ESET SECURE AUTHENTICATION Product Manual
ESET SECURE AUTHENTICATION Copyright 2015 by ESET, spol. s r.o. ESET Secure Authentication was developed by ESET, spol. s r.o. For more information visit www.eset.com. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author. ESET, spol. s r.o.
Contents
1. Overview .... 4
2. Requirements .... 4
2.1 Supported Operating Systems .... 4
2.2 Supported Web Applications .... 5
11.1.4 to 11.1.8 Hard Tokens (remaining contents entries not recovered)
1. Overview
ESET Secure Authentication (ESA) adds Two Factor Authentication (2FA) to Microsoft Active Directory domains. The ESA product consists of the following components:
- The ESA Web Application plugin, which provides 2FA to various Microsoft Web Applications.
- The ESA Remote Desktop plugin, which provides 2FA for the Remote Desktop Protocol.
- The ESA RADIUS Server, which adds 2FA to VPN authentication.
2.2 Supported Web Applications
ESET Secure Authentication provides 2FA for the following Microsoft products:
- Microsoft Exchange 2007
  o Outlook Web Access
- Microsoft Exchange 2010
  o Outlook Web App
  o Exchange Control Panel
- Microsoft Exchange 2013
  o Outlook Web App
  o Exchange Admin Center
- Microsoft Dynamics CRM 2011
- Microsoft Dynamics CRM 2013
- Microsoft SharePoint 2010
- Microsoft SharePoint 2013
- Microsoft Remote Desktop Web Access
- Microsoft Terminal Services Web Access
- Microsoft Remote Web Access
Management Tools:
  o Windows XP SP3 or later, or Windows 2003 Server SP2 or later
  o .NET Framework version 3.5
  o Windows Remote Server Administration Tools, Active Directory Domain Services component (RSAT AD DS)
  o NOTE: RSAT was previously known as the Remote Administration Pack (adminpak) and is downloadable from Microsoft. In Windows Server 2008 and later, this component may be installed from the “Add Feature” wizard in the Server Manager. All Domain Controllers already have these components installed.
supported on these client operating systems.
2.5 Supported Active Directory Environments
ESET Secure Authentication supports either single domain or multiple domain Active Directory environments. The differences between these environments and their installation requirements are detailed below.
Single Domain, Single Forest
This is the simplest configuration, and the installer may be run as any Domain Admin. ESET Secure Authentication is available to all users within the domain.
3. Installation
All of the following components are required for your first ESA installation:
- At least one instance of the Authentication Server
- At least one instance of the Management Tools
- At least one of the authentication endpoints (API, Web Application, Remote Desktop or RADIUS)
All the components may be installed on a single machine, or they may be installed across multiple machines in a distributed environment. As is the case with distributed systems, there are many possible installation scenarios.
3.1 Installation of the Core components From the machine hosting the ESA Authentication Service, run the supplied .exe file to start the installation. If the .NET Framework version 4.0 is not detected, the installer will bootstrap the installation thereof, as per the figure below. A number of prerequisite checks will be performed to ensure that the domain is healthy and that ESA can be installed. Any failures must be corrected before the installation can proceed.
When prompted, make sure that the "Management Tools", "Authentication Server" and "RADIUS Server for VPN Protection" components are selected, as per the figure below. Go through the remainder of the steps as prompted by the installer and close the installer when complete.
3.2 Installation of the Web App plugin From the machine running the Web App that is to be protected, run the supplied .exe file to start the installation. The installer will run a number of prerequisite checks as was done during the Installation of the Core components. When prompted, make sure that the component for the appropriate Web App is selected. The figure below shows the component selection for the installation of the SharePoint Server plugin.
3.3 Installation of the Remote Desktop plugin From the Remote Desktop Access machine that is to be protected, run the supplied .exe file to start the installation. The installer will run a number of prerequisite checks as was done during the Installation of the Core components. The figure below shows the component selection for the installation of the Remote Desktop plugin. Prerequisite checks will be run to ensure that the ESA Remote Desktop plugin can be installed.
3.4 Basic Configuration Once you have installed the required components, some basic configuration is necessary. All configuration of the ESA system is performed via the ESA Management Console. The ESA Management Console is added as a Snap-In to the standard MMC console. The ESA Management Console may be accessed under Administrative Tools, as per the figure below. First, you must activate your ESA system using an ESA license.
4. User Management
All user management is done via the Active Directory Users and Computers management interface. All ESA users must have valid mobile phone numbers in the Mobile field of the Telephones tab.
Provisioning a new Mobile App:
1. Open the normal ADUC user view.
2. Right-click a User and select Properties.
3. Type the user’s mobile phone number into the Mobile field.
Enabling soft-token OTPs for a specific user:
1. Make sure that the check box next to Mobile Application is selected.
2. Click Send Application.
3. The user will receive an SMS message containing a link that can be used to install the application.
5. VPN Protection
ESA ships with a standalone RADIUS server that is used to authenticate VPN connections. After installing the ESA RADIUS server component, the service will start automatically.
6. Optionally allow any non-2FA users to use the VPN.
NOTE: Allowing non-2FA users to log in to the VPN without restricting access to a security group will allow all users in the domain to log in via the VPN. Using such a configuration is not recommended.
7. Optionally restrict VPN access to an existing Active Directory security group.
8. Once you are finished making changes, click OK.
9. Re-start the RADIUS Server.
6.1 Configuration The Web Application integration can be configured from the Basic Settings page of your domain in the ESET Secure Authentication management console. The settings for the Exchange Server plugins, Outlook Web App and Exchange Control Panel, are global to the domain. The settings for all other Web Application plugins are per server. The 2FA protection can be enabled or disabled for each Web Application. The 2FA protection is enabled by default after installation.
are displayed in the mobile application with a space between the 3rd and 4th digits in order to improve readability. The Web Application Protection module strips whitespace, so a user may include or exclude whitespace when entering an OTP without affecting authentication.
4. If a valid OTP is entered, then the user will be redirected to the page they originally requested. The user will then be able to interact with the Web App.
7.2 Usage
The operation of the Remote Desktop Protection module can be verified as follows:
1. A domain user that has ESA 2FA enabled in the ADUC management tool is required for testing. This user must be added as an allowed Remote Desktop user on the remote computer.
2. A computer that has Remote Desktop Access enabled is also required.
3. Connect to the remote computer using a Remote Desktop client, and authenticate as normal using the Active Directory credentials of the test user.
8.1 Hard Token Management
This section describes how to enable hard tokens and manage them using the ESA Management Console. This mainly consists of three functions:
1. Importing the hard tokens into the system
2. Deleting hard tokens
3. Resynchronizing hard tokens
8.1.1 Enable
Hard tokens are disabled by default and must be enabled before use. Once enabled, hard tokens will need to be imported before the full functionality is available. Hard tokens can be enabled as follows:
5. A result window will pop up indicating how many hard tokens were imported.
6. On clicking OK, the window will close and the imported hard tokens will be displayed.
8.1.3 Delete
It may be necessary to delete a token from the system. Tokens can be deleted as follows:
1. Launch the ESET Secure Authentication Management Console and navigate to the "Hard Tokens" node for your domain.
2. Select the hard token to delete.
3. Click the Delete action for that hard token.
4. Click the "Yes" button on the confirmation box.
8.1.4 Resynchronize
There is a possibility that a hard token becomes out of sync with the system.
8.2 Hard Token User Management
This section deals with the user management of hard tokens. For this functionality to work, hard tokens need to be enabled on the system and hard tokens need to have been imported. User management takes place through the ESET Secure Authentication tab in the ADUC tool. There are three functions available:
1. Enable hard token authentication for a user and assign a hard token.
2. Revoke a hard token linked to a user.
8.2.2 Revoke
Revoking a hard token for a user will also disable that user for hard token authentication. A hard token can be revoked as follows:
1. Open the user's profile from the ADUC tool.
2. Navigate to the ESET Secure Authentication tab.
3. Click the Revoke button.
9. API
The ESA API is a REST-based web service that can be used to easily add 2FA to existing applications. In most web-based applications users are authenticated before being granted access to protected resources.
9.1 Integration Overview
The API consists of two endpoints, which are both called by POSTing JSON-formatted text to the relevant API URLs. All responses are also encoded as JSON-formatted text, containing the method result and any applicable error messages. The first endpoint (the Authentication API) is for user authentication and the second endpoint (the User Management API) is for user management.
9.3.2 Importing the New Certificate
The new certificate needs to be placed in the Local Machine\Personal store before it can be used.
1. Launch the Microsoft Management Console (MMC):
  o Windows Server 2003: Start -> Run -> Type “mmc.exe” and press the “Enter” key
  o Windows Server 2008+: Start -> Type “mmc.exe” and press the “Enter” key
Windows Server 2003:
1. Click “Start” -> “All Programs” -> “Windows Support Tools” -> “Command Prompt”
2. Type “httpcfg query ssl -i 0.0.0.0:8001” and press the “Enter” key
3. Copy and paste the “Hash” field somewhere safe, in case you want to re-add the existing certificate
4. Type “httpcfg delete ssl -i 0.0.0.0:8001” and press the “Enter” key
5. You should see “HttpDeleteServiceConfiguration completed with 0.”
6. Type “httpcfg set ssl -i 0.0.0.
10.1 User States A user may be in various states during regular operation.
A user may then be enabled for either SMS-based OTPs, Mobile Application OTPs, or both.
In this state, a user will receive SMS OTPs when authentication attempts are initiated, but as soon as a valid mobile OTP is used for authentication, SMS OTPs will be disabled, and the user will only be able to authenticate using mobile OTPs.
When authenticating OTPs, a user has 10 opportunities to enter an incorrect OTP. On the 11th failed OTP, the user's 2FA gets locked. This is to prevent brute-force guessing of OTPs. When a user's 2FA is locked, a red flag is displayed. If it has been confirmed that the user's identity is not under attack, clicking the Unlock 2FA button will unlock the user's 2FA.
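The lockout rule above, the whitespace handling from section 6 and the SMS-to-mobile transition described earlier in 10.1, modelled as an added illustrative example (not ESET's implementation; the class, its method names, the order in which the two OTP types are checked and the reset of the failure counter on success are assumptions):

```python
import hmac
from typing import Optional

# Lockout threshold stated in the manual: 10 incorrect OTPs are tolerated,
# the 11th failed OTP locks the user's 2FA until an administrator unlocks it.
MAX_FAILED_OTPS = 10

def normalise_otp(entered: str) -> str:
    """Strip all whitespace: the app shows '123 456', the verifier ignores the space."""
    return "".join(entered.split())

class User2FAState:
    """Illustrative model of one user's ESA 2FA state (hypothetical, not ESET's code).
    sms_enabled / mobile_enabled mirror the ADUC check boxes. A user with both is
    'transitioning': SMS OTPs work only until the first valid mobile OTP is used.
    """

    def __init__(self, sms_enabled: bool, mobile_enabled: bool) -> None:
        self.sms_enabled = sms_enabled
        self.mobile_enabled = mobile_enabled
        self.failed_otps = 0
        self.locked = False

    def is_transitioning(self) -> bool:
        return self.sms_enabled and self.mobile_enabled

    def verify_otp(self, entered: str, sms_otp: Optional[str], mobile_otp: Optional[str]) -> bool:
        """sms_otp: code sent for this attempt (None if none); mobile_otp: code the app shows."""
        if self.locked:
            return False  # a locked user is rejected even with a correct OTP
        candidate = normalise_otp(entered).encode()
        # Assumptions: mobile OTP is checked first and a success resets the failure count.
        if self.mobile_enabled and mobile_otp and hmac.compare_digest(candidate, mobile_otp.encode()):
            self.failed_otps = 0
            self.sms_enabled = False  # first valid mobile OTP ends the transitioning state
            return True
        if self.sms_enabled and sms_otp and hmac.compare_digest(candidate, sms_otp.encode()):
            self.failed_otps = 0
            return True
        self.failed_otps += 1
        if self.failed_otps > MAX_FAILED_OTPS:  # the 11th failure locks 2FA
            self.locked = True
        return False

    def admin_unlock(self) -> None:
        """The Unlock 2FA action, used after confirming the user is not under attack."""
        self.locked = False
        self.failed_otps = 0
```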
If Hard Token OTPs have been enabled in the MMC, then the Hard Token check-box will become available. There are then more states in which the user may potentially find him or herself. The user can be enabled for any combination of the three OTP types, including a transitioning state. The different possibilities are listed below.
Or the user may be in a transitioning state where all three OTP types are enabled.
In the following state the user is enabled for both Hard Token and mobile OTPs.
If the Mobile Application has been sent but not yet installed, the user will be in the following state.
The user can also be in the state where both SMS and Hard Token OTPs are allowed.
10.2 Provisioning Multiple Phones
You can distribute the ESET Secure Authentication mobile app or SMS text messaging service to multiple mobile phones using the ADUC. For provisioning to multiple phones to be successful, all users must have a valid mobile phone number entered in User Properties under 'Mobile' (see the section User Management for instructions on how to enter a user's mobile phone number into User Properties).
1. Open the normal ADUC user view.
6. Click Send Application. Your client phones will receive a text message containing a link to the ESA mobile app download page.
10.3 Override Mobile Number Field
You can specify the Active Directory field from which a user's mobile number is loaded. The "Mobile" field is used by default. To change the mobile number field:
1. Launch the ESA Management Console.
2. Expand the node for your domain.
3. Navigate to the Advanced Settings node.
4. Expand the Default Mobile Number Field panel.
5. You will be able to select a different field to be used for loading a user's mobile number.
The ESA SMS Users group contains all users in your domain that have been enabled for SMS OTPs.
ESA Mobile App Users
The ESA Mobile App Users group contains all users that have been enabled for mobile application OTPs. Group membership is updated in real time when users are configured in the ADUC. Finding all users that have been enabled for SMS OTPs (for example) is simple:
1. Launch the ADUC
2. Right-click on your domain node, and select Find
11.1.2 On-demand SMS-based OTPs ESET Secure Authentication supports "On-demand SMS OTPs" for certain systems that support primary authentication against Active Directory and secondary authentication against a RADIUS server. In this scenario, users that have already been authenticated against Active Directory may type the letters 'sms' to receive a One Time Password via SMS.
11.1.7 Access Control Using Group Membership
ESA supports the ability to only allow members of a specific AD security group to log in to the VPN using 2FA. This is configured on a per-RADIUS-client basis under the Access Control heading.
11.1.8 Hard Tokens
This scenario occurs if both the user and the RADIUS client are configured to use Hard Token OTPs. In this configuration, a user logs into the VPN by entering their Active Directory (AD) password concatenated with an OTP generated by their Hard Token.
The use of the standard Windows event logging architecture facilitates the use of third-party aggregation and reporting tools such as LogAnalyzer.
12.2 Licensing
12.2.1 Overview
Your ESA license has three parameters:
- User Total
- Expiry Date
- SMS Credits
The details of the license are obtained from the ESET Licensing system, and the ESA system automatically checks for license validity. The ESA Provisioning server may perform license enforcement by limiting SMS OTPs and user provisioning.
[Table fragment, columns truncated: "whichever is lowest"; SMS Credits: less than 10 SMS credits; 0 SMS credits remaining (Onboarding + Top-up); Never / Never / Never]
12.2.4 License Enforcement
The following table describes how license enforcement is performed on the ESA authentication server. In all cases, an administrator will be able to disable ESA authentication for a subset of the users (by disabling 2FA for those users) or for all users (by means of system configuration or uninstalling the product).