Last Update: Apr 17, 2024 | Published: Jan 12, 2023
Advanced password attacks, like brute force and those launched by malicious insiders, are devastating the security of today’s enterprises and cloud services. ADSelfService Plus from ManageEngine can protect web properties from such attacks with multi-factor authentication (MFA).
As the impacts of cybersecurity attacks have increased, and the vectors malicious actors utilize continue to grow, it is important to keep one step ahead in network security and enterprise environments. This includes your Active Directory (AD) and cloud-based identity solutions like Microsoft 365/Azure Active Directory (AAD).
This post is sponsored by ManageEngine
Multi-factor authentication (MFA) is a relatively intuitive term. Think of a factor as an identifier you use to prove who you are. The most common factor is a password. When you sign in with a username, you need to prove to the authentication engine that you, and only you, are authorized to use that username, and that the password you supply matches the one held for the account in the database. Going back to how things were from the start, the password was essential and it was the only factor you needed to access ‘secure’ systems.
Today, passwords can be impersonated, guessed, and cracked. So, we progressed logically by inventing and eventually requiring a second (or third) factor, and thus multi-factor authentication was born. The additional factors can be push notifications to the Microsoft Authenticator app, a physical security key (YubiKey, for example), a fingerprint, or an SMS text response.
Thankfully, a solution exists that checks all the boxes required, plus a few nice perks – ADSelfService Plus from ManageEngine.
When everyone essentially worked in the office, most of your users and computers were on the corporate Local Area Network (LAN). Everyone was readily available and on your network if you needed to deploy a new security solution with Active Directory. In today’s hybrid-enabled workforce, many of your employees are likely working from home. Some employees may even be in remote areas, geographically spread out, making it nearly impossible to get them on the LAN.
In addition, Microsoft does not offer any native solutions for using MFA with Active Directory. There are no specific APIs available for developers. So, third-party software solutions were created. Or, you have the option of implementing Active Directory Federation Services (AD FS), which is time-consuming, difficult to learn, and adds a good deal of ‘older’ technology into your modern architecture.
Microsoft is pushing customers from on-premises Active Directory (AD) to Azure AD and its native MFA technology. But there must be a better solution…
ADSelfService Plus is an identity security solution that can help secure your networks from many cyberattacks, save IT costs, and start your Zero Trust Security plan. With this full-featured solution, you can secure multiple IT resources including identities, computers, and Virtual Private Network (VPN), reduce the burden on your helpdesk, and empower users with many self-service capabilities.
Most importantly, you gain 360-degree visibility and control over your resources spread across on-premises, cloud, and hybrid scenarios.
Because ADSelfService Plus includes such a wide variety of authentication factors (19), it is much easier to roll out a security solution like this to your entire user base. Due to the accommodating design of the solution’s framework, you’re able to protect all of the ingress points in your environment, regardless of ‘where’ your users are located.
Adaptive MFA, otherwise known as risk-based MFA, provides users with authentication factors that adjust to the method they use to log in. A calculation of security risk is made with each attempt based on the following factors:
The authentication factors available to the user are adaptable based on these risk assessments. As an example, if a user, known to be on vacation, attempts to log in to the domain at their work desktop at 3 am, additional authentication factors will be required with this attempt, to make extra sure the user is who they say they are. If all things check out, access is granted. If user activity is suspicious, access to network resources can be denied.
With ADSelfService Plus’s MFA for Windows feature enabled, users are protected when logging into domain-joined computers (desktops, laptops) and servers, using Remote Desktop Protocol (RDP). This gives you the peace of mind that every login request to any computer on your domain will be MFA-protected.
When you enforce MFA on macOS devices using ADSelfService Plus, every user is required to authenticate their identity via two factors before they can log into their device. Here are some benefits to your macOS users and devices:
ADSelfService Plus includes a feature to protect Linux devices as well. It builds an additional layer of security for the user login process. As with the other solutions mentioned, Linux users will log into workstations with their AD credentials and then a second factor including:
Back in the day, VPNs were all the rage, rolled out by corporate IT security teams to protect remote user connections and file access using a secure tunnel into your LAN. Today, just typing in a username and password is sadly not enough. That is where MFA for VPN comes in.
ADSelfService Plus enables you to secure your VPN connection endpoints for the most popular VPN client solutions, including:
Cloud application proliferation has been on the rise for many years now. And yes, that introduces another login session for end users. By enabling single sign-on (SSO) between ADSelfService Plus and a wide range of cloud-based applications (SAML 2.0-enabled cloud applications) like Salesforce, Google Workspace, and Dropbox, you can secure these inroads into your data, too.
Instead of using the Outlook desktop application to access email, users have the option (unless restricted by IT policy) to use their web browser to access email via Outlook on the Web (OWA). Again, only using their email address and password is not secure. This is where the MFA feature in ADSelfService Plus helps. The product provides MFA for Outlook on the Web and the Exchange Admin Center (EAC). It implements additional authentication steps beyond the login and password.
Let’s get into the weeds a bit here and go through some of the general system requirements for ADSelfService Plus.
Here are the minimum and recommended hardware requirements for ADSelfService Plus:
Hardware | Minimum requirements | Recommended requirements
Table 1 – Hardware Requirement for installing ADSelfService Plus on a Windows computer
The following server and client Windows versions are compatible with software installations and endpoint installations.
The installation process is straightforward. All you need to do is download the executable (EXE) file from this link, and run it on a Windows machine joined to your AD domain. There are some post-install security hardening steps you’ll need to run through – click here for that guide.
As an IT Pro, you can launch the service in your web browser by typing http://hostname:8888/ into the address bar. The hostname will be the computer name of the device you installed the software on. Once you deploy the ADSelfService Plus login agent, users will be able to reset their password and/or unlock their account right from the login screen on their computers.
There are older server and client versions supported by ManageEngine, but as Microsoft does not support them, I will not include them here. You can get more information directly from ManageEngine.
Besides the various MFA tools and features described, there are more features available in their suite. Let’s go through some of the hottest right here:
Download a free trial of ManageEngine ADSelfService Plus and try out multi-factor authentication for yourself. If you’d like to take ADSelfService Plus for a spin, you can use this link to download a fully-functional evaluation for unlimited users for 30 days.
You can also register on that same page to get free technical support during your evaluation period. In addition – click on this link to sign up for a personalized web demo from ManageEngine!
After you’ve trialed the software, you can purchase the professional edition and gain a host of new features – read about them here! Thank you for learning more about ADSelfService Plus and how it can safely and efficiently secure your entire environment from intruders and hackers.