The need to protect Windows server logins
Windows servers are often the backbone of IT infrastructure and are key targets for threat actors. Traditional username and password combinations, although important, are no longer sufficient to protect these systems against modern cyberattacks. Implementation of MFA for Windows Server logins provides an added layer of security by requiring additional verification steps, making it harder for unauthorized users to gain access. Adopting MFA not only fortifies your servers against brute force and credential theft attacks, but also ensures a more resilient and secure environment for your organization.
Secure your Windows server logins with ADSelfService Plus
ManageEngine ADSelfService Plus, an identity security solution, helps strengthen Windows server logins using adaptive MFA. This includes implementing authentication methods such as biometric authentication and one-time passwords (OTPs) during Windows server logins, in addition to the traditional username and password. ADSelfService Plus ensures that exposed credentials become useless for unauthorized Windows server logins, providing an extra layer of security.
Supported Windows server versions
ADSelfService Plus allows admins to secure the following Windows server versions with MFA.
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
How does MFA for Windows server logins work?
To configure MFA for Windows server logins, the ADSelfService Plus logon agent must be installed on the machines that will be secured with MFA. The agent acts as the intermediary between the Windows server and ADSelfService Plus to enable MFA during logins. Once these requirements are fulfilled, the process shown below takes place.

- The user initiates a login request to the Windows server machine.
- The system checks the user's credentials (password) against the local security system.
- After successful primary authentication, the system moves to secondary authentication (MFA), handled by the ADSelfService Plus login agent.
- The ADSelfService Plus login agent sends the MFA request to the ADSelfService Plus server for verification.
- If the user completes the required authentication levels successfully, they are logged into the machine.
Supported authentication methods
ADSelfService Plus supports a wide range of authenticators. Those that can be configured for Windows Server logins are listed here.
- Biometric authentication (fingerprint/facial recognition)
- Push notification authentication
- Duo Security
- Google Authenticator
- YubiKey authentication
- RSA SecurID
- RADIUS
- Time-based one-time password (TOTP)
- Custom TOTP authenticator
- Zoho OneAuth TOTP
- Push notifications
- QR code-based authentication
- Security questions and answers
- AD-based security questions
- SMS and email verification
Customizing Windows Server MFA according to your organizational needs
Admins can customize MFA to align with their organization's needs in several ways.
- The number of authentication factors can be customized for each user depending on the OUs and groups they are part of.
- Certain authentication factors can be made mandatory.
- Selected users can be permitted to bypass the MFA process on subsequent logins when using a trusted device. A trusted device is one that the user has previously used to complete the MFA process. This trust is temporary and expires after a set period, requiring the user to reauthenticate when using the same device again.
Machine-based MFA
Through machine-based MFA, you can trigger MFA during login based on the device’s policy settings rather than the user's account settings. When enabled, any user logging into a specific server must authenticate using MFA. Administrators can select from various authentication methods to configure device-based MFA. Click here to learn more.
Windows user account control MFA
ADSelfService Plus provides MFA for Windows UAC to enhance security for elevated system activities performed on standard user accounts. With this feature enabled, users are required to authenticate via MFA for all UAC credential requests, and can only proceed with administrative actions once their identity is successfully verified. ADSelfService Plus supports various authentication factors for Windows UAC MFA, and this feature is compatible with Windows Server 2008 and newer versions. Click here to learn more.
Offline MFA
ADSelfService Plus supports offline MFA for Windows server machines, providing security for remote workers and users without internet access or when the ADSelfService Plus server is unavailable. Administrators can set up one or more MFA methods that users can use during login. To access their machines offline, users must enroll in the necessary authenticators while connected online.
MFA for remote desktops
ADSelfService Plus provides MFA for RDP, adding extra layers of security to remote Windows logins. Administrators can configure MFA prompts for RDP connections to either the client (host) machine or the target machine. Enabling RDP client-based MFA allows for IP address-based conditional access during RDP logins. Additionally, ADSelfService Plus empowers admins with the flexibility to select and customize the authentication methods from the multiple authenticators it offers.
Why should you choose ADSelfService Plus?
Employing ADSelfService Plus' MFA for Windows servers delivers the following benefits.
- Conditional access policies: Automate access control decisions through contextual authentication based on risk factors such as IP address, device type, time of access, and geolocation.
- Customizable and granular configuration: Enable specific authentication methods and several authentication factors for users belonging to certain domains, groups, and organizational units.
- Real-time audit reports: View detailed reports on Windows server login attempts with information like time of logon, authentication methods used, and authentication success or failure status.
- Enhanced security: MFA for Windows Server logins enhances security by requiring additional verification beyond just the user credentials. Even if the user credentials get compromised, unauthorized users would still need access to the authorized user’s email or phone to log in to the system successfully.
Highlights
Password self-service
Unburden Active Directory users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.
One identity with single sign-on
Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on, users can access all their cloud applications using their Active Directory credentials.
Password and account expiry notification
Notify Active Directory users of their impending password and account expiry via email and SMS notifications.
Password synchronization
Synchronize Windows Active Directory user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.
Password Policy Enforcer
Strong passwords resist various hacking threats. Require Active Directory users to set compliant passwords by displaying password complexity requirements.
Directory self-update and corporate search
Enable Active Directory users to update their latest information by themselves. Quick search features help admins scout for information on peers using search keys like contact numbers.
FAQs
Normally, while connecting to Windows server machines, users are authenticated using only their user credentials. MFA for Windows servers ensures that users verify their identities with multiple authenticators along with their user credentials while logging in to Windows server machines.
By integrating Windows servers with ADSelfService Plus, you can choose your preferred methods from a range of authenticators like biometric (fingerprint/facial recognition), Duo Security, push notification authentication, Microsoft Authenticator, Google Authenticator, YubiKey, and email verification.
Yes, it is essential to safeguard all the Windows server logins in your organization using MFA. To prevent rogue access, it is recommended that you use strong identity verification measures like biometrics instead of relying on the traditional credentials-only method. By enabling MFA for Windows servers, you can prevent Windows server machines from being compromised even if their passwords are compromised by attackers.
You can easily deploy MFA for Windows servers in a few simple steps using ADSelfService Plus. This solution allows you to enable more than two authenticators during login, and includes strong authenticators such as biometrics and YubiKey.