
Binding additional one-time passwords to the Windows login window. One Time Password Access Authentication System (OTP)


Some of you must have heard about the incident that was made public recently. The American semiconductor manufacturer Allegro MicroSystems LLC has sued its former IT specialist for sabotage. Nimesh Patel, who had been with the company for 14 years, destroyed important financial data in the first week of the new fiscal year.


How did it happen?


Two weeks after he was fired, Patel entered the company's headquarters in Worcester, Massachusetts, USA, in order to get onto the company's Wi-Fi network. Using the credentials of a former colleague and a work laptop, Patel logged into the corporate network. He then injected code into the Oracle module and scheduled it to run on April 1, 2016, the first week of the new fiscal year. The code was meant to copy certain headers or pointers into a separate database table and then remove them from the module. Exactly on April 1, the data was deleted from the system. And since the attacker had logged in to the Allegro network with legitimate credentials, his actions were not noticed immediately.


The general public does not know the details, but most likely the incident became possible largely because the company used password authentication for network access. There were surely other security problems, but it is the password that can be stolen without the user noticing, and the theft will at best be detected only when the stolen credentials are used.


Strong two-factor authentication and a ban on password use, combined with a competent security policy, could have helped: if not to avoid the described chain of events entirely, then at least to greatly complicate the execution of such a plan.


We will talk about how you can significantly increase the security level of your company and protect yourself from such incidents. You will learn how to set up authentication and signing of important data using tokens and cryptography (both foreign and domestic).


In the first article, we will explain how to set up strong two-factor authentication using PKI when logging into a domain account on Windows.


In the following articles, we will tell you how to set up Bitlocker, secure email and the simplest workflow. We will also set up secure access to corporate resources and secure remote access via VPN together with you.

Two-factor authentication

Experienced system administrators and security personnel are well aware that users are extremely careless about complying with security policies: they write their credentials on a sticky note and stick it next to the computer, hand passwords to their colleagues, and the like. This happens especially often when the password is complex (more than 6 characters, consisting of letters of different case, numbers and special characters) and hard to remember. But administrators set such policies for a reason: they protect the user account from a simple dictionary attack. Administrators also recommend changing passwords at least once every 6 months, simply because over that time even a complex password can theoretically be brute-forced.


Let's remember what authentication is. In our case, this is the process of confirming the identity of a subject or object. User authentication is the process of verifying the identity of a user.


Two-factor authentication is authentication in which you must use at least two different methods to verify your identity.


The simplest example of two-factor authentication in real life is a safe with a lock and a code combination. To open such a safe, you need to know the code and own the key.

Token and smart card

Probably the most reliable and easiest to implement two-factor authentication method is to use a cryptographic token or smart card. A token is a USB device that is both a reader and a smart card at the same time. The first factor in this case is the fact of ownership of the device, and the second is the knowledge of its PIN code.


Use a token or a smart card, whichever is more convenient for you. But historically, it so happened that in Russia they are more accustomed to using tokens, since they do not require the use of built-in or external smart card readers. Tokens also have their downsides. For example, you can't print a photo on it.


The photo shows a typical smart card and reader.



But back to corporate security.


And we will start with the Windows domain, because in most companies in Russia the corporate network is built around it.


As you know, Windows domain policies, user settings, and group settings in Active Directory provide and restrict access to a huge number of applications and network services.


By protecting an account in a domain, we can protect most, and in some cases all, internal information resources.

Why is two-factor authentication in a domain using a token with a PIN code more secure than a regular password scheme?

The PIN is tied to a specific device, in our case a token. Knowing the PIN by itself gives an attacker nothing.


For example, the PIN of a token could be dictated over the phone to other people and this would give an attacker nothing, provided you treat the token carefully enough and do not leave it unattended.


With a password, the situation is completely different: if an attacker picked, guessed, spied on or otherwise got hold of the password of a domain account, he can freely log in both to the domain itself and to the other company services that use the same account.


A token is a unique physical object that cannot be copied, and it is in the possession of the legitimate user. Two-factor authentication with a token can be bypassed only when the administrator, intentionally or through an oversight, has left "loopholes" in the system for this.

Benefits of logging into a domain with a token

A token PIN is easier to remember, as it can be much simpler than a password. Everyone has seen at least once how an "experienced" user painfully fails to authenticate after several attempts, trying to recall and type his "secure" password.


The PIN does not need to be changed regularly, because tokens are more resistant to PIN brute force: after a certain number of unsuccessful attempts, the token is locked.


With a token, the user's login looks like this: after the computer boots up, the user simply plugs the token into a USB port, enters 4-6 digits and presses Enter. Most people type digits faster than letters, so the PIN is entered faster than a password.



Tokens solve the "abandoned workplace" problem, when a user leaves his workplace and forgets to log out of his account.

The domain policy can be configured to lock the computer automatically when the token is removed. The token can also be equipped with an RFID tag for passing between the company's premises, so that without taking the token from his workplace the employee simply cannot move around the premises.

Disadvantages (there are always some)

Tokens or smart cards are not free (solved by the budget).


They need to be inventoried, administered and maintained (solved by token and smart card management systems).


Some information systems may not support token authentication out of the box (solved by Single Sign-On systems, which are designed to let a single account be used to access any resource of the organization).

Setting up two-factor authentication in a Windows domain

Theoretical part:


The Active Directory directory service has supported smart card and token authentication since Windows 2000. It is implemented through the PKINIT (Public Key Cryptography for Initial Authentication) extension of the Kerberos protocol, RFC 4556.


The Kerberos protocol was specifically designed to provide strong user authentication. It can use centralized storage of authentication data and is the basis for building Single Sign-On mechanisms. The protocol is built around the key entity, the ticket.



A ticket is an encrypted data packet issued by a trusted authentication authority, which in Kerberos terms is the Key Distribution Center (KDC).


When a user performs primary authentication, the KDC, after successfully authenticating the user, issues the user's primary credential for accessing network resources: the Ticket Granting Ticket (TGT).


Later, when accessing individual network resources, the user presents the TGT and receives from the KDC a service ticket for the specific network resource, issued by its Ticket Granting Service (TGS).


One of the advantages of the Kerberos protocol, which provides a high level of security, is that neither passwords nor password hash values are transmitted in clear text during any interaction.


The PKINIT extension allows you to use two-factor authentication using tokens or smart cards during the Kerberos pre-authentication stage.


Logon can be provided using either a domain directory service or a local directory service. The TGT is issued on the basis of a digital signature that is computed on the smart card or token.


All domain controllers must have a Domain Controller Authentication or Kerberos Authentication certificate installed, because client and server authenticate each other mutually.


Practice:


Let's start setting up.


We will make sure that you can enter the domain under your account only upon presenting the token and knowing the PIN code.


For the demonstration, we will use Rutoken EDS PKI manufactured by Aktiv.



Stage 1 - Setting up a domain

The first step is to install Certificate Services.


Disclaimer.


This article is not a tutorial on how to implement an enterprise PKI. The issues of designing, deploying and competently using PKI are not considered here due to the immensity of this topic.


All domain controllers and all client computers within the forest where such a solution is implemented must trust the root Certification Authority (CA).


The task of the certification authority is to certify public keys by issuing digitally signed certificates.


Technically, the CA is implemented as a component of the global directory service responsible for managing users' cryptographic keys. Public keys and other information about users are stored by certification authorities in the form of digital certificates.


The CA that issues certificates for smart card or token logon must be placed in the NTAuth store.


Go to Server Manager and select "Add Roles and Features".


When adding server roles, select "Active Directory Certificate Services" (Microsoft strongly recommends not doing this on a domain controller, so as not to aggravate performance problems). In the window that opens, select "Add Features" and then select "Certification Authority".


On the page to confirm the installation of components, click "Install".


Stage 2 - Setting up domain login using a token


To log in, we need a certificate that contains the Smart Card Logon and Client Authentication extended key usages (EKUs).


The certificate for smart cards or tokens must also contain the user's UPN (User Principal Name). By default, the UPN suffix of an account is the DNS name of the domain that contains the user account.


The certificate and private key must be placed in the appropriate containers of the smart card or token, and the private key must reside in a secure area of the device's memory.


The certificate must contain the path to a CRL distribution point. The CRL is a file listing revoked certificates, with the serial number of each certificate, the date of revocation and the reason for revocation. It is used to communicate information about revoked certificates to the users, computers and applications that attempt to verify a certificate.


Let's configure the installed certificate services. In the upper right corner, click on the yellow triangle with an exclamation point and click "Configure Certificate Services ...".



In the Credentials window, specify the user credentials required to configure the role. Select "Certification Authority".


Select Enterprise CA.


Enterprise CAs are integrated with AD. They publish certificates and CRLs to AD.


Specify the type "Root CA".


In the next step, select "Create a new private key".


Select the validity period for the certificate.


Step 3 - Adding Certificate Templates


To add certificate templates, open the Control Panel, select Administrative Tools, and open the Certification Authority.


Click on the name of the "Certificate Templates" folder, select "Manage".


Click on the template name "Smart Card User" and select "Copy Template". The following screenshots show which options in the New Template Properties window need to be changed.


If there is no “Aktiv ruToken CSP v1.0” in the list of providers, then you need to install the “Rutoken Drivers for Windows” kit.


Starting with Windows Server 2008 R2, you can use the "Microsoft Base Smart Card Crypto Provider" instead of the vendor specific provider.


For Rutoken devices, the "minidriver" library that supports the "Microsoft Base Smart Card Crypto Provider" is distributed via Windows Update.


You can check whether the "minidriver" is installed on your server by connecting a Rutoken to it and looking in Device Manager.




If for some reason there is no “minidriver”, you can force it by installing the “Rutoken Drivers for Windows” kit, and then use the “Microsoft Base Smart Card Crypto Provider”.


The Rutoken Drivers for Windows kit is distributed free of charge from the Rutoken website.


Add two new templates, "Enrollment Agent" and "User with Rutoken".



When adding the Certificates snap-in to the MMC console, select "My user account" in the "Certificates snap-in" window. In the Add/Remove Snap-ins window, confirm adding the Certificates snap-in.


Select the "Certificates" folder.




Request a new certificate. The certificate enrollment page will open. In the certificate request step, select the "Administrator" template under the enrollment policy and click "Apply".




In the same way, request a certificate from the Enrollment Agent template.


To request a certificate for a specific user, right-click "Certificates" and select "Enroll On Behalf Of...".



In the window for requesting a certificate, check the box "User with Rutoken".


Now you need to select a user.


In the "Enter the object names to select" field, enter the user's name in the domain and click "Check Names".


In the user selection window, click "Enroll".


Select the name of the token from the drop-down list and enter the PIN code.


Request certificates for the other users in the domain in the same way.


Stage 4 - Setting up user accounts


To set up accounts, open the list of AD users and computers.


In the Users folder, select the user and open Properties.



Go to the "Account" tab and check the "Smart card is required for interactive logon" box.


Next, set up security policies. Open the Control Panel, select Administrative Tools and open the Group Policy Management console.


On the left side of the Group Policy Management window, click Default Domain Policy and select Edit.



On the left side of the Group Policy Management Editor window, select Security Options.



Open the "Interactive logon: Require smart card" policy.


On the "Security Policy Settings" tab, select the "Define the following policy setting" and "Enabled" checkboxes.


Open the Interactive Logon: Smart Card Removal Behavior policy.


On the "Security Policy Setting" tab, check the "Define this policy setting" box and select "Lock Workstation" from the drop-down list.


Restart the computer. The next time you authenticate to the domain, you can already use the token and its PIN.



Two-factor authentication for domain logon is configured, which means the security level of logging into the Windows domain has been raised significantly without spending an insane amount on additional security tools. Now logging into the system is impossible without a token, and users can breathe easy and stop suffering from complex passwords.


The next step is secure mail, read about this and how to set up secure authentication in other systems in our next articles.

Received incredibly good comments and clarifications from a friend who wished to remain anonymous:
1) At the very beginning of the server setup, enter the command:

    multiotp.exe -debug -config default-request-prefix-pin=0 display-log=1

After it, you do not need to enter a PIN code when setting up a user, and the log of each operation is displayed in the console.

2) Using this command, you can adjust the ban time for users who made a mistake with the password (30 seconds by default):

    multiotp.exe -debug -config failure-delayed-time=60

3) What is written in the Google Authenticator application above the 6 digits is called the issuer; you can change it from the default MultiOTP to something else:

    multiotp.exe -debug -config issuer=other

4) After the operations performed above, the command to create a user becomes a little simpler:

    multiotp.exe -debug -create user TOTP 12312312312312312321 6

(I don't set the digit update time to 30 seconds, it seems to default to 30.)

5) Each user can change the description (the text under the numbers in the Google Authenticator app):

    multiotp.exe -set username description=2

6) QR codes can be created directly in the application:

    multiotp.exe -qrcode username c:\multiotp\qrcode\user.png

7) You can use not only TOTP, but also HOTP (the input of the hash function is not the current time, but the value of an incrementing counter):

    multiotp.exe -debug -create username HOTP 12312312312312312321 6

Passwords can create a big security and manageability headache for IT administrators of enterprises and organizations. Users often create simple passwords or write passwords down so they don't forget them. In addition, few password reset procedures are both effective and secure. Given these limitations, how can such security issues be mitigated when the network is accessed by remote users? How can you make your company's password solution more secure, knowing that many users write down their passwords?

There is a solution: introducing in the organization an additional access protection system based on one-time passwords (OTP, One Time Password), which are generated on your employee's mobile device. The transition to authentication based on one-time passwords usually happens when it becomes clear that standard long-term passwords are insufficient in terms of security and, at the same time, the options for using smart cards are limited, for example when mobile clients are used on a mass scale.

Our company has developed a technological solution that provides an additional line of defense, based on one-time passwords, for a terminal server or 1C server to which employees connect remotely.

Scope of work for deploying and configuring an OTP system

  • On your server, specialized software is installed and configured for the operation of an access authentication system based on one-time passwords (OTP).
  • All employees of the organization who need access to the server are enrolled in the OTP system.
  • For each employee, the initial configuration of a mobile phone is performed, with the installation of a program for generating one-time passwords.

The cost of introducing an access authentication system based on one-time passwords (OTP) for a terminal server or 1C server in an organization starts from 6 400 rubles.

In cases where the OTP system is deployed together with the rental of infrastructure in our secure "cloud", the discount for implementing the one-time password (OTP) protection system can reach 50%.

One-time passwords - an additional layer of data security

A traditional, static password is usually changed only when necessary: either when it expires or when the user has forgotten it and wants to reset it. Since passwords are cached on computers' hard drives and stored on the server, they are vulnerable to theft. This problem is especially acute for portable computers, because they are easy to steal. Many companies give employees laptops and open up their networks to remote access. They also hire temporary employees and contractors. In such an environment, a simple static password solution becomes a liability.

Unlike a static password, a one-time password changes every time a user logs into the system and is valid only for a short period of time (30 seconds). The passwords themselves are generated by an algorithm that depends on several variables: the time, the number of successful/unsuccessful logins, randomly generated numbers, etc. This seemingly complex approach requires only simple actions from the user: install a special application on the phone, which is synchronized once with the server and subsequently generates one-time passwords. With each new successful login, the client and server are resynchronized automatically and independently of each other according to a special algorithm. In the counter-based variant, the counter value increases each time an OTP value is requested from the device, and when the user wishes to log in, he enters the OTP currently displayed on his mobile device.

A password is not a very strong security measure. Very often simple, easy-to-guess passwords are used, or users do not really look after their passwords (share them with colleagues, write them on pieces of paper, etc.). Microsoft has long had a technology that allows you to log in with a smart card, i.e. authenticate in the system using a certificate. But it is not necessary to use smart cards directly, because they also require readers, so it is easier to replace them with USB tokens. They allow you to implement two-factor authentication: the first factor is the password of the token, the second factor is the certificate on the token. Below, using the example of a JaCarta USB token and a Windows domain, I will tell you how to implement this authentication mechanism.

First of all, let's create a group "g_EtokenAdmin" in AD and an "Enrollment Agent" account that belongs to this group. This group and user will manage the certification authority.

Additionally, we will install a Web service to request certificates.

Next, select the Enterprise option. Select Root CA (if this is the first certification authority in the domain).
Create a new private key. The key length can be left at the default, but for the hashing algorithm it is better to choose SHA2 (SHA256).


Enter the name of the CA and select the validity period of the main certificate.
Leave the rest of the parameters as default and start the installation process.


After installation, open the Certification Authority snap-in and configure the permissions on the templates.

We are interested in two templates: Enrollment Agent and Smartcard Logon.
Open the properties of these templates and, on the Security tab, add the "g_EtokenAdmin" group with Read and Enroll permissions.

And they will appear in our general list.

The next step is to configure group policies:
First of all, we tell all computers in the domain about the root certification authority; for this we change the Default Domain Policy.
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities -> Import


Select our root certificate, located at the path C:\Windows\System32\certsrv\CertEnroll. Close the Default Domain Policy.
In the next step, we create a policy for the container that will hold the computers with token (smart card) authentication.

Under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options, configure two settings: "Interactive logon: Require smart card" and "Interactive logon: Smart card removal behavior".

That's all for the settings; now we can issue a client certificate and test token authentication.
Log in to a computer under the "Enrollment Agent" account and open the link http://Server_name_MS_CA/certsrv in the browser.

Select Request a certificate -> advanced certificate request -> Create and submit a request to this CA.
If you receive an error like "To complete the certificate enrollment, you must configure the web site for the CA to use HTTPS authentication", you need to bind the site to HTTPS on the IIS server where MS CA is installed.


Let's continue obtaining the certificate: on the page that opens, select the "Enrollment Agent" template and click the button to submit the request and install the certificate.


The Enrollment Agent user can now issue certificates for other users. As an example, we will request a certificate for a test user. To do this, open the certificate management console certmgr.msc, because the web interface cannot write a certificate to a USB token.
In this console, right-click the Personal folder and make a request on behalf of another user (Advanced Operations -> Enroll On Behalf Of...).


As the signing certificate, select the only "Enrollment Agent" certificate and proceed to the next step, where we select the "Smartcard Logon" template and click Details to choose the cryptographic provider.
In my case, I use JaCarta tokens, so the Athena crypto provider was installed along with the drivers:


At the next step, select the domain user for whom we are issuing the certificate and click the "Enroll" button.

Insert the token, enter the PIN and the generation process begins. As a result, we should see a dialog box saying "Succeeded".
If the process ended unsuccessfully, the problem may be in the template for obtaining a certificate, in my case it had to be tweaked a little.

Let's start testing: check the operation of the token on a computer located in the OU with the smart card logon group policy.
When trying to log in with an account and password, we should be denied. When trying to log in with a smart card (token), we will be prompted for a PIN and should log in to the system successfully.

P.S.
1) If automatic locking of the computer or logging out does not work after the token is pulled out, check whether the "Smart Card Removal Policy" service is running.
2) You can write to a token (generate a certificate) only locally; it will not work over RDP.
3) If the certificate generation process cannot be started using the standard "Smartcard Logon" template, create a copy of it with the following parameters.

That's all, if you have any questions, ask, I'll try to help.

Today we will tell you how you can quickly and easily set up two-factor authentication and encrypt important data, even with the option of using biometrics. The solution is relevant for small companies or simply for a personal computer or laptop. Importantly, for this we do not need a public key infrastructure (PKI), a server with the Certificate Services role, or even a domain (Active Directory). All system requirements come down to the Windows operating system and the user's possession of an electronic key; in the case of biometric authentication, also a fingerprint reader, which, for example, may already be built into your laptop.

For authentication, we will use software we developed, JaCarta SecurLogon, with the JaCarta PKI electronic key as the authenticator. The encryption tool will be the standard Windows EFS, and access to encrypted files will also be through the JaCarta PKI key (the same one used for authentication).

Recall that JaCarta SecurLogon (JSL) is a software and hardware solution by Aladdin R.D., certified by the FSTEC of Russia, which allows a simple and quick transition from one-factor authentication based on a login-password pair to two-factor authentication in the OS using USB tokens or smart cards. The essence of the solution is quite simple: JSL generates a complex password (~63 characters) and writes it to the secure memory of the electronic key. The user need not know the password at all; the user knows only the PIN. By entering the PIN during authentication, the user unlocks the device and the password is sent to the system for authentication. Optionally, PIN entry can be replaced with a scan of the user's fingerprint, or a combination of PIN + fingerprint can be used.

EFS, like JSL, can work in standalone mode, requiring nothing but the OS itself. All Microsoft operating systems of the NT family, starting with Windows 2000 (except home editions), have the built-in EFS (Encrypting File System) data encryption technology. EFS encryption is based on the capabilities of the NTFS file system and the CryptoAPI architecture and is designed for fast encryption of files on the computer's hard drive. EFS uses the user's private and public keys, which are generated the first time the user uses the encryption feature. These keys remain unchanged for as long as the account exists. When encrypting a file, EFS randomly generates a unique 128-bit number, the File Encryption Key (FEK), with which the file is encrypted. The FEK is in turn encrypted with the key of each user who has access to the file. The user's private key is protected by the hash of the user's password. Data encrypted with EFS can be decrypted only under the same Windows account with the same password under which the encryption was performed. And if the encryption certificate and private key are stored on a USB token or smart card, then this USB token or smart card will also be required to access the encrypted files, which solves the problem of password compromise, since an additional device in the form of an electronic key will also be required.

Authentication

As already noted, you don't need AD or a certification authority for the configuration, just any modern Windows, the JSL distribution and a license. The setup is embarrassingly simple.

You need to install a license file.

Add user profile.

And start using two-factor authentication.

Biometric authentication

It is possible to use biometric fingerprint authentication. The solution works on Match On Card technology: the fingerprint template is written to the card during initial initialization and later compared against the presented fingerprint on the card itself. It never leaves the card and is not stored in any database. To unlock such a key, a fingerprint, a combination of PIN + fingerprint, or either PIN or fingerprint is used, depending on the configuration.

To start using it, you just need to initialize the card with the required parameters and enroll the user's fingerprint.

In the future, the same window will pop up before entering the OS.

In this example, the card is initialized with the possibility of authentication by fingerprint or PIN code, which is indicated by the authentication window.

After presenting a fingerprint or PIN code, the user will enter the OS.

Data encryption

Setting up EFS is also not very complicated: it comes down to creating a certificate, issuing it to the electronic key, and configuring the encrypted directories. Typically you do not need to encrypt the entire drive. Really important files, which third parties should not be able to access, are usually located in separate directories rather than scattered all over the disk.

To issue an encryption certificate and private key, open the user account and select "Manage file encryption certificates". In the wizard that opens, create a self-signed certificate on the smart card. Since we continue to use a smart card with the BIO applet, a fingerprint or PIN must be presented to write the encryption certificate.

In the next step, specify the directories that will be associated with the new certificate; if necessary, you can specify all logical drives.

The encrypted directory itself and the files in it will be highlighted in a different color.

Access to the files is possible only with the electronic key, upon presentation of a fingerprint or PIN, depending on what was selected.

This completes the entire setup.

You can use both scenarios (authentication and encryption), or stop at just one of them.
