Securing remote administrator login to Windows Server has always been a challenge. Enforcing best practices such as complex passwords and Multi-Factor Authentication (MFA) has traditionally required installing additional plugins and tools on every machine in the environment to prompt for and enforce organizational policy. This adds complexity to the build process and is easily missed when new servers are set up in the environment.
With the Preempt platform, because Remote Desktop authentications require an Active Directory login, policy for secure and anomalous activity can be enforced at login time with little or no change at the endpoint. In this blog, I will cover enabling and enforcing MFA and organizational policy within the Preempt platform (https://www.preempt.com/) to reduce changes at the server level and provide consistent policy enforcement across the environment. For this demo, I am using PingID as the MFA factor (Preempt supports several others) to securely access my Server 2012+ environment. I have also pre-configured the Preempt platform in my environment and installed the Domain Controller sensors that monitor login activity.
To begin, we need to obtain the PingID integration properties file from the Ping administrator interface. Log in to https://admin.pingone.com, go to Setup > PingID > Client Integration, and get an integration properties file.
Download the file to your local machine to be uploaded to the Preempt platform.
Once you have the PingID properties file, log in to the Preempt console and go to Administration > Connectors.
From the dropdown, select PingID. As you can see, there is a long list of possible MFA factors to use in the platform, but for this demo we are using PingID.
Once selected, you will see the PingID connector on the page.
Select the pingid.properties file downloaded in the previous step.
Once uploaded, you should see a success message confirming that the properties file has been uploaded and the connector is now enabled.
NOTE: To ensure authentication is enforced at login, validate that all domain controller agents are set to Active / inline proxy mode for both Kerberos and NTLM (as below). If this is not set, the login will be allowed, but the administrator will still be prompted for MFA.
At this point, we can add a sample policy that forces MFA for administrator users logging into a host via RDP. Log in to the console, go to Policy > Settings, and enable Simulation mode for testing.
Next, add a sample policy by going to Manage Rules and clicking Add Rule.
For the sample rule, there are many options for matching on group membership, location, login type, and so on. To keep validation of the enforcement simple, we have chosen a specific user, a specific machine, and a login type of Remote Desktop.
Run the Assess option at the bottom to test and validate the rule conditions and see their impact. This is a good way to confirm that the rule catches only the logins the policy is intended to catch.
Click Save when done, then apply the changes at the top of the page to push the policy to the appliance.
Now we can log in to the test host to validate the configuration and make sure the rule is triggered (we are still in simulation mode). As we can see, the remote login for ‘Admin – Nick Hunt’ triggered the rule and would have sent a push to PingID.
Once this is done, go back in and disable Simulation mode. The next time you log in, you should see something like the video below.
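To cross-check the test login above against what the Preempt console reports, the following script, an added example that is not part of the original post or of the Preempt product, lists recent Remote Desktop (LogonType 10) logons from the Windows Security log on the target host, including the authentication package (Kerberos or NTLM) relevant to the inline-proxy note. It assumes an elevated PowerShell session on the test host; the account name is a placeholder for whatever user was selected in the rule.

```powershell
# Added example (not from the original post): list recent RDP logons on the test host
# so the login used to exercise the Preempt rule can be confirmed and correlated.
# Run in an elevated PowerShell session on the RDP target host (Server 2012+).
param(
    [string]$TestUser = 'PLACEHOLDER-ADMIN',   # placeholder: sAMAccountName chosen in the rule
    [int]$Hours = 1                            # look-back window
)

$since = (Get-Date).AddHours(-$Hours)
# 4624 = successful logon; suppress the "no events found" error when the window is empty
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rdpLogons = foreach ($e in $events) {
    # Read EventData fields by name rather than by positional index
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # LogonType 10 = RemoteInteractive (RDP). Type 3 (network) and 7 (unlock) are not
    # interactive RDP sessions and are deliberately excluded.
    if ($data.LogonType -eq '10') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            SourceIP    = $data.IpAddress
            Workstation = $data.WorkstationName
            AuthPackage = $data.AuthenticationPackageName   # Kerberos vs NTLM
        }
    }
}

# Show only the rule's test account; drop the filter to review every RDP logon in the window
$rdpLogons |
    Where-Object { $_.User -like "*\$TestUser" } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Each row should line up with an entry in the Preempt console for the same user and time; a row with no matching entry indicates the login was not seen by the platform and the domain controller agent mode is worth re-checking.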