Interesting idea. It's similar in essence to using a separate user account for VPN authentication instead of the user's primary domain account. That also works, but what I'm really looking for is a genuine two factor system.
I'll look into Scorpionsoft and am going to try out Quest's Defender in the next few weeks. Thanks for the input folks.

-----Original Message-----
From: Clayton Doige [mailto:[email protected]]
Sent: Thursday, July 30, 2009 11:27 AM
To: NT System Admin Issues
Subject: RE: Windows two factor auth quick poll

This is a slightly different twist, but is a cost effective method assuming your firewall supports this: my experience was with Watchguard. Watchguard firewalls have the ability to force people to log in to the firewall before they open a port - typically you would use this if you wanted to restrict web browsing by user, however it works from the outside in as well.

So the process was simple: set up a separate username and password on the firewall for a user, and before they can access your OWA, or Terminal Server farm, whatever, they have to authenticate to the firewall. Next, when they wish to access the actual resource they are after, they have to use the Windows password etc to do so.

It's not pure two factor in that both levels are 'something the user knows' as opposed to something they know and something they have and something they are etc, but it's effective, and cheap to implement.

If you have multiple sites, take some of those old Windows 2000 Server CDs you have and create a virtual domain controller in a separate Windows 2000 domain at each site (assuming you're licensed of course), and then let the domain controllers sync up so the user only has one firewall password for the whole estate, as opposed to one for each site. Point the firewall authentication at that Active Directory, and you're done.

-----Original Message-----
From: Richard Stovall [mailto:[email protected]]
Sent: 30 July 2009 03:46
To: NT System Admin Issues
Subject: Windows two factor auth quick poll

I'm throwing this out into the ether 'cause I really don't know where to start. I'm looking for strong remote access / user authentication for a Windows 2003 functional level domain.

RSA SecureID -or- Aladdin SafeWord -or- Entrust IdentityGuard -or- Authenex-ASAS -or- Quest Defender -or- something else?

Desired features are:
1) minimal cost (naturally)
2) minimal installation footprint
3) flexibility (different rules depending on where the user is physically located)
4) ease of management
5) upgrade-ready (to future AD versions, etc.)

All thoughts and experiences are welcome.

Thanks,
RS

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
