure for most threat models, however it is vulnerable to Cold Boot attacks. To protect against the threat model of an attacker chilling and removing a running workstation's DRAM, another approach should be considered.

Next Steps: