How to harden security for Windows endpoints

With ADSelfService Plus, admins can use MFA to harden security for Windows endpoints during interactive logons, UAC, machine unlocks, and RDP connections.

Benefits of MFA for Windows connections

  • Secures system entry and connections: Protects Windows machines and sensitive user sessions by mandating MFA.
  • Prevents lateral movement in case of a breach: Enforcing MFA for logons, UAC, and RDP limits an attacker's mobility if a machine is compromised, because every connection made from within that machine is itself protected.
  • Enhances your security posture: Securing connections made from within the machine reduces the attack surface and strengthens organizational security.

Based on the level of security needed, logins to and from Windows machines can be secured in two ways: user-centric MFA, and machine-centric MFA. The table below details the differences between these settings.

User-centric MFA
  • Applied to users based on the policies configured for them.
  • Prompts users who access any machine on the domain for MFA.
  • You can choose to allow users who are not enrolled to skip MFA during logins to a machine and other connections made from within the machine.
  • Can be applied to only users who are enrolled, or to both enrolled and unenrolled users.

Machine-centric MFA
  • Protects sensitive machines with MFA, and takes precedence over policy-based (user-centric) MFA.
  • Ensures that any user accessing the machine will be prompted for MFA.
  • Mandates MFA during logins to the machine as well as other connections made from within the machine, even if users' policies (user-centric MFA) allow them to skip machine MFA for those scenarios.
  • Mandates MFA on specific machines regardless of the enrollment status of the user attempting access.

You can use these methods separately or together to achieve the optimal level of security required by your organization. The authentication methods prompted for both user-centric and machine-centric MFA depend on the authenticators assigned to the user according to their policy.
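As an added illustration (not ADSelfService Plus code; the class, field and function names are assumptions), the following Python models the precedence rules described above, so you can check which connection types an unenrolled user could still reach without MFA on a given machine:

```python
from dataclasses import dataclass
from enum import Enum


class Resource(Enum):
    """Windows resources the page says can be secured with MFA."""
    LOGON = "interactive logon"
    UAC = "UAC prompt"
    UNLOCK = "machine unlock"
    RDP = "RDP connection"


@dataclass(frozen=True)
class UserPolicy:
    # Hypothetical model of the user-centric "Machine Login MFA" settings.
    mfa_resources: frozenset          # resources selected in the user's policy
    unenrolled_may_skip: bool         # allow users who are not enrolled to skip MFA


@dataclass(frozen=True)
class MachineSettings:
    # Hypothetical model of the machine-centric "Advanced Machine MFA Settings".
    mfa_resources: frozenset          # resources mandated on this machine


def mfa_required(resource, user_enrolled, user_policy, machine=None):
    """Return (required, reason) for one connection attempt.

    Machine-centric settings take precedence and ignore enrollment status;
    user-centric settings apply only where the machine does not mandate MFA.
    """
    if machine is not None and resource in machine.mfa_resources:
        return True, "machine-centric MFA (regardless of enrollment)"
    if resource not in user_policy.mfa_resources:
        return False, "resource not selected in the user's policy"
    if not user_enrolled and user_policy.unenrolled_may_skip:
        return False, "user not enrolled and policy allows skipping"
    return True, "user-centric MFA"


def coverage_gaps(machine, user_policy):
    """Resources an unenrolled user can reach on this machine without MFA."""
    return [r for r in Resource
            if not mfa_required(r, False, user_policy, machine)[0]]


if __name__ == "__main__":
    # Constructed sample: policy covers everything but lets unenrolled users skip;
    # the machine only mandates MFA for RDP.
    policy = UserPolicy(frozenset(Resource), unenrolled_may_skip=True)
    host = MachineSettings(frozenset({Resource.RDP}))
    for gap in coverage_gaps(host, policy):
        print("unenrolled users bypass MFA for:", gap.value)
```

Running the sample shows that with only RDP mandated on the machine, an unenrolled user still bypasses MFA for logon, UAC and unlock; adding those resources to the machine settings closes the gap.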

Hardening Windows security

Note: Security hardening with device-based MFA for Windows requires the Professional edition of ADSelfService Plus with Endpoint MFA.

User-centric MFA

To apply machine login MFA as part of users' self-service policies,

  1. Log into ADSelfService Plus as an administrator.
  2. Navigate to Configuration > Multi-Factor Authentication.
  3. From the Choose the Policy drop-down, choose the policy through which you want to apply machine login MFA to your users' Windows machines.
  4. Navigate to Advanced > Endpoint MFA.

    [Screenshot: User-centric MFA settings]

  5. Under Machine Login MFA, select the Windows resources you wish to secure with MFA.
  6. Click Save to apply the new configuration.

Machine-centric MFA

To protect critical or sensitive Windows machines with MFA irrespective of whether the user is enrolled for MFA or not,

  1. Log into ADSelfService Plus as an administrator.
  2. Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation > Installed Machines.

    [Screenshot: Machine-centric MFA settings]

  3. From the Select Domain drop-down, select the domain that the machines you wish to protect belong to.
  4. Click Advanced Machine MFA Settings at the bottom-right of the page.

    [Screenshot: Advanced Machine MFA Settings]

  5. Under Windows Machine MFA Settings, select the Windows endpoints you wish to secure with MFA.
  6. Click Save to apply the new configuration.

Next steps

After configuring machine-based MFA for Windows machines, you can enable Offline MFA to prevent getting locked out of the machine in situations when the Windows machine is offline or cannot reach the ADSelfService Plus server.

That's it! Now you know how to protect your Windows endpoints with MFA and harden your organization's overall security.

Like this tip? Explore additional ways to optimize ADSelfService Plus by visiting our knowledge base.
