Hackers gained access to the main mail server of the international company Deloitte. The administrator account for this server was password protected only.
Independent Austrian researcher David Wind received a $5 reward for discovering a vulnerability in the Google intranet login page.
91% of Russian companies hide the facts of data leakage.
News like this can be found in Internet news feeds almost every day. It is direct evidence that a company's internal services must be protected.
And the larger the company, the more employees it has and the more complex its internal IT infrastructure, the more pressing the problem of information leakage becomes. What information is of interest to attackers, and how can it be protected?
Leakage of what information can harm the company?
- customer and transaction information;
- technical information about products and know-how;
- information about partners and special offers;
- personal data and accounting.
And if you realize that some of the information in the list above is available from any segment of your network merely on presentation of a login and password, then you should think about raising the level of data security and protecting that data from unauthorized access.
Two-factor authentication based on hardware cryptographic media (tokens or smart cards) has earned a reputation for being very reliable and at the same time quite easy to use.
We write about the benefits of two-factor authentication in almost every article. You can read more about this in articles about
In this article, we'll show you how to use two-factor authentication to sign in to your organization's internal portals.
For example, we will take the most suitable Rutoken model for corporate use - a cryptographic USB token
Let's get started with the setup.
Step 1 - Setting Up the Server
The heart of any server is its operating system. In our case this is Windows Server 2016, and, as with the other operating systems of the Windows family, IIS (Internet Information Services) ships with it.
IIS is a group of Internet servers, including a web server and an FTP server. IIS includes applications for creating and managing websites.
IIS is designed to build web services using user accounts provided by a domain or Active Directory. This allows you to use existing user databases.
Windows Server 2016 has built-in IIS version 10.0.
Once IIS is installed, all that remains is to configure it correctly.
At the role services selection stage, we checked the Basic Authentication box.
Then we enabled Basic Authentication in IIS Manager.
And specified the domain in which the web server is located.
Then we added a binding for the site.
And chose the SSL settings.
This completes the server setup.
After completing these steps, only a user who has a token with a certificate and a token PIN will be able to access the site.
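The same server-side settings as a script, as an added example that is not part of the original article: it uses the WebAdministration module that ships with IIS on Windows Server 2016 and assumes the portal is the site named Default Web Site and the domain's NetBIOS name is CORP (both are placeholders to adjust).

```powershell
# Added example (not from the original article): scripted equivalent of the
# IIS Manager steps above. Requires an elevated PowerShell session on the server
# and the Basic Authentication role service already installed (see Step 1).
Import-Module WebAdministration

$site    = 'Default Web Site'        # assumption: the internal portal's site name
$domain  = 'CORP'                    # assumption: your AD domain (NetBIOS name)
$appHost = 'MACHINE/WEBROOT/APPHOST' # applicationHost.config, written per-site via -Location

# 1. Basic Authentication on, with the logon domain set; Anonymous off so that
#    every request must be mapped to a domain account.
$basic = 'system.webServer/security/authentication/basicAuthentication'
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $basic `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $basic `
    -Name 'defaultLogonDomain' -Value $domain
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# 2. SSL settings: require HTTPS (Basic Authentication sends the password in the
#    clear otherwise) and require a client certificate. Without SslRequireCert a
#    browser with no token would still be offered the password prompt.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Read the effective settings back to confirm the change took effect.
$auth = Get-WebConfiguration -PSPath $appHost -Location $site -Filter $basic
$ssl  = Get-WebConfiguration -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access'
"Basic auth enabled : $($auth.enabled) (domain: $($auth.defaultLogonDomain))"
"SSL flags          : $($ssl.sslFlags)"
```

The script does not create the HTTPS binding or install the server certificate; those remain the steps done in IIS Manager above.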
We remind you once again that according to
Now let's move on to setting up the user's computer. The browsers the user will use to connect to protected websites need to be configured.
Step 2 - Setting up the user's computer
For simplicity, let's assume that our user has Windows 10.
Also assume he has the kit installed
Installing a set of drivers is optional, since support for the token will most likely arrive via Windows Update.
But if this suddenly did not happen, then installing the Rutoken Drivers for Windows will solve all problems.
Connect the token to the user's computer and open the Rutoken Control Panel.
On the Certificates tab, check the box next to the required certificate if it is not already checked.
Thus, we checked that the token is working and contains the required certificate.
All browsers except Firefox are configured automatically.
You don't need to do anything special with them.
Now open any browser and enter the address of the resource.
Before the site loads, a window for selecting a certificate will appear, followed by a window for entering the token's PIN code.
If Aktiv ruToken CSP is selected as the default crypto provider for the device, then another window will open for entering the PIN code.
And only after the PIN has been entered successfully will our site open in the browser.
For the Firefox browser, additional settings must be made.
In the browser settings, select Privacy and Security. In the Certificates section, click Security Devices... The Device Manager window will open.
Click Load, specify the name Rutoken EDS and the path C:\windows\system32\rtpkcs11ecp.dll.
That's it, now Firefox knows how to handle the token and allows you to log into the site using it.
By the way, token login to websites also works on Macs in the Safari, Chrome and Firefox browsers.
You just need to install from the site Rutoken
You do not need to configure Safari, Chrome, Yandex and other browsers; you just need to open the site in any of them.
The Firefox browser is configured in almost the same way as on Windows (Settings - Advanced - Certificates - Security Devices). Only the path to the library is slightly different: /Library/Aktiv Co/Rutoken ECP/lib/librtpkcs11ecp.dylib.
Conclusions
We showed you how to set up two-factor authentication on websites using cryptographic tokens. As always, we did not need any additional software for this, except for the Rutoken system libraries.
You can do the same with any of your internal resources, and you can also flexibly configure which user groups will have access to the site, just as elsewhere in Windows Server.
Are you using a different OS for the server?
If you want us to write about setting up other operating systems, then write about it in the comments to the article.
Source: habr.com